Security Lessons Learned from an EZproxy Administrator
Paul R Butler, Ball State University

Uploaded by national-information-standards-organization-niso, posted 13-Jan-2017

TRANSCRIPT

Page 1: Security Lessons Learned from an EZproxy Administrator

Paul R Butler, Ball State University

Page 2: Presentation Outline

• What is EZproxy?
• Why Talk About EZproxy?
• What are we trying to identify?
• Tools of the Trade
• A Review of EZproxy Log Files
• A Review of a Few EZproxy Security Features
• Performing a Security Audit with EZproxy
• Post Review Activities
• Advanced Tools
• Some Security Lessons Learned
• Next Steps
• Questions?

Page 3: What is EZproxy?

"EZproxy is a web proxy server used by libraries to give access from outside the library's computer network to restricted-access websites that authenticate users by IP address. This allows library patrons at home or elsewhere to log in through their library's EZproxy server and gain access to bibliographic databases and the like to which their library subscribes."

- From the EZproxy Wikipedia article on 2016-11-11. https://en.wikipedia.org/wiki/EZproxy

Security-relevant consequence: the vendor sees the proxy's IP address, not the patron's, so a stolen patron login looks to the vendor exactly like legitimate campus traffic. That is what makes EZproxy credentials worth attacking and why the proxy's own logs are the place to catch it.

Page 4: Why talk about EZproxy?

• Large market share in the industry
• The canary in the coal mine
• Talking about EZproxy's capabilities with publishers & vendors improves communication down the road
• Lessons learned can be useful in other products

Page 5: What are we trying to identify?

• Different types of compromised accounts
  • The Vacuum: a scripted attack that bulk-downloads content
  • The Lone Wolf: an individual user
  • The Swarm: an individual user whose credentials get shared
• IP addresses used for illegitimate activity
• Referrers (the sites that send compromised sessions to the proxy)

Page 6: Tools of the Trade

• ILS, Banner, Social Media (LinkedIn), etc.
• IP Address Geolocation Information
  • MaxMind - https://www.maxmind.com
  • Aggregate geolocation website - https://www.iplocation.net
• Grep & Regular Expressions (regex)
  • Cygwin on a Windows machine - https://www.cygwin.com
• NotePad++, Excel, Access, etc. - https://notepad-plus-plus.org

Page 7: A Review of EZproxy Log Files

• Ex: audit file \audit\20161111.txt

Page 8: A Review of EZproxy Log Files, continued

• Ex: ezproxy201611.log (access log; each line carries client IP, EZproxy session ID, username, timestamp, request, status, bytes, referrer). The three lines below are one normal user's session:

• 102.XX.XX.XXX 8MxydoKBwdLhVE1 USERNAME [08/Nov/2016:09:41:06 -0500] "GET http://bsu.summon.serialssolutions.com:80/ HTTP/1.1" 200 17180 "http://www.rclweb.net.proxy.bsu.edu/TitleDetail/DetailedView?hreciid=|7861093|53073089&mc=USA&ht=1&click=newtitle"

• 102.XX.XX.XXX 8MxydoKBwdLhVE1 USERNAME [08/Nov/2016:09:41:11 -0500] "GET http://bsu.summon.serialssolutions.com:80/api/search?pn=1&ho=t&fvf%5B%5D=SourceType%2CLibrary+Catalog%2Cf&l=en&q=Technical+Communication HTTP/1.1" 200 14010 "http://bsu.summon.serialssolutions.com.proxy.bsu.edu/"

• 102.XX.XX.XXX 8MxydoKBwdLhVE1 USERNAME [08/Nov/2016:09:41:27 -0500] "GET http://bsu.summon.serialssolutions.com:80/2.0.0/availability/SB6NW2TX4E?s.id=KGK+778758&s.id=KGK+1136745&s.id=KGK+1669664&s.id=KGK+1589219&s.id=KGK+417000&s.id=KGK+1277155&s.id=KGK+221368&s.id=KGK+244958&s.id=KGK+527175&s.id=KGK+23691&uilang=en HTTP/1.1" 200 7621 "http://bsu.summon.serialssolutions.com.proxy.bsu.edu/"
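Added example (editor's code, not from the talk and not Paul Butler's scripts): a small Python triage pass over access-log lines in the layout shown above, sorting hits into the categories from the "What are we trying to identify?" slide. It assumes the log layout corresponds to a LogFormat of `%h %{ezproxy-session}i %u %t "%r" %s %b "%{Referer}i"` (inferred from the sample lines, an assumption), runs on constructed log lines using documentation IP ranges, and uses illustrative thresholds that are not values from the talk. It flags a Vacuum (one session hammering requests), a Swarm (one username from many IPs), a mid-session IP change, and lists referrer hosts for review.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Assumed line layout (matches the slide's sample lines):
#   %h %{ezproxy-session}i %u %t "%r" %s %b "%{Referer}i"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<session>\S+) (?P<user>\S+) '
    r'\[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)"$'
)

# Constructed sample log (not real traffic); IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = [
    # ALICE: normal browsing, one IP, one session, requests seconds apart
    '198.51.100.7 s1legit ALICE [08/Nov/2016:09:41:06 -0500] "GET http://db.example:80/ HTTP/1.1" 200 17180 "http://db.example.proxy.example.edu/"',
    '198.51.100.7 s1legit ALICE [08/Nov/2016:09:41:11 -0500] "GET http://db.example:80/search?q=a HTTP/1.1" 200 14010 "-"',
    '198.51.100.7 s1legit ALICE [08/Nov/2016:09:41:27 -0500] "GET http://db.example:80/article/1 HTTP/1.1" 200 7621 "-"',
    # BOB: the Vacuum, six full-text fetches in three seconds from one session
    '203.0.113.5 s2vac BOB [08/Nov/2016:10:00:00 -0500] "GET http://db.example:80/article/1 HTTP/1.1" 200 50000 "-"',
    '203.0.113.5 s2vac BOB [08/Nov/2016:10:00:00 -0500] "GET http://db.example:80/article/2 HTTP/1.1" 200 50000 "-"',
    '203.0.113.5 s2vac BOB [08/Nov/2016:10:00:01 -0500] "GET http://db.example:80/article/3 HTTP/1.1" 200 50000 "-"',
    '203.0.113.5 s2vac BOB [08/Nov/2016:10:00:01 -0500] "GET http://db.example:80/article/4 HTTP/1.1" 200 50000 "-"',
    '203.0.113.5 s2vac BOB [08/Nov/2016:10:00:02 -0500] "GET http://db.example:80/article/5 HTTP/1.1" 200 50000 "-"',
    '203.0.113.5 s2vac BOB [08/Nov/2016:10:00:03 -0500] "GET http://db.example:80/article/6 HTTP/1.1" 200 50000 "-"',
    # CAROL: the Swarm, one username logging in from three unrelated networks
    '192.0.2.10 s3a CAROL [08/Nov/2016:11:00:00 -0500] "GET http://db.example:80/ HTTP/1.1" 200 1000 "-"',
    '192.0.2.200 s3b CAROL [08/Nov/2016:11:05:00 -0500] "GET http://db.example:80/ HTTP/1.1" 200 1000 "-"',
    '203.0.113.77 s3c CAROL [08/Nov/2016:11:30:00 -0500] "GET http://db.example:80/ HTTP/1.1" 200 1000 "-"',
    # DAVE: a single session whose client IP changes mid-session
    '198.51.100.20 s4chg DAVE [08/Nov/2016:12:00:00 -0500] "GET http://db.example:80/ HTTP/1.1" 200 1000 "-"',
    '203.0.113.9 s4chg DAVE [08/Nov/2016:12:00:30 -0500] "GET http://db.example:80/a HTTP/1.1" 200 1000 "-"',
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def triage(lines, swarm_ips=3, vacuum_rps=1.0, min_requests=5):
    """Bucket activity into the talk's categories.

    Thresholds are illustrative; tune them to your own users' behaviour
    (one size does not fit all vendors and users).
    """
    by_session = defaultdict(list)   # session id -> records
    ips_by_user = defaultdict(set)   # username -> client IPs seen
    referer_hosts = set()            # hosts that sent users to the proxy
    for line in lines:
        rec = parse_line(line)
        if rec is None:              # skip lines that do not parse rather than abort the run
            continue
        by_session[rec["session"]].append(rec)
        ips_by_user[rec["user"]].add(rec["ip"])
        if rec["referer"] not in ("", "-"):
            referer_hosts.add(urlsplit(rec["referer"]).hostname or rec["referer"])

    findings = {"ip_change": [], "swarm": [], "vacuum": [],
                "referer_hosts": sorted(referer_hosts)}
    for sid, recs in by_session.items():
        recs.sort(key=lambda r: r["ts"])
        ips = sorted({r["ip"] for r in recs})
        if len(ips) > 1:             # one session cookie presented from more than one IP
            findings["ip_change"].append((sid, recs[0]["user"], ips))
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        rate = len(recs) / max(span, 1.0)   # requests per second, floor the span at 1s
        if len(recs) >= min_requests and rate >= vacuum_rps:
            findings["vacuum"].append((sid, recs[0]["user"], len(recs), round(rate, 2)))
    for user, ips in ips_by_user.items():
        if len(ips) >= swarm_ips:    # the same credentials used from many networks
            findings["swarm"].append((user, sorted(ips)))
    return findings


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(category, items)
```

The per-user IP count is deliberately kept separate from the per-session IP change: a shared account (the Swarm) usually shows up as many sessions from many networks, each internally consistent, while a mid-session IP change is what a hijacked or relayed session cookie looks like. Geolocation is intentionally left out of the script; the talk's later advice to take geolocation "with a heaping pile of salt" applies before any country-based rule is automated.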

Page 9: A Review of a Few EZproxy Security Features

• Audit Most (turns on audit-event logging)
• Audit Session.IPChange (records a session seen from a new IP address)
• IntruderIPAttempts (locks out an IP after repeated failed logins)
• IntruderUserAttempts (locks out a username after repeated failed logins)
• Location
• LogFormat (controls which fields the access log records)
• Option BlockCountryChange (blocks a session whose IP geolocates to a different country than it started in)
• UsageLimit (caps transfers or megabytes per user over an interval)

Page 10: Performing a Security Audit with EZproxy

• Events
• IP
• Location
• Username
• Other

Pages 11-14: Performing a Security Audit with EZproxy, continued (walkthrough slides repeating the same outline: Events, IP, Location, Username, Other)

Page 15: Post Review Activities

• Add items from the audit files to my notes file as needed.
• Block users from EZproxy that I have deemed compromised. Terminate active sessions.
• Block IP addresses and referrers from EZproxy that were used for illegitimate activity.
• Report compromised user accounts to the University's security team.
• Report IP addresses from other institutions used for illegitimate activity to that institution.
• Report IP addresses used for illegitimate activity to the EZproxy IP Blacklist.

Page 16: Advanced Tools

• EZproxy conditionals: IfCountry, IfIP, IfReferer
  • https://github.com/prbutler/EZProxy_IP_Blacklist
• Daily audit file analysis: EZProxy Audit Log Email Script
  • https://github.com/prbutler/EZProxy_Audit_Log_Email_Script
• Web server log file analysis, e.g. ezPAARSE - http://ezpaarse.couperin.org
• Real-time log file analysis: Code4Lib article "A Novel Open Source Approach to Monitor EZproxy Users' Activities"

Page 17: Some Security Lessons Learned

• Take geolocation information with a heaping pile of salt.
• Honeypots are a good thing.
• Failed attempts are valuable information; learn from compromised access.
• You can find a good balance for usage limits, but one size does not fit all vendors and users.
• Get familiar with your users and their behaviors.
• You will need to invest time and resources.
• Automate what you can, but humans are still useful.

Page 18: Next Steps

• Expand the conversation
• Increase the dialogues we are already having
• EZproxy listserv: [email protected] - http://www.oclc.org/support/services/ezproxy/documentation/list.en.html
• Thank you to NISO, the other speakers, and those listening.

Page 19: Questions?

Paul R Butler
Library Technologies Support Analyst @ Ball State University
[email protected]