<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="color: rgb(0, 0, 0); font-family: Calibri,Arial,Helvetica,sans-serif; font-size: 12pt;">
<p>More something for the developers list?</p>
<p>What Philippe here says, makes some sense to me. We could at least try to do something; what and how is another thing ;)<br>
</p>
<br>
<br>
<div style="color: rgb(0, 0, 0);">
<div>
<hr tabindex="-1" style="width: 98%; display: inline-block;">
<div id="x_divRplyFwdMsg" dir="ltr"><font color="#000000" face="Calibri, sans-serif" style="font-size: 11pt;"><b>Van:</b> Koha <koha-bounces@lists.katipo.co.nz> namens Philippe Blouin <philippe.blouin@inlibro.com><br>
<b>Verzonden:</b> woensdag 26 oktober 2016 14:52<br>
<b>Aan:</b> Koha list<br>
<b>Onderwerp:</b> Re: [Koha] F5 Attacks</font>
<div> </div>
</div>
</div>
<font size="2"><span style="font-size: 10pt;">
<div class="PlainText">I disagree. If Koha is offered out of the box, and we take time to fix
<br>
security issues, then it's normal for users to expect "basic" attacks to <br>
be taken care of.<br>
<br>
More so, blocking IP is not a possibility if genuine users are involved <br>
using a station from within the library.<br>
<br>
I'm not saying you're wrong that it's mostly sysadmin work and not Koha, <br>
but it doesn't mean nothing can be done. From the apache's threads, I <br>
found nothing useful (mostly derisive comments). But we could at least <br>
talk about it.<br>
<br>
What about having a javascript preventing refresh on the page withing 5 <br>
sec of each other? Needs to be done in a way that the refresh doesn't <br>
restart the timer.<br>
<br>
What about having the OPAC search be code where the refresh will <br>
basically send nothing ? The checkbox are filled, the request is sent <br>
to the backend, but the frontend keeps nothing... I'm just smoking <br>
here, but I'm trying to induce some brainstorming in this interesting topic.<br>
<br>
Philippe Blouin,<br>
Responsable du développement informatique<br>
<br>
Tél. : (888) 604-2627<br>
philippe.blouin@inLibro.com <<a href="mailto:philippe.blouin@inLibro.com">mailto:philippe.blouin@inLibro.com</a>><br>
<br>
inLibro | pour esprit libre | <a href="http://www.inLibro.com">www.inLibro.com</a> <<a href="http://www.inLibro.com">http://www.inLibro.com</a>><br>
On 10/26/2016 07:13 AM, Jonathan Druart wrote:<br>
> Hi,<br>
> I don't think this can/must be fixed on Koha side.<br>
> It's a sysadmin duty to take care of that.<br>
> I would take a look at fail2ban to parse the web server access logs. But<br>
> make sure not to block your X librarians using the same ip ;)<br>
><br>
> On Wed, 26 Oct 2016 at 12:28 Pedro Amorim <pjamorim91@gmail.com> wrote:<br>
><br>
>> I have tested this and the stress caused on the server is very severe. It<br>
>> seems that for every request, a new zebra process is created and the server<br>
>> will only respond when the last one is finished. This ofc will result in<br>
>> time outs and eventually a crash in the server.<br>
>><br>
>> This is a major critical issue IMO, anyone who knows about this has the<br>
>> power to deny the service of any Koha online without using any additional<br>
>> hacking/attacking software.<br>
>><br>
>> The Koha I'm working on right now - still in development - is accessed<br>
>> behind a proxy server, and I will attempt to solve the problem through<br>
>> that, by limiting the requests from the same origin with very little time<br>
>> between them. Still, even if I'm successful with this, the problem will<br>
>> still lie in Koha.<br>
>><br>
>> Anyone with some sort of insight is very welcome.<br>
>><br>
>> Pedro Amorim<br>
>><br>
>> 2016-10-26 8:24 GMT+00:00 clint.deckard <clint.deckard@frontiers.co.nz>:<br>
>><br>
>>> I have had this issue appear today. I have attempted to set up<br>
>> mod_evasive<br>
>>> for apache but it doesn't seem to have solved the problem.<br>
>>> I would really appreciate some advice.<br>
>>> Clint.<br>
>>><br>
>>><br>
>>> rfblanchard wrote:<br>
>>><br>
>>>> Assume a basic opac search:<br>
>>>> <a href="http://..../cgi-bin/koha/opac-search.pl?q=dog&branch_group_l">http://..../cgi-bin/koha/opac-search.pl?q=dog&branch_group_l</a><br>
>>>> imit=branch%3A349<br>
>>>><br>
>>>> This would take about 10 seconds to return the first time.<br>
>>>><br>
>>>> Assume the user refreshes the results using f5 and keep there finger<br>
>>>> there a<br>
>>>> moment to long (3s):<br>
>>>> This would kill my server for about 1 minute.<br>
>>>><br>
>>>> Any attacker could easily make the server unresponsive indefinitely by<br>
>>>> simply holding f5 on an opac search.<br>
>>>><br>
>>>> Any recommendations on how to deal with this problem?<br>
>>>><br>
>>>> here is a sample from top:<br>
>>>><br>
>>>> Tasks: 313 total, 3 running, 309 sleeping, 0 stopped, 1 zombie<br>
>>>> %Cpu(s): 93.7 us, 5.2 sy, 0.0 ni, 1.0 id, 0.2 wa, 0.0 hi, 0.0 si,<br>
>>>> 0.0<br>
>>>> st<br>
>>>> KiB Mem: 16465036 total, 1532492 used, 14932544 free, 63180 buffers<br>
>>>> KiB Swap: 8526844 total, 0 used, 8526844 free. 505124 cached<br>
>>>> Mem<br>
>>>><br>
>>>> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+<br>
>>>> COMMAND<br>
>>>> 7027 peischo+ 20 0 416164 162924 12756 S 58.8 1.0 0:26.43<br>
>>>> /usr/share/koha<br>
>>>> 7009 peischo+ 20 0 416800 163524 12756 S 56.5 1.0 0:33.77<br>
>>>> /usr/share/koha<br>
>>>> 7444 peischo+ 20 0 129832 15216 5900 R 37.2 0.1 0:01.12<br>
>>>> zebrasrv<br>
>>>> 7445 peischo+ 20 0 129832 15216 5900 R 35.6 0.1 0:01.07<br>
>>>> zebrasrv<br>
>>>> 1151 mysql 20 0 886564 181096 10808 S 8.6 1.1 1:27.57<br>
>> mysqld<br>
>>>> 7435 koha 20 0 25892 3272 2528 R 0.3 0.0 0:00.03 top<br>
>>>> 1 root 20 0 176144 5044 3096 S 0.0 0.0 0:01.43<br>
>>>> systemd<br>
>>>> 2 root 20 0 0 0 0 S 0.0 0.0 0:00.00<br>
>>>> kthreadd<br>
>>>><br>
>>>><br>
>>>><br>
>>>> --<br>
>>>> View this message in context: <a href="http://koha.1045719.n5.nabble">http://koha.1045719.n5.nabble</a>.<br>
>>>> com/F5-Attacks-tp5906098.html<br>
>>>> Sent from the Koha-general mailing list archive at Nabble.com.<br>
>>>> _______________________________________________<br>
>>>> Koha mailing list <a href="http://koha-community.org">http://koha-community.org</a><br>
>>>> Koha@lists.katipo.co.nz<br>
>>>> <a href="https://lists.katipo.co.nz/mailman/listinfo/koha">https://lists.katipo.co.nz/mailman/listinfo/koha</a><br>
>>>><br>
>>> _______________________________________________<br>
>>> Koha mailing list <a href="http://koha-community.org">http://koha-community.org</a><br>
>>> Koha@lists.katipo.co.nz<br>
>>> <a href="https://lists.katipo.co.nz/mailman/listinfo/koha">https://lists.katipo.co.nz/mailman/listinfo/koha</a><br>
>>><br>
>> _______________________________________________<br>
>> Koha mailing list <a href="http://koha-community.org">http://koha-community.org</a><br>
>> Koha@lists.katipo.co.nz<br>
>> <a href="https://lists.katipo.co.nz/mailman/listinfo/koha">https://lists.katipo.co.nz/mailman/listinfo/koha</a><br>
>><br>
> _______________________________________________<br>
> Koha mailing list <a href="http://koha-community.org">http://koha-community.org</a><br>
> Koha@lists.katipo.co.nz<br>
> <a href="https://lists.katipo.co.nz/mailman/listinfo/koha">https://lists.katipo.co.nz/mailman/listinfo/koha</a><br>
<br>
_______________________________________________<br>
Koha mailing list <a href="http://koha-community.org">http://koha-community.org</a><br>
Koha@lists.katipo.co.nz<br>
<a href="https://lists.katipo.co.nz/mailman/listinfo/koha">https://lists.katipo.co.nz/mailman/listinfo/koha</a><br>
</div>
</span></font></div>
</div>
</body>
</html>