IntruderIPAttempts

Why Is This Important?

The IntruderIPAttempts directive offers EZproxy administrators a simple and powerful security configuration option to limit unauthorized users from accessing resources through repeated attempts to generate valid credentials. At the same time, it allows room for the possibility that a legitimate user has forgotten their credentials and should not be locked out of the system completely.

When used as an event in combination with the Audit directive, the IntruderIPAttempts directive can help EZproxy administrators identify attempts to compromise EZproxy security and put stronger security controls in place to counter that threat.

IntruderIPAttempts is a position-independent config.txt directive that typically appears toward the top. This directive is used to enable intruder detection based on source IP address to enhance EZproxy security. You can customize the parameters that will cause a user to be blocked from EZproxy based on invalid credentials and IP address using the directive qualifiers in the table below.

The basic format for the IntruderIPAttempts directive is as follows:

IntruderIPAttempts -interval=5 -expires=15 20

In this example, if someone tries to log in to EZproxy with invalid credentials more than 20 times within a 5 minute interval from the same IP address, EZproxy starts blocking further login attempts from that address and records the intrusion attempt in messages.txt, or in the audit log if Audit Most is configured. If 15 minutes pass with no further login attempts, EZproxy clears the intrusion status and allows users to log in from this IP address again.

The following directive statement extends the first by adding a rejection level:

IntruderIPAttempts -interval=5 -expires=15 -reject=100 20

In this example, if the number of invalid login attempts from an IP address reaches 100 within the 5 minute interval, the IP address is treated as a RejectIP address, blocking further access from that address. Unlike the intrusion level, the restriction does not clear automatically when the rejection level is reached. It must be cleared manually using the option to view and clear intrusion attempts on the /admin EZproxy administration page.
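To make the interaction of count, -interval, -expires and -reject concrete, here is an added model of the directive's behaviour in Python. It is not EZproxy's code: the page does not state how EZproxy counts internally, so the sliding window, the assumption that any attempt from a blocked address restarts the -expires timer and still counts toward -reject, and the "threshold reached" (>=) comparison are all assumptions; the IP addresses are constructed documentation-range values.

```python
from collections import defaultdict, deque

class IntruderIPTracker:
    """Model of IntruderIPAttempts -interval=I -expires=E [-reject=R] count.
    Assumed semantics (a model, not EZproxy's source): invalid attempts are
    counted in a sliding window of `interval` minutes; reaching `count` blocks
    the address until `expires` minutes pass with no attempts at all; reaching
    `reject` turns the block permanent until clear() (the /admin manual clear).
    """

    def __init__(self, count, interval, expires, reject=None):
        self.count, self.interval = count, interval
        self.expires, self.reject = expires, reject
        self.failures = defaultdict(deque)  # ip -> minutes of failed attempts
        self.blocked_until = {}             # ip -> minute the block would lapse
        self.rejected = set()               # ips that reached -reject

    def attempt(self, ip, now, valid):
        """Record one login at minute `now`; return 'open', 'blocked' or 'rejected'."""
        if ip in self.rejected:
            return "rejected"
        blocked = now < self.blocked_until.get(ip, float("-inf"))
        if not blocked:
            self.blocked_until.pop(ip, None)   # -expires elapsed: block is cleared
            if valid:
                return "open"                  # good credentials are not counted
        # Bad credentials, or any attempt while blocked, count as a failure.
        window = self.failures[ip]
        window.append(now)
        while window[0] <= now - self.interval:  # forget failures older than -interval
            window.popleft()
        if self.reject is not None and len(window) >= self.reject:
            self.rejected.add(ip)
            return "rejected"
        if blocked or len(window) >= self.count:
            self.blocked_until[ip] = now + self.expires  # each attempt restarts -expires
            return "blocked"
        return "open"

    def clear(self, ip):
        """Manual clear, as from the /admin intrusion page."""
        self.rejected.discard(ip)
        self.blocked_until.pop(ip, None)
        self.failures.pop(ip, None)

if __name__ == "__main__":
    t = IntruderIPTracker(count=20, interval=5, expires=15, reject=100)
    # Constructed: 21 wrong passwords from one address at six-second spacing.
    for i in range(21):
        print(f"attempt {i + 1}: {t.attempt('203.0.113.7', i * 0.1, False)}")
```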

Note: This directive replaced the IntruderAttempts and IntruderTimeout directives.

Qualifiers

The following qualifiers should be added to your IntruderIPAttempts directive to specify when to block a user who repeatedly attempts to use invalid credentials from the same IP address. Replace the placeholder (minutes, count) with the numerical value you want to use as the parameter.

Qualifier            Description
-interval=minutes    Number of minutes in which the count from an IP address must be reached in order for EZproxy to start blocking all login attempts from that address.
-expires=minutes     Number of minutes which must pass with no further login attempts from a blocked IP address before EZproxy will stop blocking login attempts from that address.
count                Number of login attempts from an IP address using invalid information that must occur during the -interval before EZproxy starts blocking all login attempts from that address.

Additional Options

Option               Description
-reject=rejectcount  Number of login attempts from an IP address using invalid information that must be reached during the -interval before EZproxy treats the IP address as a RejectIP address, blocking all further logins from that address until the restriction is manually cleared using the option on the EZproxy Administration Page.

If you are uncertain about initial security configurations to use with the IntruderIPAttempts directive, you can begin with the following:

IntruderIPAttempts -interval=5 -expires=15 20

This provides a baseline security setting that blocks any user who tries to log in from a single IP address with invalid information more than 20 times within a 5 minute period. After 15 minutes, if no other users attempt to log in from that IP address, EZproxy stops blocking users from that IP address. These are good baseline parameters because users legitimately forget passwords: these timeframes and limits give them enough time to try several passwords, and if they still fail to enter the correct credentials, they need wait only 15 minutes to try again.

After this directive has been added to your config.txt file, you should also add Audit Most to your config.txt file so you can monitor your audit logs from your admin page by clicking on the View audit events link. You will see a table similar to the following:

Date/Time  Event              IP               Location      Username   Session           Other
11:00:17   System                                                                         Startup
11:00:17   System                                                                         Purged audit file 20140930.txt
11:00:56   Login.Success      127.0.0.1        US OH Dublin  admin      ypAvVbCo28nsw7y
11:04:00   Login.Intruder.IP  123.456.789.101  US OH Dublin  baduser    ghAvILFw30lwk09
11:10:45   Login.Success      123.789.101.112  US OH Dublin  gooduser   ifJlwElwo50jkl19
12:20:00   Login.Intruder.IP  123.456.789.101  US OH Dublin  baduser    poWlQJ92xjl0ad7
11:24:54   Login.Success      123.123.123.123  US OH Dublin  gooduser2  kIlwkEpoq90el8p
1:20:21    Login.Success      123.123.456.456  US OH Dublin  gooduser3  riOwLF82DjZHgnd2

Look for any events labelled Login.Intruder.IP. If you see repeated blocked logins from the same IP address, first determine whether that address belongs to a legitimate user who is having difficulty understanding how to log in to your EZproxy resources. If you determine that this is not a legitimate user, consider adding a -reject= qualifier to your directive statement so that a user who repeatedly tries to log in from a specific IP address with invalid credentials is blocked as if that IP address were configured as a RejectIP. Your directive statement for this configuration should be as follows:

IntruderIPAttempts -interval=5 -expires=15 -reject=100 20

This keeps the same blocking parameters as above, but places a continuous block on the offending IP address that must be cleared manually from the /admin EZproxy administration page. If you find that one particular IP address continues to cause problems, you might want to add a RejectIP for that address to block it permanently.
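Reviewing the audit table for Login.Intruder.IP events, as described above, can be scripted. The following is an added example, not part of the original page: it groups intrusion events by source address and notes whether the same address ever logged in successfully, which is the first question the text says to ask before deciding on -reject= or RejectIP. The sample rows, addresses, usernames and session ids are constructed, and the table is tab-separated here only so it parses cleanly.

```python
import csv
from collections import defaultdict

# Constructed sample in the shape of the "View audit events" table (tab-separated
# so it parses cleanly; addresses come from documentation ranges, not real hosts).
SAMPLE_AUDIT = """\
Date/Time\tEvent\tIP\tLocation\tUsername\tSession\tOther
11:00:17\tSystem\t\t\t\t\tStartup
11:00:56\tLogin.Success\t127.0.0.1\tUS OH Dublin\tadmin\tsess0001\t
11:04:00\tLogin.Intruder.IP\t203.0.113.7\tUS OH Dublin\tbaduser\tsess0002\t
11:06:11\tLogin.Intruder.IP\t203.0.113.7\tUS OH Dublin\tbaduser2\tsess0003\t
11:10:45\tLogin.Success\t198.51.100.9\tUS OH Dublin\tgooduser\tsess0004\t
11:12:02\tLogin.Intruder.IP\t198.51.100.9\tUS OH Dublin\tgooduser\tsess0005\t
12:20:00\tLogin.Intruder.IP\t203.0.113.7\tUS OH Dublin\tbaduser\tsess0006\t
"""


def triage_intruders(audit_text):
    """Summarise Login.Intruder.IP events per address and flag which look like
    a struggling legitimate user (the same address also logs in successfully)."""
    intruders = defaultdict(lambda: {"events": 0, "usernames": set()})
    successes = defaultdict(int)
    for row in csv.DictReader(audit_text.splitlines(), delimiter="\t"):
        if row["Event"] == "Login.Intruder.IP":
            intruders[row["IP"]]["events"] += 1
            intruders[row["IP"]]["usernames"].add(row["Username"])
        elif row["Event"] == "Login.Success":
            successes[row["IP"]] += 1
    report = {}
    for ip, info in intruders.items():
        if successes[ip]:
            assessment = "also logs in successfully: likely a legitimate user, contact them"
        else:
            assessment = "no successful logins: consider -reject= or RejectIP"
        report[ip] = {"events": info["events"], "usernames": sorted(info["usernames"]),
                      "successes": successes[ip], "assessment": assessment}
    return report


if __name__ == "__main__":
    for ip, summary in triage_intruders(SAMPLE_AUDIT).items():
        print(ip, summary)
```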


The following directives interact with or control functions related to this directive:

Audit
IntruderUserAttempts
RejectIP

This page last revised: March 2, 2015