<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    comment/thought/question:<br>
    this code will prevent any F5 by mistake, but an attacker who WANTS
    to F5 will just have to prevent javascript from being executed, and
    "problem fixed" [for him]?<br>
    <br>
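    <p>Added example (not code from any message in this thread): a small
      Python detector in the spirit of the fail2ban approach Jonathan
      suggests further down. It keys on the exact request repeated by one
      client rather than on raw per-IP volume, so a branch of librarians
      sharing one NAT address is not blocked, and it needs no JavaScript on
      the client. The log lines, addresses, threshold and window are
      constructed assumptions.</p>

```python
"""Flag F5-style hammering of the Koha OPAC from Apache access logs.
Keys on (client IP, exact request): only a client re-sending the *same*
opac-search.pl request many times in a short window is reported, so a
shared NAT address running many different searches stays unflagged.
Log lines and addresses below are constructed, not real."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
OPAC_SEARCH = "/cgi-bin/koha/opac-search.pl"


def parse_line(line):
    """Return (ip, timestamp, request path), or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("path")


def find_repeaters(lines, threshold=5, window_s=3.0):
    """Return sorted (ip, path) pairs where one client sent the identical
    opac-search.pl request at least `threshold` times within `window_s` seconds.
    threshold/window are assumed values; tune them to your search latency."""
    recent = defaultdict(deque)  # (ip, path) -> timestamps still inside the window
    flagged = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or not parsed[2].startswith(OPAC_SEARCH):
            continue                      # unparseable, or not a search request
        ip, ts, path = parsed
        q = recent[(ip, path)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()                   # drop hits older than the window
        if len(q) >= threshold:
            flagged.add((ip, path))
    return sorted(flagged)


def _line(ip, second, path):
    """Build one constructed combined-format log line at 10:24:<second>."""
    return (f'{ip} - - [26/Oct/2016:10:24:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 4321 "-" "Mozilla/5.0"')


SEARCH = OPAC_SEARCH + "?q=dog&branch_group_limit=branch%3A349"
SAMPLE_LOG = (
    # one client holding F5 on the same search: six hits in two seconds
    [_line("203.0.113.7", s, SEARCH) for s in (1, 1, 2, 2, 3, 3)]
    # a branch NAT address: six *different* searches, just as fast
    + [_line("198.51.100.20", s, OPAC_SEARCH + f"?q=book{i}")
       for i, s in enumerate((1, 1, 2, 2, 3, 3))]
    # unrelated traffic is ignored entirely
    + [_line("203.0.113.7", 4, "/opac-tmpl/bootstrap/css/opac.css")]
)
```

Running `find_repeaters(SAMPLE_LOG)` reports only the 203.0.113.7 client; feeding the result to a firewall or fail2ban action is left to the deployment.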
    <div class="moz-cite-prefix">On 26/10/2016 at 17:29, SUZUKI Arthur
      wrote:<br>
    </div>
    <blockquote
      cite="mid:a63c832e-9592-c798-7937-3d9706b8869b@univ-lyon3.fr"
      type="cite">
      <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
      <p>Hi,</p>
      <p>Please forward to koha-general since I haven't subscribed to
        that one yet.<br>
      </p>
      <p>We had the same issue at Lyon 3; we dealt with it by adding
        some code in the OPACUserJS syspref to disable page reloading
        until the search result completes.</p>
      <p>More documentation here: <a moz-do-not-send="true"
          class="moz-txt-link-freetext"
          href="https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15855">https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15855</a></p>
      <p>My colleague Olivier Crouzet has improved the code since:</p>
      <pre wrap="">// guard against multiple submissions via the submit button
$("#searchsubmit").click(function(){
    // disable the button, show a "busy" label, then submit once
    // (use .val() instead of .text() if the submit control is an input element)
    $(this).text('en cours...').prop('disabled',true);
    $("#searchform").submit();
});
// guard against multiple submissions via the Enter key
var submitted = false;   // must start false, or the first Enter would be swallowed
$('#translControl1').bind('keyup',function() {
    submitted = false;   // key released: allow the next submission
});
$('#translControl1').bind('keydown',function(event) {
    var code = event.keyCode||event.which||event.charCode||event.char||0;
    if(code == 13) {     // Enter
        if (submitted == false) {
            submitted = true;            // first press: submit once
            $('#searchform').submit();
            $("#searchsubmit").text('en cours...');
        } else {                         // key held down: swallow the repeats
            event.preventDefault();
            event.returnValue = false;
            return false;
        }
    }
});</pre>
      Maybe this could be integrated into core koha.<br>
      All the best,<br>
      Arthur<br>
      <br>
      <div class="moz-cite-prefix">On 26/10/2016 at 16:28, Paul A
        wrote:<br>
      </div>
      <blockquote
        cite="mid:5.2.1.1.2.20161026102402.044b41a8@pop.navalmarinearchive.com"
        type="cite">
        <meta http-equiv="Content-Type" content="text/html;
          charset=utf-8">
        At 01:29 PM 10/26/2016 +0000, Marcel de Rooy wrote:<br>
        <blockquote type="cite" class="cite" cite="">
          More something for the developers list?<br>
          <br>
          What Philippe says here makes some sense to me. We could at
          least try to do something; what and how is another thing ;)</blockquote>
        <br>
        F5 DDoS can/should be mitigated at the firewall -- see e.g. &lt;<a
          moz-do-not-send="true"
href="https://debian-administration.org/article/187/Using_iptables_to_rate-limit_incoming_connections"
          eudora="autourl">https://debian-administration.org/article/187/Using_iptables_to_rate-limit_incoming_connections</a>&gt;
        -- and while I somewhat agree that it would be "nice" for Koha
        to consider it, I see this more as a "server admin/setup" that
        has existed for many years now.<br>
        <br>
        Best -- Paul<br>
        <br>
        <br>
        <br>
        <blockquote type="cite" class="cite" cite="">
          <hr> <font face="Calibri"><b>From:</b> Koha <a
              moz-do-not-send="true" class="moz-txt-link-rfc2396E"
              href="mailto:koha-bounces@lists.katipo.co.nz">&lt;koha-bounces@lists.katipo.co.nz&gt;</a>
            on behalf of Philippe Blouin <a moz-do-not-send="true"
              class="moz-txt-link-rfc2396E"
              href="mailto:philippe.blouin@inlibro.com">&lt;philippe.blouin@inlibro.com&gt;</a><br>
            <b>Sent:</b> Wednesday 26 October 2016 14:52<br>
            <b>To:</b> Koha list<br>
            <b>Subject:</b> Re: [Koha] F5 Attacks</font> <br>
           <br>
          <font size="2">I disagree.  If Koha is offered out of the box,
            and we take time to fix security issues, then it's normal for
            users to expect "basic" attacks to be taken care of.<br>
            <br>
            More so, blocking IPs is not a possibility if genuine users
            are involved using a station from within the library.<br>
            <br>
            I'm not saying you're wrong that it's mostly sysadmin work
            and not Koha, but it doesn't mean nothing can be done.  From
            the Apache threads, I found nothing useful (mostly derisive
            comments).  But we could at least talk about it.<br>
            <br>
            What about having a javascript preventing refresh on the
            page within 5 sec of each other?  Needs to be done in a way
            that the refresh doesn't restart the timer.<br>
            <br>
            What about having the OPAC search be code where the refresh
            will basically send nothing?  The checkboxes are filled, the
            request is sent to the backend, but the frontend keeps
            nothing...  I'm just smoking here, but I'm trying to induce
            some brainstorming in this interesting topic.<br>
            <br>
            Philippe Blouin,<br>
            Head of IT development<br>
            <br>
            Tel.: (888) 604-2627<br>
            <a moz-do-not-send="true" class="moz-txt-link-abbreviated"
              href="mailto:philippe.blouin@inLibro.com">philippe.blouin@inLibro.com</a>
            &lt;<a moz-do-not-send="true"
              href="mailto:philippe.blouin@inLibro.com">mailto:philippe.blouin@inLibro.com</a>&gt;<br>
            <br>
            inLibro | for a free spirit | <a moz-do-not-send="true"
              href="http://www.inLibro.com">www.inLibro.com</a> &lt;<a
              moz-do-not-send="true" href="http://www.inlibro.com/"
              eudora="autourl">http://www.inLibro.com</a>&gt;<br>
            On 10/26/2016 07:13 AM, Jonathan Druart wrote:<br>
            > Hi,<br>
            > I don't think this can/must be fixed on Koha side.<br>
            > It's a sysadmin duty to take care of that.<br>
            > I would take a look at fail2ban to parse the web server
            access logs. But<br>
            > make sure not to block your X librarians using the same
            ip ;)<br>
            ><br>
            > On Wed, 26 Oct 2016 at 12:28 Pedro Amorim <a
              moz-do-not-send="true" class="moz-txt-link-rfc2396E"
              href="mailto:pjamorim91@gmail.com">&lt;pjamorim91@gmail.com&gt;</a>
            wrote:<br>
            ><br>
            >> I have tested this and the stress caused on the
            server is very severe. It<br>
            >> seems that for every request, a new zebra process
            is created and the server<br>
            >> will only respond when the last one is finished.
            This ofc will result in<br>
            >> timeouts and eventually a crash in the server.<br>
            >><br>
            >> This is a major critical issue IMO, anyone who
            knows about this has the<br>
            >> power to deny the service of any Koha online
            without using any additional<br>
            >> hacking/attacking software.<br>
            >><br>
            >> The Koha I'm working on right now - still in
            development - is accessed<br>
            >> behind a proxy server, and I will attempt to solve
            the problem through<br>
            >> that, by limiting the requests from the same origin
            with very little time<br>
            >> between them. Still, even if I'm successful with
            this, the problem will<br>
            >> still lie in Koha.<br>
            >><br>
            >> Anyone with some sort of insight is very welcome.<br>
            >><br>
            >> Pedro Amorim<br>
            >><br>
            >> 2016-10-26 8:24 GMT+00:00 clint.deckard <a
              moz-do-not-send="true" class="moz-txt-link-rfc2396E"
              href="mailto:clint.deckard@frontiers.co.nz">&lt;clint.deckard@frontiers.co.nz&gt;</a>:<br>
            >><br>
            >>> I have had this issue appear today. I have
            attempted to set up<br>
            >> mod_evasive<br>
            >>> for apache but it doesn't seem to have solved
            the problem.<br>
            >>> I would really appreciate some advice.<br>
            >>> Clint.<br>
            >>><br>
            >>><br>
            >>> rfblanchard wrote:<br>
            >>><br>
            >>>> Assume a basic opac search:<br>
            >>>> <a moz-do-not-send="true"
              href="http://..../cgi-bin/koha/opac-search.pl?q=dog&amp;branch_group_limit=branch%3A349">http://..../cgi-bin/koha/opac-search.pl?q=dog&amp;branch_group_limit=branch%3A349</a><br>
            >>>><br>
            >>>> This would take about 10 seconds to return
            the first time.<br>
            >>>><br>
            >>>> Assume the user refreshes the results using f5 and
            keeps their finger there a moment too long (3s):<br>
            >>>> This would kill my server for about 1
            minute.<br>
            >>>><br>
            >>>> Any attacker could easily make the server
            unresponsive indefinitely by<br>
            >>>> simply holding f5 on an opac search.<br>
            >>>><br>
            >>>> Any recommendations on how to deal with
            this problem?<br>
            >>>><br>
            >>>> here is a sample from top:<br>
            >>>><br>
            >>>> Tasks: 313 total,   3 running, 309 sleeping,   0 stopped,   1 zombie<br>
            >>>> %Cpu(s): 93.7 us,  5.2 sy,  0.0 ni,  1.0 id,  0.2 wa,  0.0 hi,  0.0 si,  0.0 st<br>
            >>>> KiB Mem:  16465036 total,  1532492 used, 14932544 free,    63180 buffers<br>
            >>>> KiB Swap:  8526844 total,        0 used,  8526844 free.   505124 cached Mem<br>
            >>>><br>
            >>>>    PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND<br>
            >>>>   7027 peischo+  20   0  416164 162924  12756 S  58.8  1.0   0:26.43 /usr/share/koha<br>
            >>>>   7009 peischo+  20   0  416800 163524  12756 S  56.5  1.0   0:33.77 /usr/share/koha<br>
            >>>>   7444 peischo+  20   0  129832  15216   5900 R  37.2  0.1   0:01.12 zebrasrv<br>
            >>>>   7445 peischo+  20   0  129832  15216   5900 R  35.6  0.1   0:01.07 zebrasrv<br>
            >>>>   1151 mysql     20   0  886564 181096  10808 S   8.6  1.1   1:27.57 mysqld<br>
            >>>>   7435 koha      20   0   25892   3272   2528 R   0.3  0.0   0:00.03 top<br>
            >>>>      1 root      20   0  176144   5044   3096 S   0.0  0.0   0:01.43 systemd<br>
            >>>>      2 root      20   0       0      0      0 S   0.0  0.0   0:00.00 kthreadd<br>
            >>>><br>
            >>>><br>
            >>>><br>
            >>>> --<br>
            >>>> View this message in context: <a
              moz-do-not-send="true"
              href="http://koha.1045719.n5.nabble.com/F5-Attacks-tp5906098.html">http://koha.1045719.n5.nabble.com/F5-Attacks-tp5906098.html</a><br>
            >>>> Sent from the Koha-general mailing list
            archive at Nabble.com.<br>
            >>>>
            _______________________________________________<br>
            >>>> Koha mailing list  <a
              moz-do-not-send="true" href="http://koha-community.org">http://koha-community.org</a><br>
            >>>> <a moz-do-not-send="true"
              class="moz-txt-link-abbreviated"
              href="mailto:Koha@lists.katipo.co.nz">Koha@lists.katipo.co.nz</a><br>
            >>>> <a moz-do-not-send="true"
              href="https://lists.katipo.co.nz/mailman/listinfo/koha">https://lists.katipo.co.nz/mailman/listinfo/koha</a><br>
            >>>><br>
          </font>_______________________________________________<br>
          Koha-devel mailing list<br>
          <a moz-do-not-send="true" class="moz-txt-link-abbreviated"
            href="mailto:Koha-devel@lists.koha-community.org">Koha-devel@lists.koha-community.org</a><br>
          <a moz-do-not-send="true"
href="http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel"
            eudora="autourl">http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel</a><br>
          website : <a moz-do-not-send="true"
            href="http://www.koha-community.org/" eudora="autourl">http://www.koha-community.org/</a><br>
          git : <a moz-do-not-send="true"
            href="http://git.koha-community.org/" eudora="autourl">http://git.koha-community.org/</a><br>
          bugs : <a moz-do-not-send="true"
            href="http://bugs.koha-community.org/" eudora="autourl">http://bugs.koha-community.org/</a>
        </blockquote>
        <x-sigsep>
          <p> ---<br>
            Maritime heritage and history, preservation and
            conservation, <br>
            research and education through the written word and the
            arts.<br>
            &lt;<a moz-do-not-send="true"
              href="http://navalmarinearchive.com/" eudora="autourl">http://NavalMarineArchive.com</a>&gt;
            and &lt;<a moz-do-not-send="true"
              href="http://ultramarine.ca/" eudora="autourl">http://UltraMarine.ca</a>&gt;<br>
            <br>
          </p>
        </x-sigsep></blockquote>
      <br>
      <pre class="moz-signature" cols="72">-- 
Arthur SUZUKI
Library IT department
UNIVERSITY LIBRARIES
Université Jean Moulin Lyon 3
6 Cours Albert Thomas - B.P. 8242 – 69355 Lyon Cedex 08
direct line: +33 (0)4 78 78 79 16 | <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://bu.univ-lyon3.fr">http://bu.univ-lyon3.fr</a>
Université Jean Moulin is a founding member of the Université de Lyon</pre>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">-- 
Paul Poulain, Managing partner / co-owner
BibLibre, Open Source software and services for libraries</pre>
  </body>
</html>