IntruderUserAttempts

Why Is This Important?

The IntruderUserAttempts directive offers EZproxy administrators a way to stop and discourage security breaches that rely on continued, automated trial and error of passwords against a valid username.

When used as an event in combination with the Audit directive, the IntruderUserAttempts directive can help EZproxy administrators to identify compromised usernames and permanently remove those usernames' access to EZproxy.

IntruderUserAttempts is a position-independent config.txt directive that typically appears toward the top of the file. It enables intruder detection by detecting and blocking repeated failed attempts to log in to EZproxy with the same username, regardless of the source IP address. You can customize the conditions under which a username is blocked after failed login attempts using the directive qualifiers in the table below.

The basic format for the IntruderUserAttempts directive is as follows:

IntruderUserAttempts -interval=5 -expires=15 10

In this example, if someone tries to log in to EZproxy 10 times within a 5 minute period with a valid username and the wrong password, EZproxy will block login attempts for that username until all such attempts have stopped for 15 minutes.

If you are contacted by a valid user who has been blocked from logging on and wishes to continue trying, you can clear IntruderUserAttempts through the /admin EZproxy administration page.

Qualifiers

The following qualifiers should be added to your IntruderUserAttempts directive to specify when to block a user who repeatedly enters the wrong password for a single username. Replace minutes and count with the numerical values you would like to use.

Qualifier | Description
-interval=minutes | Number of minutes within which the count of invalid login attempts for a single username must be reached in order for EZproxy to start blocking all login attempts for that username.
-expires=minutes | Number of minutes that must pass with no further login attempts for a blocked username before EZproxy stops blocking login attempts for that username.
count | Number of login attempts for a username with the wrong password that must occur during the -interval before EZproxy starts blocking all login attempts for that username.

Advanced Example

An example of how to combine all of the security features of EZproxy appears at Securing Your EZproxy Server.

If you are uncertain about initial security configurations to use with the IntruderUserAttempts directive, you can begin with the following:

IntruderUserAttempts -interval=5 -expires=15 10

This provides a baseline security setting that blocks any username for which the wrong password is entered 10 times within a 5 minute period. After 15 minutes, if no more login attempts are made with the blocked username, EZproxy stops blocking it. These are good baseline parameters because users legitimately forget passwords: the timeframe and limit give them enough room to try several passwords, and if they still fail to enter the correct credentials, they only have to wait 15 minutes before trying again.
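To make the blocking behaviour concrete, here is an added Python model of the policy as this page describes it (an illustration written for this page, not EZproxy's own code): failures per username are counted in a sliding -interval window, the username is blocked once count failures fall inside that window, and the block lasts until -expires minutes pass with no attempt at all for that username. It assumes the count-th failure itself is the first blocked attempt and uses the constructed label "Login.Failure" for a plain wrong-password attempt; only "Login.Success" and "Login.Intruder.User" are event names taken from the page.

```python
from collections import deque


class IntruderUserAttempts:
    """Model of 'IntruderUserAttempts -interval=I -expires=E count'.

    Keyed on username only, so the source IP is deliberately ignored,
    matching the directive's 'regardless of source IP address' behaviour.
    Assumption (not stated on the page): the count-th failure is itself
    reported as an intruder event rather than the one after it.
    """

    def __init__(self, count=10, interval=5, expires=15):
        self.count = count
        self.interval = interval * 60   # minutes -> seconds
        self.expires = expires * 60
        self.failures = {}   # username -> deque of failure timestamps
        self.blocked = {}    # username -> time of the last attempt while blocked

    def is_blocked(self, user, now):
        """True while the username is blocked; lifts the block once -expires has passed."""
        last = self.blocked.get(user)
        if last is None:
            return False
        if now - last >= self.expires:
            del self.blocked[user]        # no attempts for -expires minutes
            self.failures.pop(user, None)
            return False
        return True

    def attempt(self, user, password_ok, now):
        """Record one login attempt at time `now` (seconds) and return the audit label."""
        if self.is_blocked(user, now):
            self.blocked[user] = now      # any attempt while blocked restarts the clock
            return "Login.Intruder.User"
        if password_ok:
            self.failures.pop(user, None)
            return "Login.Success"
        window = self.failures.setdefault(user, deque())
        window.append(now)
        while window and now - window[0] > self.interval:
            window.popleft()              # drop failures older than -interval
        if len(window) >= self.count:
            self.blocked[user] = now
            return "Login.Intruder.User"
        return "Login.Failure"            # constructed label for this model
```

Note that a correct password entered while the username is blocked is still refused and extends the block, which is why a legitimate user who keeps retrying never gets unblocked until they stop for the full -expires period.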

After this directive has been added to your config.txt file, you can monitor IntruderUserAttempts in your audit logs from your admin page by clicking the View audit events link. You will see a table similar to the following:

Date/Time | Event | IP | Location | Username | Session | Other
11:00:17 | System | | | | | Startup
11:00:17 | System | | | | | Purged audit file 20140930.txt
11:00:56 | Login.Success | 127.0.0.1 | US OH Dublin | admin | ypAvVbCo28nsw7y |
11:04:00 | Login.Intruder.User | 123.456.789.101 | US OH Dublin | baduser | ghAvILFw30lwk09 |
11:10:45 | Login.Success | 123.789.101.112 | US OH Dublin | gooduser | ifJlwElwo50jkl19 |
12:20:00 | Login.Intruder.User | 123.456.789.101 | US OH Dublin | baduser | poWlQJ92xjl0ad7 |
11:24:54 | Login.Success | 123.123.123.123 | US OH Dublin | gooduser2 | kIlwkEpoq90el8p |
1:20:21 | Login.Success | 123.123.456.456 | US OH Dublin | gooduser3 | riOwLF82DjZHgnd2 |

Look for any events labelled Login.Intruder.User. If you see repeated blocked logins for the same username, first determine whether the IP address and user belong to a valid user who is having difficulty logging in to your EZproxy resources. If you determine that this is not a legitimate user, consider removing the username from your user.txt file, or contact your IT department to consult with them about the username.

Escalating Your Security Parameters


The following directives interact with or control functions related to this directive:

IntruderIPAttempts