butler - security lessons learned from an ezproxy admin
TRANSCRIPT
Ball State University
Security Lessons Learned from an EZproxy Administrator
Paul R Butler
• What is EZproxy?
• Why Talk About EZproxy?
• What are we trying to identify?
• Tools of the Trade
• A Review of EZproxy Log Files
• A Review of a Few EZproxy Security Features
• Performing a Security Audit with EZproxy
• Post Review Activities
• Advanced Tools
• Some Security Lessons Learned
• Next Steps
• Questions?
Presentation Outline
EZproxy is a web proxy server used by libraries to give access from outside the library's computer network to restricted-access websites that authenticate users by IP address. This allows library patrons at home or elsewhere to log in through their library's EZproxy server and gain access to bibliographic databases and the like to which their library subscribes.
What is EZproxy?
- From the Ezproxy Wikipedia article on 2016-11-11. https://en.wikipedia.org/wiki/EZproxy
• Large market share in the industry
• The canary in the coal mine
• Talking about EZproxy’s capabilities with publishers & vendors improves communication down the road
• Lessons learned can be useful in other products
Why talk about EZproxy?
• Different types of compromised accounts
  • Scripted Attack
  • Individual User
  • Individual User That Gets Shared
• The Vacuum
• The Lone Wolf
• The Swarm
• IP addresses
• Referrers
What are we trying to identify?
• ILS, Banner, Social Media (LinkedIn), etc.
• IP Address Geolocation Information
  • MaxMind - https://www.maxmind.com
  • Aggregate geolocation website - https://www.iplocation.net
• Grep & Regular Expressions (regex)
• Cygwin on a Windows machine
  • https://www.cygwin.com
• NotePad++, Excel, Access, etc.
  • https://notepad-plus-plus.org
Tools of the Trade
A Review of EZproxy Log Files
Ex: \audit\20161111.txt
A Review of EZproxy Log Files, continued
• Ex: ezproxy201611.log
• 102.XX.XX.XXX 8MxydoKBwdLhVE1 USERNAME [08/Nov/2016:09:41:06 -0500] "GET http://bsu.summon.serialssolutions.com:80/ HTTP/1.1" 200 17180 "http://www.rclweb.net.proxy.bsu.edu/TitleDetail/DetailedView?hreciid=|7861093|53073089&mc=USA&ht=1&click=newtitle"
• 102.XX.XX.XXX 8MxydoKBwdLhVE1 USERNAME [08/Nov/2016:09:41:11 -0500] "GET http://bsu.summon.serialssolutions.com:80/api/search?pn=1&ho=t&fvf%5B%5D=SourceType%2CLibrary+Catalog%2Cf&l=en&q=Technical+Communication HTTP/1.1" 200 14010 "http://bsu.summon.serialssolutions.com.proxy.bsu.edu/"
• 102.XX.XX.XXX 8MxydoKBwdLhVE1 USERNAME [08/Nov/2016:09:41:27 -0500] "GET http://bsu.summon.serialssolutions.com:80/2.0.0/availability/SB6NW2TX4E?s.id=KGK+778758&s.id=KGK+1136745&s.id=KGK+1669664&s.id=KGK+1589219&s.id=KGK+417000&s.id=KGK+1277155&s.id=KGK+221368&s.id=KGK+244958&s.id=KGK+527175&s.id=KGK+23691&uilang=en HTTP/1.1" 200 7621 "http://bsu.summon.serialssolutions.com.proxy.bsu.edu/"
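The log lines above carry, in order, the client IP, the EZproxy session id, the username, the timestamp, the request, the status, the byte count and the referrer. The following is an added example, not the presenter's code, that parses lines in that format and flags three of the patterns the talk looks for: a session seen from more than one IP (what Audit Session.IPChange records), an account used from several addresses (the shared individual user), and a request rate that looks scripted (the vacuum, in the spirit of UsageLimit). The thresholds, session ids and sample traffic are constructed assumptions, not real data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Field order of the EZproxy log lines shown above: IP, session, user, time, request, status, bytes, referrer.
LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<session>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
                     r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)"$')

def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def audit(lines, max_user_ips=1, max_req_per_min=50):
    """Return {(kind, key): detail}. Thresholds are assumptions; tune them per vendor and user population."""
    session_ips, user_ips, user_times = defaultdict(set), defaultdict(set), defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        session_ips[rec["session"]].add(rec["ip"])
        user_ips[rec["user"]].add(rec["ip"])
        user_times[rec["user"]].append(rec["time"])
    findings = {}
    for sid, ips in session_ips.items():
        if len(ips) > 1:  # the event that "Audit Session.IPChange" writes to the audit file
            findings[("session_ip_change", sid)] = sorted(ips)
    for user, ips in user_ips.items():
        if len(ips) > max_user_ips:  # one account used from several places: shared or hijacked
            findings[("shared_user", user)] = sorted(ips)
    for user, times in user_times.items():
        times.sort()  # sliding window over request times, like UsageLimit -interval
        for i, t in enumerate(times):
            start = i + 1 - max_req_per_min
            if start >= 0 and t - times[start] <= timedelta(minutes=1):
                findings[("vacuum", user)] = len(times)
                break
    return findings

def _line(ip, sid, user, t, url, ref="-"):  # build one constructed line in the format above
    return f'{ip} {sid} {user} [{t:%d/%b/%Y:%H:%M:%S %z}] "GET {url} HTTP/1.1" 200 1234 "{ref}"'

T0 = datetime(2016, 11, 8, 9, 41, 6, tzinfo=timezone(timedelta(hours=-5)))
SAMPLE = [  # constructed traffic: alice is normal, bob's session hops IPs, carol pulls 60 pages in a minute
    _line("203.0.113.5", "SESSaaaaaaaaaa", "alice", T0, "http://bsu.summon.serialssolutions.com:80/"),
    _line("203.0.113.8", "SESSbbbbbbbbbb", "bob", T0, "http://vendor.example/"),
    _line("198.51.100.9", "SESSbbbbbbbbbb", "bob", T0 + timedelta(seconds=40), "http://vendor.example/"),
] + [_line("192.0.2.77", "SESScccccccccc", "carol", T0 + timedelta(seconds=s), f"http://vendor.example/a/{s}") for s in range(60)]
```

Running `audit(SAMPLE)` reports bob's session IP change, bob as a multi-IP user and carol as a vacuum; the same parser can be pointed at a real monthly log with `audit(open(path))`.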
• Audit Most
• Audit Session.IPChange
• IntruderIPAttempts
• IntruderUserAttempts
• Location
• LogFormat
• Option BlockCountryChange
• UsageLimit
A Review of a Few EZproxy Security Features
Performing a Security Audit with EZproxy
• Events
• IP
• Location
• Username
• Other
Performing a Security Audit with EZproxy, continued
• Add items from the audit files to my notes file as needed.
• Block users from EZproxy that I have deemed compromised. Terminate active sessions.
• Block IP addresses and referrers from EZproxy that were used for illegitimate activity.
• Report compromised user accounts to the University’s security team.
• Report IP addresses from other institutions used for illegitimate activity to that institution.
• Report IP addresses used for illegitimate activity to the Ezproxy IP Blacklist.
Post Review Activities
• EZproxy conditionals
  • IfCountry
  • IfIP
  • IfReferer
• EZproxy IP Blacklist
  • https://github.com/prbutler/EZProxy_IP_Blacklist
• Daily audit file analysis
  • EZProxy Audit Log Email Script
  • https://github.com/prbutler/EZProxy_Audit_Log_Email_Script
• Web server log file analysis
  • Ex: EzPAARSE - http://ezpaarse.couperin.org
• Real-time log file analysis
  • Code4Lib article “A Novel Open Source Approach to Monitor EZproxy Users’ Activities”
Advanced Tools
• Take geolocation information with a heaping pile of salt.
• Honeypots are a good thing.
• Failed attempts are valuable information; learn from compromised access.
• You can find a good balance for usage limits, but one size does not fit all vendors and users.
• Get familiar with your users and their behaviors.
• You will need to invest time and resources.
• Automate what you can, but humans are still useful.
Some Security Lessons Learned
• Expand the conversation
• Increase the dialogues we are already having
• EZproxy listserv
  • [email protected]
  • http://www.oclc.org/support/services/ezproxy/documentation/list.en.html
• Thank you to NISO, the other speakers, and those listening.
Next Steps
Questions?
Paul R Butler
Library Technologies Support Analyst @ Ball State University