Butler - Security Lessons Learned from an Ezproxy Admin
2 likes1,117 views
This document outlines a presentation about lessons learned from auditing EZproxy logs as an EZproxy administrator. EZproxy is a web proxy server used by libraries to provide remote access to restricted resources. The presentation covers what EZproxy is, reviewing EZproxy log files and security features, performing a security audit, post-review activities, advanced tools, and security lessons learned. Key points include taking geolocation data with skepticism, the value of failed login attempts, finding balance with usage limits, and automating auditing while still using human judgment.
![A Review of EZproxy Log Files, continued
Ball State University
• Ex: ezproxy201611.log
• 102.XX.XX.XXX 8MxydoKBwdLhVE1 USERNAME [08/Nov/2016:09:41:06 -0500] "GET
http://bsu.summon.serialssolutions.com:80/ HTTP/1.1" 200 17180
"http://www.rclweb.net.proxy.bsu.edu/TitleDetail/DetailedView?hreciid=|7861093|53073089&mc=U
SA&ht=1&click=newtitle"
• 102.XX.XX.XXX 8MxydoKBwdLhVE1 USERNAME [08/Nov/2016:09:41:11 -0500] "GET
http://bsu.summon.serialssolutions.com:80/api/search?pn=1&ho=t&fvf%5B%5D=SourceType%2CL
ibrary+Catalog%2Cf&l=en&q=Technical+Communication HTTP/1.1" 200 14010
"http://bsu.summon.serialssolutions.com.proxy.bsu.edu/"
• 102.XX.XX.XXX 8MxydoKBwdLhVE1 USERNAME [08/Nov/2016:09:41:27 -0500] "GET
http://bsu.summon.serialssolutions.com:80/2.0.0/availability/SB6NW2TX4E?s.id=KGK+778758&s.i
d=KGK+1136745&s.id=KGK+1669664&s.id=KGK+1589219&s.id=KGK+417000&s.id=KGK+12771
55&s.id=KGK+221368&s.id=KGK+244958&s.id=KGK+527175&s.id=KGK+23691&uilang=en
HTTP/1.1" 200 7621 "http://bsu.summon.serialssolutions.com.proxy.bsu.edu/"](https://image.slidesharecdn.com/butler-nov16-161116200143/85/Butler-Security-Lessons-Learned-from-an-Ezproxy-Admin-8-320.jpg)
Butler - Security Lessons Learned from an Ezproxy Admin
- 1. Ball State University Security Lessons Learned from an EZproxy Administrator Paul R Butler
- 2. • What is EZproxy? • Why Talk About EZproxy? • What are we trying to identify? • Tools of the Trade • A Review of EZproxy Log Files • A Review of a Few EZproxy Security Features • Performing a Security Audit with EZproxy • Post Review Activities • Advanced Tools • Some Security Lessons Learned • Next Steps • Questions? Presentation Outline Ball State University
- 3. EZproxy is a web proxy server used by libraries to give access from outside the library's computer network to restricted-access websites that authenticate users by IP address. This allows library patrons at home or elsewhere to log in through their library's EZproxy server and gain access to bibliographic databases and the like to which their library subscribes. What is EZproxy? Ball State University - From the Ezproxy Wikipedia article on 2016-11-11. https://en.wikipedia.org/wiki/EZproxy
- 4. • Large market share in the industry • The canary in the coal mine • Talking about EZproxy’s capabilities with publishers & vendors improves communication down the road • Lessons learned can be useful in other products Why talk about EZproxy? Ball State University
- 5. • Different type of compromised accounts • The Vacuum • Scripted Attack • The Lone Wolf • Individual User • The Swarm • Individual User That Gets Shared • IP addresses • Referrers What are we trying to identify? Ball State University
- 6. • ILS, Banner, Social Media (LinkedIn), etc. • IP Address Geolocation Information • MaxMind - https://www.maxmind.com • Aggregate geolocation website - https://www.iplocation.net • Grep & Regular Expressions (regex) • Cygwin on a Windows machine • https://www.cygwin.com • NotePad++, Excel, Access, etc. • https://notepad-plus-plus.org Tools of the Trade Ball State University
- 7. A Review of EZproxy Log Files Ball State University Ex: audit20161111.txt
- 8. A Review of EZproxy Log Files, continued Ball State University • Ex: ezproxy201611.log • 102.XX.XX.XXX 8MxydoKBwdLhVE1 USERNAME [08/Nov/2016:09:41:06 -0500] "GET http://bsu.summon.serialssolutions.com:80/ HTTP/1.1" 200 17180 "http://www.rclweb.net.proxy.bsu.edu/TitleDetail/DetailedView?hreciid=|7861093|53073089&mc=U SA&ht=1&click=newtitle" • 102.XX.XX.XXX 8MxydoKBwdLhVE1 USERNAME [08/Nov/2016:09:41:11 -0500] "GET http://bsu.summon.serialssolutions.com:80/api/search?pn=1&ho=t&fvf%5B%5D=SourceType%2CL ibrary+Catalog%2Cf&l=en&q=Technical+Communication HTTP/1.1" 200 14010 "http://bsu.summon.serialssolutions.com.proxy.bsu.edu/" • 102.XX.XX.XXX 8MxydoKBwdLhVE1 USERNAME [08/Nov/2016:09:41:27 -0500] "GET http://bsu.summon.serialssolutions.com:80/2.0.0/availability/SB6NW2TX4E?s.id=KGK+778758&s.i d=KGK+1136745&s.id=KGK+1669664&s.id=KGK+1589219&s.id=KGK+417000&s.id=KGK+12771 55&s.id=KGK+221368&s.id=KGK+244958&s.id=KGK+527175&s.id=KGK+23691&uilang=en HTTP/1.1" 200 7621 "http://bsu.summon.serialssolutions.com.proxy.bsu.edu/"
- 9. • Audit Most • Audit Session.IPChange • IntruderIPAttempts • IntruderUserAttempts • Location • LogFormat • Option BlockCountryChange • UsageLimit A Review of a Few EZproxy Security Features Ball State University
- 10. Performing a Security Audit with EZproxy Ball State University • Events • IP • Location • Username • Other
- 11. Performing a Security Audit with EZproxy, continued Ball State University • Events • IP • Location • Username • Other
- 12. Performing a Security Audit with EZproxy, continued Ball State University • Events • IP • Location • Username • Other
- 13. Performing a Security Audit with EZproxy, continued Ball State University • Events • IP • Location • Username • Other
- 14. Performing a Security Audit with EZproxy, continued Ball State University • Events • IP • Location • Username • Other
- 15. • Add items from the audit files to my notes file as needed. • Block users from EZproxy that I have deemed compromised. Terminate active sessions. • Block IP addresses and referrers from EZproxy that were used for illegitimate activity. • Report compromised user accounts to the University’s security team. • Report IP addresses from other institutions used for illegitimate activity to that institution. • Report IP addresses used for illegitimate activity to the Ezproxy IP Blacklist. Post Review Activities Ball State University
- 16. • EZproxy conditionals • IfCountry • IfIP • https://github.com/prbutler/EZProxy_IP_Blacklist • IfReferer • Daily audit file analysis • EZProxy Audit Log Email Script • https://github.com/prbutler/EZProxy_Audit_Log_Email_Script • Web server log file analysis • Ex: EzPAARSE - http://ezpaarse.couperin.org • Real-time log file analysis • Code4Lib article “A Novel Open Source Approach to Monitor EZproxy Users’ Activities” Advanced Tools Ball State University
- 17. • Take geolocation information with a heaping pile of salt. • Honeypots are a good thing. • Failed attempts are valuable information; learn from compromised access. • You can find a good balance for usage limits, but one size does not fit all vendors and users. • Get familiar with your users and their behaviors. • You will need to invest time and resources. • Automate what you can, but humans are still useful. Some Security Lessons Learned Ball State University
- 18. • Expand the conversation • Increase the dialogues we are already having • EZproxy listserv • ezproxy-request@ls.suny.edu • http://www.oclc.org/support/services/ezproxy/documentation/list.en.html • Thank you to NISO, the other speakers, and those listening. Next Steps Ball State University
- 19. Questions? Ball State University Paul R Butler Library Technologies Support Analyst @ Ball State University PRBUTLER@BSU.EDU