EZproxySecureItEasily - Eastern Kentucky University

Session 83
EndUser 07
EZproxy:
Secure it Easily
Todd King – todd.king@eku.edu
http://people.eku.edu/kingt/proxy
Eastern Kentucky University Libraries
The problem: systematic downloading
The solution: secure EZproxy
The settings: configuration code
The culprits: tracking them down
The questions: how/why did they do it?

The problem

Systematic downloading from a vendor's site
  all volumes of one title, in a short time period
  against their terms of service
Through our EZproxy server (uh-oh)
Vendor sent me their log of the incident's time
(compare to EZproxy's log at the same time)

The solution

Stop the downloading quickly
Enable basic security settings
usefulutilities.com/support/example/securing.html


The settings: configuration code (example)

Put this in the ezproxy.cfg file & restart:

Audit Most
AuditPurge 7
Option StatusUser
Option LogSession
IntruderIPAttempts -interval=5 -expires=15 20
IntruderUserAttempts -interval=5 -expires=15 10
UsageLimit -enforce -interval=15 -expires=120 -MB=100 Global

Audit

Examples:
  Audit Most Login.Success.Groups   (everything in Most, plus Login.Success.Groups)
  Audit Most -Unauthorized          (everything in Most, except Unauthorized; a leading "-" removes an event)
Auditing means recording events. You can choose to log these events
(* marks the events included in Most):

Most                   all those marked with *
Login.Success *        successful login to EZproxy
Login.Success.Groups   same as above when using groups
Login.Failure *        unsuccessful login to EZproxy
Login.Intruder.IP *    many failed login attempts from the same IP
Login.Intruder.User *  many failed login attempts using the same username
System *               things like EZproxy startup events
Unauthorized *         someone tries (without permission) to see the /admin page
UsageLimit *           a user exceeds the UsageLimit settings

AuditPurge

Example: AuditPurge 14
How long, in days, to keep records of audited events; the default is 7 days.
(Screenshots: the list of audit files, and the list of audit events, on the /audit page)

Options

Option StatusUser:
  show the username on the /status web page, to see who is online
Option LogSession:
  record the session ID, so a user's activity can be cross-referenced with the log
(Screenshot: list of sessions, including User and Session ID, on /status)

IntruderIPAttempts

Example: IntruderIPAttempts -interval=5 -expires=15 -reject=50 20

interval   how long (minutes) to record activity before taking action
expires    how long (minutes, after the last attempt) until the intrusion status is cleared for this IP
reject     if the number of login attempts from this IP reaches this number within the interval,
           the IP is rejected and must be manually cleared to allow login again
20 (the final number)   how many login attempts within the interval it takes to initiate the block

(Timeline for the example: 20 attempts within 5 minutes, IP blocked; no attempts for 15 minutes, IP unblocked; 50 attempts within 5 minutes, IP rejected and must be unblocked manually.)

In the example, if the number of attempts from an IP address reaches 20 within the 5 minute interval, the IP is blocked, but after attempts stop for 15 minutes the block expires. If the attempts reach 50 within 5 minutes, the IP is "rejected": the expires attribute has no effect, and the IP must be manually cleared on the /intrusion page.

IntruderUserAttempts

Example: IntruderUserAttempts -interval=5 -expires=15 10
Same as IntruderIPAttempts, but blocks the username, not the IP address
(Timeline for the example: 10 attempts within 5 minutes, username blocked; no attempts for 15 minutes, username unblocked.)

In the example, if the number of attempts for a user reaches 10 within the 5 minute interval, the username is blocked, but after attempts stop for 15 minutes the block expires; the block can be manually cleared on the /intrusion page before the 15 minutes are up.
(Screenshot: the /intrusion page, listing IPs/users that have been blocked due to too many failed login attempts)

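To see the interval / expires / reject rules of the last three slides on concrete numbers, here is a small Python model of the IntruderIPAttempts and IntruderUserAttempts behaviour. It is an added illustration, not EZproxy's own code: the address and username it replays are made up, times are whole minutes, and the boundary rule (a failure exactly interval minutes old no longer counts) is an assumption about EZproxy's exact arithmetic.

```python
"""Replay of EZproxy's IntruderIPAttempts / IntruderUserAttempts rules.

Added illustration, not EZproxy's own code: a model of the interval /
expires / reject behaviour described on the slides, run over constructed
failed-login events. Times are minutes; the tie-breaking at window
boundaries is an assumption.
"""
from collections import deque


class IntruderLimiter:
    """Counts failed logins per key (an IP address or a username).

    interval  minutes over which failed attempts are counted
    expires   minutes of quiet after the last attempt before a block lifts
    attempts  failures within the interval that trigger a block
    reject    failures within the interval that trigger a reject, which only
              a manual clear (the /intrusion page) removes; None = never
    """

    def __init__(self, interval, expires, attempts, reject=None):
        self.interval, self.expires = interval, expires
        self.attempts, self.reject = attempts, reject
        self._hits = {}           # key -> deque of failure times
        self._blocked_until = {}  # key -> minute at which the block expires
        self.rejected = set()     # keys awaiting a manual clear

    def state(self, key, now):
        """'rejected', 'blocked' or 'ok' for key at minute now."""
        if key in self.rejected:
            return "rejected"
        until = self._blocked_until.get(key)
        if until is not None and now < until:
            return "blocked"
        return "ok"

    def failed_login(self, key, now):
        """Record one failed login at minute now; return the new state."""
        hits = self._hits.setdefault(key, deque())
        hits.append(now)
        while hits and now - hits[0] >= self.interval:
            hits.popleft()        # forget failures outside the interval
        count = len(hits)
        if self.reject is not None and count >= self.reject:
            self.rejected.add(key)
        elif count >= self.attempts or self.state(key, now) == "blocked":
            # a fresh block, or an attempt during a block: the clock
            # restarts, so the block lifts only after `expires` quiet minutes
            self._blocked_until[key] = now + self.expires
        return self.state(key, now)

    def clear(self, key):
        """Manual clear, as done on the /intrusion page."""
        self.rejected.discard(key)
        self._blocked_until.pop(key, None)
        self._hits.pop(key, None)


if __name__ == "__main__":
    # IntruderIPAttempts -interval=5 -expires=15 -reject=50 20
    ip_rule = IntruderLimiter(interval=5, expires=15, attempts=20, reject=50)
    bot = "203.0.113.5"                      # constructed address
    for _ in range(20):
        last = ip_rule.failed_login(bot, 0)
    print("after 20 failures at minute 0:", last)
    print("minute 14:", ip_rule.state(bot, 14), "minute 15:", ip_rule.state(bot, 15))
    for _ in range(50):
        last = ip_rule.failed_login(bot, 30)
    print("after 50 failures at minute 30:", last, "(needs manual clear)")
```

The same class models IntruderUserAttempts by keying on the username instead of the IP; the `spread` case in the demo shows why a slow guesser (19 failures, then one more after the interval has passed) is never blocked, which is what the interval setting controls.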
UsageLimit

Detects when a user is downloading excessive amounts of content & automatically blocks the user's access
Can set the block to expire automatically
Different usage limits can be set for certain databases (cool, granular)

enforce     turn enforcement on/off (when off, usage is still monitored and the UsageLimit event still audited, but the user is not blocked)
interval    how long (minutes) to record activity before taking action
MB          how many megabytes can be downloaded within the interval before blocking the user
transfers   number of page requests permitted within the interval before blocking the user
expires     how long (minutes, after the last request) until the suspension is cleared for this user
end         use when making selective usage limits in the database list in the ezproxy.cfg file
local       include EZproxy's own local pages in the usage limit

UsageLimit example

Example: UsageLimit -enforce -interval=15 -expires=15 -transfers=2000 -MB=500 Global
(Every option takes a plain ASCII hyphen; a typographic dash pasted from a document will not be recognised.)
(Timeline for the example: 2000 transfers/requests within 15 minutes, username blocked, unblocked after 15 quiet minutes; 500 megabytes downloaded within 15 minutes, username blocked, unblocked after 15 quiet minutes.)

In the example, if the number of transfers from a user reaches 2000, or the user has downloaded more than 500 MB of material, within the 15 minute interval, the user is blocked. If you don't have expires, users must be unblocked manually on the /usagelimits page.

UsageLimit management

The /usagelimits page shows a summary of your UsageLimit settings, and a list of current users and their usage. It also shows users that have been suspended. Viewing "all" suspensions is linked to the audit files, so clicking that will only give you one week (or whatever you set in AuditPurge).

UsageLimit w/ different DBs

"Global" is just the name of this UsageLimit setting; you can name it anything you want, and you can use different names for different databases. A named limit applies to the database entries that follow it until a "UsageLimit -end name" line; Global is never ended, so it keeps applying to every database in the list.

UsageLimit -enforce -MB=100 Global
UsageLimit -enforce -expires=180 -transfers=500 Selective
Title Some Database
URL http://www.somedb.com/
Domain somedb.com
UsageLimit -end Selective
Title Other Database
URL http://www.otherdb.com/
Domain otherdb.com
# You do not need to repeat options
UsageLimit Selective
Title Another Database
URL http://www.anotherdb.com/
Domain anotherdb.com
UsageLimit -end Selective

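To check which named limit ends up covering which database, the following Python script (an added illustration, not part of the slides or of EZproxy) walks the config above and reports the limits in force at each Title. It assumes exactly what the slide describes: a name stays in force until its "-end", a bare re-use keeps the earlier options, and an un-ended name covers everything after it. Whether EZproxy lets several active limits stack on one database, and how it treats a name re-used with new options, is an assumption here (stack, and update), so confirm against your own /usagelimits page.

```python
"""Which named UsageLimit covers which database in ezproxy.cfg?

Added illustration, not EZproxy's own code. Semantics assumed from the
slide: a named UsageLimit applies to every database stanza (Title / URL /
Domain ...) after it until "UsageLimit -end <name>"; re-using a name
without options keeps the earlier options; a never-ended name (Global)
covers every database after it. Stacking of several active limits on one
database, and update-on-redefinition, are assumptions.
"""
import shlex


def parse_usage_limits(cfg_text):
    """Return (limits, coverage, still_open).

    limits      name -> options given for that UsageLimit ({} if none)
    coverage    database Title -> names of the limits in force at that Title
    still_open  names still in force at the end of the file
    """
    limits, coverage, active = {}, {}, []
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or comment line
        directive, _, rest = line.partition(" ")
        directive = directive.lower()
        if directive == "usagelimit":
            tokens = shlex.split(rest)
            name, flags = tokens[-1], tokens[:-1]
            if "-end" in flags:
                if name in active:
                    active.remove(name)
                continue
            opts = {}
            for flag in flags:            # "-MB=100" -> ("MB", 100); "-enforce" -> True
                key, _, val = flag.lstrip("-").partition("=")
                opts[key] = int(val) if val.isdigit() else (val or True)
            limits.setdefault(name, {}).update(opts)
            if name not in active:
                active.append(name)
        elif directive == "title":
            coverage[rest.strip()] = list(active)
    return limits, coverage, list(active)


def unended_selective(cfg_text, global_names=("Global",)):
    """Names other than the intended global ones still active at end of
    file: a forgotten -end makes a selective limit apply to every database
    defined after it."""
    _, _, still_open = parse_usage_limits(cfg_text)
    return [n for n in still_open if n not in global_names]


# the slide's example config, reproduced inline as test input
SLIDE_CFG = """\
UsageLimit -enforce -MB=100 Global
UsageLimit -enforce -expires=180 -transfers=500 Selective
Title Some Database
URL http://www.somedb.com/
Domain somedb.com
UsageLimit -end Selective
Title Other Database
URL http://www.otherdb.com/
Domain otherdb.com
# You do not need to repeat options
UsageLimit Selective
Title Another Database
URL http://www.anotherdb.com/
Domain anotherdb.com
UsageLimit -end Selective
"""

if __name__ == "__main__":
    limits, coverage, _ = parse_usage_limits(SLIDE_CFG)
    for title, names in coverage.items():
        print(f"{title:18} <- {', '.join(names)}")
    print("limits:", limits)
    print("selective limits left open at EOF:", unended_selective(SLIDE_CFG))
```

The `unended_selective` check is the one worth keeping in a pre-restart script: drop the final "UsageLimit -end Selective" and the 500-transfer limit silently extends to every database added below it.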
See log files

Good for viewing all activity (see online at the /usage page)
Good for analysis of usage (use a log analyzer app):
  Mach 5 Analyzer  www.mach5.com/products/analyzer/
  Web Log Expert   www.weblogexpert.com/lite.htm
Bad for taking up space; set up backup methods
Auto-rotate log files with a batch file & scheduled task:
  www.usefulutilities.com/support/technote/4w.html (Windows)
  www.usefulutilities.com/support/technote/4.html (Linux/Sun)






Customize EZproxy web pages

On the EZproxy machine, in the docs folder:
suspend.html    when users are blocked, they will see this page
reject.html     when users or IP addresses are rejected, they will see this page
needhost.html   users see this when you need to add a Host entry to ezproxy.cfg

I have a message saying to copy the text of the page and email it to me
Helps me capture missed Host entries & get them fixed quickly
Can include special EZproxy code to show the URL they were trying to reach
Need to know some basic HTML: can include links, images, and CSS customizations including colors and fonts; make it informative
www.usefulutilities.com/support/docs/




The culprits: tracking them down

Compare log files (vendor's / EZproxy's)
From the EZproxy log file:
  get the IP address
  (can also get the session ID, if Option LogSession is enabled, to find the username for further investigating within EZproxy)
Take the IP to www.arin.net & do a WhoIs lookup
If not in the Americas, try www.ripe.net (Europe) or www.apnic.net (Asia-Pacific) & do the lookup there
Change settings to track the username (Option StatusUser)
Reject the IPs, or just leave them in the suspended state

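The procedure on this slide (line up the vendor's timestamps with ezproxy.log, pull the IP and session ID, read off the username) and the thresholds from the earlier UsageLimit example slide can be exercised together in Python. This is an added example, not the presenter's script and not EZproxy code: the log lines, addresses, session IDs, usernames and vendor timestamps are constructed; the log layout assumed is the default LogFormat %h %l %u %t "%r" %s %b with Option LogSession putting the session ID in the %l field and %u carrying the login name; and the suspension rule assumed is "suspend once the threshold is exceeded".

```python
"""Correlate a vendor's incident log with ezproxy.log, then check what a
UsageLimit would have caught.

Added example, not from the slides or from EZproxy; log lines are
constructed. Assumed layout: default LogFormat %h %l %u %t "%r" %s %b,
with Option LogSession putting the session ID in the %l field.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<session>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
MB = 1024 * 1024


def parse_line(line):
    """One log line -> dict with a datetime and integer byte count, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], TS_FMT)
    e["bytes"] = 0 if e["bytes"] == "-" else int(e["bytes"])
    return e


def requests_near(entries, incident_times, slack=timedelta(minutes=2)):
    """Entries within +/- slack of any timestamp taken from the vendor's log."""
    return [e for e in entries
            if any(abs(e["ts"] - t) <= slack for t in incident_times)]


def summarize(entries):
    """(ip, session, user) -> request count and megabytes served."""
    out = defaultdict(lambda: {"requests": 0, "mb": 0.0})
    for e in entries:
        k = (e["ip"], e["session"], e["user"])
        out[k]["requests"] += 1
        out[k]["mb"] += e["bytes"] / MB
    return dict(out)


def usage_limit_hits(entries, interval=15, mb=None, transfers=None):
    """Sessions that would trip UsageLimit -interval=<interval> with the given
    -MB / -transfers thresholds (assumed: suspend once exceeded), using a
    sliding window over each session's own requests in time order."""
    by_session = defaultdict(list)
    for e in sorted(entries, key=lambda e: e["ts"]):
        by_session[e["session"]].append(e)
    window, hits = timedelta(minutes=interval), set()
    for sid, es in by_session.items():
        start = 0
        for end in range(len(es)):
            while es[end]["ts"] - es[start]["ts"] >= window:
                start += 1            # drop requests older than the interval
            total_mb = sum(x["bytes"] for x in es[start:end + 1]) / MB
            count = end - start + 1
            if (mb is not None and total_mb > mb) or \
               (transfers is not None and count > transfers):
                hits.add(sid)
                break
    return hits


# constructed sample: one session bulk-downloading a journal volume and one
# ordinary reader, both on 14 Sep 2006 around 02:15 local time
BASE = datetime(2006, 9, 14, 2, 15, 0, tzinfo=timezone(timedelta(hours=-4)))


def build_sample_log():
    lines = []
    for i in range(20):                     # an 8 MB PDF every 30 seconds
        t = (BASE + timedelta(seconds=30 * i)).strftime(TS_FMT)
        lines.append(f'203.0.113.5 ABcdEF12gh jdoe [{t}] '
                     f'"GET http://www.somedb.com/vol7/art{i:02d}.pdf HTTP/1.1" 200 {8 * MB}')
    for mins in (0, 3, 9):                  # a normal reader browsing a TOC
        t = (BASE + timedelta(minutes=mins)).strftime(TS_FMT)
        lines.append(f'198.51.100.20 XyZ09876ab msmith [{t}] '
                     f'"GET http://www.otherdb.com/issue/toc.html HTTP/1.1" 200 40960')
    return lines


# constructed stand-in for the timestamps in the vendor's incident log
VENDOR_TIMES = [BASE + timedelta(minutes=2, seconds=30), BASE + timedelta(minutes=5)]

if __name__ == "__main__":
    entries = [e for e in map(parse_line, build_sample_log()) if e]
    for key, stats in summarize(requests_near(entries, VENDOR_TIMES)).items():
        print(key, stats)
    print("would trip UsageLimit -interval=15 -MB=100:", usage_limit_hits(entries, mb=100))
```

Run against a real ezproxy.log, `summarize(requests_near(...))` gives the IP, session ID and username to take to the WhoIs lookup and the /status page, and `usage_limit_hits` over the whole day shows which sessions the 100 MB / 15 minute limit from the settings slide would have suspended on its own.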
(Chart) Visitors during the month of the incident (September 2006), before security was in place: about 1/4 of visitors from China?
(Chart) Visitors currently (February 2007), after security was in place: nearly 90% from the USA, which is where our students actually live
(Chart) Bandwidth during the month of the incident (September 2006), before security was in place: peak is nearly 9 GB
(Chart) Bandwidth currently (February 2007), after security was in place: peak is 1.2 GB






The questions: why did they do it?

Many times legitimate; consider changing your usage limits if it is happening a lot
Just need the resource? But why whole journals/volumes?
Text not available in the home country? Censorship? Government?
Just for the hack of it? Black market?







The questions: how do they do it?

Bots: programs for mass downloading
Hacking? No …?
Stealing passwords? Yes: crack sites, guessing passwords, overheard passwords, passwords obtained by trojan or keylogger, no password policy at the institution, giving passwords away willingly
One such crack site (are you in there? scared?):
http://chudeyong.91.tc/resources/aboard.htm

Your questions?