- Product: Aleph
- Product Version: 20, 21, 22, 23
- Relevant for Installation Type: Dedicated-Direct, Direct, Local, Total Care
Our system is very slow and OPAC users are seeing the message: "The requested file was not found on the server. Please contact the library administration and inform them about this problem "
The following message is appearing in the www_server log: "Error: License limit exceeded", and we see the
following "HeyAlephIgnoreThis" search coming from about 100 different IP addresses:
How can we stop this?
The "License limit exceeded" message is discussed, generally, in the article "Opac not accessible, error
'License limit exceeded' ". The case where the attack is coming from multiple IP addresses is more
complicated. There can be various ways (botnets, compromised PC's, etc.) that an attacker can generate
transactions from different IP addresses.
In most cases, if there are 100,000 transactions, they won't be coming from 100,000 IP addresses, but certain
IP addresses will have large numbers. The following SQL can be used to determine what IP addresses the most
transactions are coming from:
> s+ vir01
vir01@ALEPH23> select Z63_CLIENT_ADDRESS, count(*) from z63 group by Z63_CLIENT_ADDRESS order by count(*) asc;
IP addresses with hundreds of z63 (session) records are probably not normal activity. You can try blocking
these individually with the firewall or server_ip_allowed, as described in the general article.
But there may be too many for this to be practical. What one site did, as a temporary measure, was to create
a "whitelist", that is, a list of allowed IP addresses -- basically some campus IP address ranges -- and to
deny other IP addresses. This is what that would look like in server_ip_allowed:
W A 123.456.789.*
W A 657.43.235.*
(Note: There no need for a "W D *.*.*.*" line. See Additional Information below.)
The disadvantage to this is, of course, that legitimate off-campus users will be denied access.
This issue is currently (April 6, 2017) being looked at by the Ex Libris Security Team (Jira SEC-238).
One site added a
containing a distinctive element of the request string the attacker was using to their ./apache/conf/httpd.conf file. This succeeded in blocking the vast majority of the transactions. Contact firstname.lastname@example.org for more information.
Note: The default is for IP addresses to be denied unless they are specifically allowed. The "D" is used in a case where you want to allow all IP addresses except a few, such as:
W D 352.43.235.*
W D 957.4.37.*
W A *.*.*.*
- Article last edited: 12-Mar-2017