Session 83 EndUser 07
EZproxy: Secure it Easily
Todd King – todd.king@eku.edu
http://people.eku.edu/kingt/proxy
Eastern Kentucky University Libraries
• The problem: systematic downloading
• The solution: secure EZproxy
• The settings: configuration code
• The culprits: tracking them down
• The questions: how and why did they do it?
The problem
• Systematic downloading from a vendor's site: all volumes of one title in a short time period, against the vendor's terms of service
• It came through our EZproxy server (uh-oh)
• The vendor sent me their log for the time of the incident, to compare with EZproxy's log for the same period
The solution
• Stop the downloading quickly
• Enable the basic security settings
• usefulutilities.com/support/example/securing.html
The settings: configuration code (example)
Put this in the ezproxy.cfg file and restart EZproxy:
• Audit Most
• AuditPurge 7
• Option StatusUser
• Option LogSession
• IntruderIPAttempts -interval=5 -expires=15 20
• IntruderUserAttempts -interval=5 -expires=15 10
• UsageLimit -enforce -interval=15 -expires=120 -MB=100 Global
Audit
Examples:
• Audit Most
• Audit Most Login.Success.Groups
• Audit Most -Unauthorized (everything in Most except Unauthorized events)
Auditing means recording events. You can choose which events to log:
• Most: all of the events marked * below
• Login.Success *: successful login to EZproxy
• Login.Success.Groups: the same, but also records the user's groups when groups are in use
• Login.Failure *: unsuccessful login to EZproxy
• Login.Intruder.IP *: many failed login attempts from the same IP address
• Login.Intruder.User *: many failed login attempts with the same username
• System *: EZproxy startup events and the like
• Unauthorized *: someone tries to view the /admin page without permission
• UsageLimit *: a user exceeds the UsageLimit settings
AuditPurge
Example: AuditPurge 14
• How long (in days) to keep the records of audited events
• Default is 7 days
(Screenshots: the list of audit files and the list of audit events on the /audit page.)
Options
• Option StatusUser: show the username on the /status page, so you can see who is online
• Option LogSession: record the session ID in the log file, so a user's activity can be cross-referenced with the log
(Screenshot: the list of sessions, including user and session ID, on /status.)
IntruderIPAttempts
Example: IntruderIPAttempts -interval=5 -expires=15 -reject=50 20
• interval: how many minutes of failed attempts to count before taking action
• expires: how long (in minutes, after the last attempt) until the IP's blocked status is cleared
• reject: if the number of failed login attempts from this IP reaches this number within the interval, the IP is rejected and must be cleared manually before it can log in again
• the trailing number (20 here): how many failed login attempts within the interval trigger the block
(Diagram: 20 attempts within 5 minutes, IP blocked; 15 minutes without attempts, IP unblocked; 50 attempts within 5 minutes, IP rejected and must be unblocked manually.)
In the example, if the number of failed attempts from an IP address reaches 20 within the 5-minute interval, the IP is blocked, but after attempts stop for 15 minutes the block expires. If the attempts reach 50 within 5 minutes, the IP is "rejected": the expires setting has no effect, and the IP must be cleared manually on the /intrusion page.
IntruderUserAttempts
Example: IntruderUserAttempts -interval=5 -expires=15 10
• The same as IntruderIPAttempts, but it blocks the username rather than the IP address
(Diagram: 10 attempts within 5 minutes, username blocked; 15 minutes without attempts, username unblocked.)
In the example, if the number of failed attempts for a username reaches 10 within the 5-minute interval, the username is blocked; after attempts stop for 15 minutes the block expires. The block can also be cleared manually on the /intrusion page before the 15 minutes are up.
(Screenshot: the /intrusion list of IPs and usernames blocked for too many failed login attempts.)
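To see how the -interval, -expires and -reject numbers interact before you commit them to ezproxy.cfg, here is an added example (not EZproxy's own code and not from the slides) that models the intruder counters described above as a sliding window of failed logins per IP address or username. The IP addresses, usernames and timestamps are constructed for the demonstration, and the IntruderTracker class and its state names are the example's own, not EZproxy identifiers.

```python
"""Sliding-window model of EZproxy's IntruderIPAttempts / IntruderUserAttempts.

Added example, not EZproxy's own code: it reproduces the behaviour the
slides describe so the -interval/-expires/-reject numbers can be tried out
against constructed bursts of failed logins.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


class IntruderTracker:
    """One tracker per directive; `key` is an IP (IntruderIPAttempts) or a
    username (IntruderUserAttempts)."""

    def __init__(self, interval, expires, attempts, reject=None):
        self.interval = timedelta(minutes=interval)   # -interval
        self.expires = timedelta(minutes=expires)     # -expires
        self.attempts = attempts                      # trailing count on the directive
        self.reject = reject                          # -reject (None = not set)
        self.recent = defaultdict(deque)              # key -> failure times inside the interval
        self.blocked_until = {}                       # key -> when the block lapses
        self.rejected = set()                         # keys that need manual clearing

    def failed_login(self, key, when):
        """Record a failed login at time `when`; return the key's state afterwards."""
        if key in self.rejected:
            return 'rejected'
        q = self.recent[key]
        q.append(when)
        while when - q[0] > self.interval:       # forget failures older than -interval
            q.popleft()
        if self.reject is not None and len(q) >= self.reject:
            self.rejected.add(key)                # -expires has no effect from here on
            return 'rejected'
        if len(q) >= self.attempts or self.state(key, when) == 'blocked':
            # reaching the count blocks; any failure while blocked restarts -expires
            self.blocked_until[key] = when + self.expires
            return 'blocked'
        return 'ok'

    def state(self, key, when):
        """Current state without recording anything (what a login check would consult)."""
        if key in self.rejected:
            return 'rejected'
        until = self.blocked_until.get(key)
        return 'blocked' if until is not None and when < until else 'ok'

    def clear(self, key):
        """What an administrator does on the /intrusion page."""
        self.rejected.discard(key)
        self.blocked_until.pop(key, None)
        self.recent.pop(key, None)


def demo():
    """Replay constructed failure bursts against the slides' settings."""
    out = {}
    ip = IntruderTracker(interval=5, expires=15, attempts=20, reject=50)
    t0 = datetime(2006, 9, 14, 2, 0, 0)       # constructed incident time
    # 20 failures six seconds apart: the 20th trips the block, 15 quiet minutes clear it
    s = [ip.failed_login('203.0.113.5', t0 + timedelta(seconds=6 * i)) for i in range(20)]
    out['after_19'], out['after_20'] = s[18], s[19]
    out['after_15min_quiet'] = ip.state('203.0.113.5', t0 + timedelta(minutes=17, seconds=1))
    # 50 failures in three minutes: blocked at 20, rejected at 50, quiet does not help
    t1 = t0 + timedelta(minutes=30)
    s = [ip.failed_login('198.51.100.9', t1 + timedelta(seconds=3.6 * i)) for i in range(50)]
    out['burst_at_20'], out['burst_at_50'] = s[19], s[49]
    out['rejected_after_hour'] = ip.state('198.51.100.9', t1 + timedelta(hours=1))
    ip.clear('198.51.100.9')
    out['after_manual_clear'] = ip.state('198.51.100.9', t1 + timedelta(hours=1))
    # IntruderUserAttempts -interval=5 -expires=15 10: same logic keyed by username
    user = IntruderTracker(interval=5, expires=15, attempts=10)
    s = [user.failed_login('someuser', t0 + timedelta(seconds=20 * i)) for i in range(10)]
    out['user_after_10'] = s[9]
    return out


if __name__ == '__main__':
    for name, state in demo().items():
        print(f'{name:20s} {state}')
```

The part worth trying with your own numbers is the interaction of the two windows: -interval decides how fast a burst must be to count, -expires how long a blocked key stays out, and -reject is the only threshold that survives a quiet period. A -reject value below the block count would make the block unreachable, so keep it larger.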
UsageLimit
• Detects when a user is downloading excessive amounts of content and automatically suspends the user's access
• The suspension can be set to expire automatically
• Different limits can be set for particular databases (granular)
Options:
• enforce: turns enforcement on; without it, usage is monitored but the user is not suspended
• interval: how many minutes of activity to count before taking action
• MB: how many megabytes may be downloaded within the interval before the user is suspended
• transfers: how many page requests are permitted within the interval before the user is suspended
• expires: how long (in minutes, after the last activity) until the user's suspension is cleared
• end: closes a selective usage limit in the database list in ezproxy.cfg
• local: include EZproxy's own special pages in the usage count
UsageLimit example
Example: UsageLimit -enforce -interval=15 -expires=15 -transfers=2000 -MB=500 Global
(Diagram: 2000 transfers/requests within 15 minutes, username suspended, cleared after 15 quiet minutes; 500 MB downloaded within 15 minutes, username suspended, cleared after 15 quiet minutes.)
In the example, if the user's number of transfers reaches 2000, or the user downloads more than 500 MB, within the 15-minute interval, the user is suspended. If you leave out expires, suspended users must be cleared manually on the /usagelimits page.
UsageLimit management
The /usagelimits page shows a summary of your UsageLimit settings, a list of current users and their usage, and the users who have been suspended. Viewing "all" suspensions is linked to the audit files, so clicking it only shows one week (or whatever you set with AuditPurge).
UsageLimit with different databases
UsageLimit -enforce -MB=100 Global
UsageLimit -enforce -expires=180 -transfers=500 Selective
Title Some Database
URL http://www.somedb.com/
Domain somedb.com
UsageLimit -end Selective
Title Other Database
URL http://www.otherdb.com/
Domain otherdb.com
# You do not need to repeat the options
UsageLimit Selective
Title Another Database
URL http://www.anotherdb.com/
Domain anotherdb.com
UsageLimit -end Selective
• "Global" is the name of this UsageLimit setting; you can name it anything you want
• You can use different names for different databases
• In this example, Some Database and Another Database sit inside the Selective blocks (500 transfers, 3-hour suspension), while Other Database sits outside them and is covered only by the Global limit
See log files
• Good for viewing all activity: see it online at the /usage page
• Good for analysis of usage (use a log analyzer application):
• Mach 5 Analyzer: www.mach5.com/products/analyzer/
• Web Log Expert: www.weblogexpert.com/lite.htm
• Bad for taking up space: set up backup and rotation
• Auto-rotate the log files with a batch file and a scheduled task:
• www.usefulutilities.com/support/technote/4w.html (Windows)
• www.usefulutilities.com/support/technote/4.html (Linux/Sun)
Customize EZproxy web pages
On the EZproxy machine, in the docs folder:
• suspend.html: what users see when they have been suspended (blocked)
• reject.html: what users or IP addresses see when they have been rejected
• needhost.html: what users see when a site needs a Host entry added to ezproxy.cfg
• My needhost.html asks the user to copy the text of the page and email it to me; this helps me capture missed Host entries and fix them quickly
• The pages can include special EZproxy codes that show the URL the user was trying to reach
• You need some basic HTML: you can include links, images and CSS customizations such as colors and fonts; make the pages informative
• www.usefulutilities.com/support/docs/
The culprits: tracking them down
• Compare the log files (the vendor's and EZproxy's) for the time of the incident
• From the EZproxy log file, get the IP address
• If Option LogSession is enabled, also get the session ID, and use it to find the username for further investigation within EZproxy
• Take the IP to www.arin.net and do a WhoIs lookup; if it is not in the Americas, try www.ripe.net
• Change settings to track usernames (Option StatusUser)
• Reject the IPs, or just leave them in the suspended state
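As an added example (not the slides' or EZproxy's own code), the script below does the two pieces of log work this talk describes, the UsageLimit-style accounting and the vendor-log/EZproxy-log comparison, over constructed EZproxy log lines. It assumes the default Apache-style LogFormat `%h %l %u %t "%r" %s %b` with the session identifier in the second field, which is assumed here to be where Option LogSession writes it; check your own LogFormat directive and adjust the regular expression if your lines differ. The hosts, session IDs, usernames, URLs, vendor domain and incident window are all constructed. usage_violations applies the -interval, -transfers and -MB thresholds from the UsageLimit example per session, and sessions_hitting lists who was touching the vendor's domain during the window the vendor reported, which gives you the IP address and session ID to take to WhoIs and to /status.

```python
"""Correlate a vendor's incident window with EZproxy log lines and apply
UsageLimit-style accounting.

Added example, not EZproxy's or the slides' own code.  Assumed log format:
  %h %l %u %t "%r" %s %b   (host, session ID, user, time, request, status, bytes)
All hosts, sessions, users, URLs and times below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)$')

# Three constructed lines in the assumed format: a normal reader and one other database
SAMPLE_LINES = [
    '198.51.100.7 K3xQ9 alice [14/Sep/2006:02:00:05 -0400] "GET http://www.somedb.com/journal/v12/i3/art1.pdf HTTP/1.1" 200 1835221',
    '198.51.100.7 K3xQ9 alice [14/Sep/2006:02:09:41 -0400] "GET http://www.somedb.com/journal/v12/i3/art2.pdf HTTP/1.1" 200 2004812',
    '203.0.113.5 Zq81M bob [14/Sep/2006:02:03:00 -0400] "GET http://www.otherdb.com/search?q=x HTTP/1.1" 200 15320',
]


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the assumed format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, session, user, ts, method, url, status, size = m.groups()
    return {'host': host, 'session': session, 'user': user,
            'time': datetime.strptime(ts, '%d/%b/%Y:%H:%M:%S %z'),
            'method': method, 'url': url, 'status': int(status),
            'bytes': 0 if size == '-' else int(size)}        # %b is '-' for no body


def bulk_lines(host, session, user, start, n, step_s, size):
    """Construct n lines of one session fetching numbered PDFs: the systematic-download pattern."""
    lines = []
    for i in range(n):
        t = start + timedelta(seconds=i * step_s)
        lines.append(f'{host} {session} {user} [{t.strftime("%d/%b/%Y:%H:%M:%S %z")}] '
                     f'"GET http://www.somedb.com/journal/v{i // 12 + 1}/art{i % 12 + 1}.pdf HTTP/1.1" 200 {size}')
    return lines


def usage_violations(records, interval, transfers=None, mb=None):
    """Per-session sliding window of `interval` minutes, like
    UsageLimit -interval=<interval> -transfers=<transfers> -MB=<mb>.
    Returns {session: (time of first breach, 'transfers' or 'MB')}."""
    win = timedelta(minutes=interval)
    by_session = defaultdict(list)
    for r in sorted(records, key=lambda r: r['time']):
        by_session[r['session']].append(r)
    breaches = {}
    for sess, recs in by_session.items():
        start, total = 0, 0                      # window start index and bytes inside it
        for i, r in enumerate(recs):
            total += r['bytes']
            while r['time'] - recs[start]['time'] > win:
                total -= recs[start]['bytes']
                start += 1
            if transfers is not None and i - start + 1 >= transfers:
                breaches[sess] = (r['time'], 'transfers')
                break
            if mb is not None and total >= mb * 1024 * 1024:
                breaches[sess] = (r['time'], 'MB')
                break
    return breaches


def sessions_hitting(records, domain, start, end):
    """Requests to `domain` (or a subdomain of it) between start and end, counted per
    (host, session, user): the vendor-log versus EZproxy-log comparison."""
    counts = defaultdict(int)
    for r in records:
        host = urlparse(r['url']).hostname or ''
        if start <= r['time'] <= end and (host == domain or host.endswith('.' + domain)):
            counts[(r['host'], r['session'], r['user'])] += 1
    return dict(counts)


def demo():
    """Constructed incident: one session pulls 300 PDFs of 2 MB in twelve minutes."""
    tz = timezone(timedelta(hours=-4))
    lines = SAMPLE_LINES + bulk_lines('203.0.113.9', 'Pq7Lw', 'carol',
                                      datetime(2006, 9, 14, 2, 1, 0, tzinfo=tz),
                                      300, 2.4, 2 * 1024 * 1024)
    records = [r for r in map(parse_line, lines) if r]
    # UsageLimit -enforce -interval=15 -expires=15 -transfers=2000 -MB=500 Global
    breaches = usage_violations(records, interval=15, transfers=2000, mb=500)
    # the vendor reports mass downloading from www.somedb.com between 02:00 and 02:15
    suspects = sessions_hitting(records, 'somedb.com',
                                datetime(2006, 9, 14, 2, 0, tzinfo=tz),
                                datetime(2006, 9, 14, 2, 15, tzinfo=tz))
    return {'records': records, 'breaches': breaches, 'suspects': suspects}


if __name__ == '__main__':
    d = demo()
    for sess, (when, why) in d['breaches'].items():
        print(f'session {sess} would be suspended at {when:%H:%M:%S} ({why} limit)')
    for (host, sess, user), n in sorted(d['suspects'].items(), key=lambda kv: -kv[1]):
        print(f'{host} session {sess} user {user}: {n} requests to the vendor')
```

Run it against a real ezproxy.log by replacing SAMPLE_LINES with the file's lines and the window with the times from the vendor's log; the session with the high request count is the one whose username you look up on /status, and its host is the one you take to ARIN or RIPE. The accounting is per session here because that is the finest key the log carries; EZproxy's own counter is per user, so a user with two sessions would reach the limit sooner than this model shows.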
(Chart) Visitors during the month of the incident (September 2006), before security was in place: about a quarter of visitors from China?
(Chart) Visitors currently (February 2007), after security was in place: nearly 90% from the USA, which is where our students actually live
(Chart) Bandwidth during the month of the incident (September 2006), before security was in place: peak nearly 9 GB
(Chart) Bandwidth currently (February 2007), after security was in place: peak 1.2 GB
The questions: why did they do it?
• Many times it is legitimate: if it happens a lot, consider changing your usage limits
• They just need the resource? But why whole journals or volumes?
• Text not available in their home country? Censorship? Government?
• Just for the hack of it? Black market?
The questions: how do they do it?
• Bots: programs for mass downloading
• Hacking? No, not really
• Stealing passwords? Yes: crack sites, guessed passwords, overheard passwords, passwords captured by a trojan or keylogger, no password policy at the institution, passwords given away willingly
• One such crack site (are you in there? scared?): http://chudeyong.91.tc/resources/aboard.htm
Your questions?