Securing Your EZproxy Server

The following lists provide general best practice suggestions for securing your EZproxy server.

General Security Principles (Not just for EZproxy)

Strong username/password policies with periodic changes to passwords are essential for good security. If you do not have the following policies in place, EZproxy security configurations will be much less effective.

  1. Require password changes for everyone at least every 90 days
  2. Require hard-to-guess passwords; this could include requiring at least one capital letter, one number, and one symbol
  3. Don’t share credentials; make sure students, faculty and staff understand that sharing credentials could put library access to resources at risk
  4. Don’t post credentials; do not post credentials that provide access to individual resources on the web unless you are certain the file is private
  5. Turn off patron accounts that are no longer affiliated with your library

Security Harden Your Server: Linux, Solaris or Windows

  1. Keep up to date with vendor-supplied patches/updates
  2. Dedicate the server or VM for EZproxy only
  3. Limit who has access to root or administrator accounts
  4. Have very strict password policies on admin accounts
  5. Don’t run vendor-supplied services that aren’t used on your server
  6. Make sure your server is generating logs and those system logs are:
    • Private (file permissions)
    • Retained (at least a year)
    • Backed up
    • Useful – have login success and failures (at least)
    • Reviewed (set a schedule that works for your institution to review regularly)
  7. Have a Firewall set up to limit network access to/from the EZproxy server

EZproxy Security Best Practices

  1. Keep up to date with EZproxy releases—new releases contain the most up-to-date security settings and options. Always updating to the newest version will help you achieve the highest security rating possible.
  2. Use SSL (https) for login processes—this will ensure that your users’ credentials are encrypted when they log in and reduce the risk of them being stolen. For more information about SSL see SSL Configuration.
  3. Make sure your EZproxy server is generating logs and those logs are:
    • Private (file permissions are set so only EZproxy admins have access to these files)
    • Retained (at least six months so you can review them for repeated, illicit use)
    • Backed up (on a separate server so that you can retrieve them if your EZproxy server is targeted in an attack)
    • Reviewed (create a regular schedule for review so you become familiar with the information in the logs and can more easily spot unusual use)
    EZproxy allows users to customize 4 types of log files to retain information necessary to identify compromised user accounts. For more information, see Log Files.
  4. Make sure auditing is on—this will allow you to quickly review logs by date and review user activity using the “View audit events” option on the EZproxy administration page.
  5. Monitor your server status on the admin page—this will allow you to view all of the logged-in users in real-time.

Other Actions You Can Take

  1. Use Google and search for your institution and “EZproxy” with other strings such as “accounts” or “access e-content” etc. Turn off any credentials you may find.
  2. Turn off users your IT department reports are compromised
  3. Make sure to deny/turn off/delete users for people who are no longer affiliated with your institution
  4. If possible, use your campus IDM system such as LDAP, Active Directory, Shibboleth or CAS instead of maintaining your own usernames/passwords
  5. Make sure your server has the correct date/time
  6. Good password policies!

Control Access to EZproxy

Geography

  1. Use the Location directive and the MaxMind GeoLite file to record and monitor where your users are when they access EZproxy. Use the Audit Most directive to record location information in your audit logs.
  2. Monitor and find patterns in your users’ habits. Should anyone be accessing your resources from outside of the US? If not, see step 3.
  3. Use IfCity, IfCountry, and IfRegion statements in the user.txt file to restrict access from countries where your users should not be accessing EZproxy.

Intrusion Attempts

  1. IntruderUserAttempts & IntruderIPAttempts can be set to automatically block users if they fail to provide valid credentials after a certain number of attempts with either a username or from the same IP address.
  2. When a user is blocked based on one of these directives, Audit Most will cause the offending username or IP address to be recorded in the audit log with a message identifying why the user was blocked.
  3. Events can also be viewed (or cleared if a legitimate user has been blocked) from the EZproxy Administration interface by clicking “View and clear intrusion attempts”
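The blocking behaviour described above, modelled in Python as an added example (this is not EZproxy code and OCLC has not published the server's internal algorithm; the model reproduces only the documented semantics: more than the configured number of failures for one IP address or username within the interval blocks that key for the expiry period, and a clear operation lifts the block the way “View and clear intrusion attempts” does). Keys, timestamps and the audit message format are constructed for the example.

```python
"""Model of IntruderIPAttempts / IntruderUserAttempts semantics (added example,
not EZproxy code). Parameters mirror the directive: attempts, -interval, -expires."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


class IntruderTracker:
    def __init__(self, attempts, interval_minutes, expires_minutes):
        self.attempts = attempts                          # failures allowed inside the window
        self.interval = timedelta(minutes=interval_minutes)
        self.expires = timedelta(minutes=expires_minutes)
        self._failures = defaultdict(deque)               # key -> timestamps of recent failures
        self._blocked_until = {}                          # key -> time the block lapses
        self.audit = []                                   # (time, key, message), like Audit Most rows

    def is_blocked(self, key, now):
        """True while a block on key (an IP address or a username) is in force."""
        until = self._blocked_until.get(key)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[key]                  # -expires elapsed, block lapses
            return False
        return True

    def record_failure(self, key, now):
        """Register one failed login for key; returns True if key is (now) blocked."""
        if self.is_blocked(key, now):
            return True
        window = self._failures[key]
        window.append(now)
        # forget failures older than -interval minutes
        while window and now - window[0] > self.interval:
            window.popleft()
        if len(window) > self.attempts:                   # "more than N times in the interval"
            self._blocked_until[key] = now + self.expires
            window.clear()
            self.audit.append((now, key, "Intruder: blocked after %d failures" % (self.attempts + 1)))
            return True
        return False

    def clear(self, key):
        """Administrator clears a block for a legitimate user who was locked out."""
        self._blocked_until.pop(key, None)
        self._failures.pop(key, None)


def demo():
    """Constructed scenario: a client address failing repeatedly, then an admin clear."""
    tracker = IntruderTracker(attempts=3, interval_minutes=5, expires_minutes=15)
    start = datetime(2016, 5, 24, 9, 0)
    outcomes = [tracker.record_failure("192.0.2.10", start + timedelta(minutes=m))
                for m in (0, 1, 2, 3)]
    tracker.clear("192.0.2.10")
    return outcomes, tracker.is_blocked("192.0.2.10", start + timedelta(minutes=4))


if __name__ == "__main__":
    print(demo())
```

The window is counted per key, so an IP-based block and a username-based block are two independent trackers in practice, just as the two directives are configured separately.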

Monitor Usage

  1. Use UsageLimit Global to record usage without enforcing any limits.
  2. You can view all usage by clicking “View usage limits and intrusion attempts” from the EZproxy Administration page. No usage will be suspended since no parameters for suspension have been entered; however, you can monitor the number of transfers a user makes over a 2 day period and the number of megabytes transferred.

For more details about these and other security configuration options, see the Options tab.


The following files can be used to secure your EZproxy server by assigning specific permissions and including the given configurations.

Before Getting Started

  • “EZproxy Server User” – the username you use to run EZproxy on your server (Windows, Linux, Solaris)
    • Don’t install as root (Linux & Solaris), no root owned files
    • Don’t install as administrator (Windows)
  • Use RunAs config.txt statement on Linux and Solaris if you must bind to reserved IP ports like 80 or 443

General rule: Only the EZproxy Server User should have read/write access to all of the following files and directories; no other access.

  1. Install Directory—where you installed EZproxy, where the EZproxy binary/executable file is located
    • ezproxy-linux.bin (Linux)
    • ezproxy-solaris.bin (Solaris)
    • ezproxy-windows.exe (Windows)
  2. Other Files
    • messages.txt (EZproxy log file)
      • Keep for at least 6 months
      • You can define log rotation naming via MessagesFile statement (see the messages.txt tab under Log Files)
    • user.txt (authentication definitions)
      • Minimize the number of EZproxy admin users
      • If this file is compromised, you most likely will have to change your EZproxy passwords
    • config.txt (configure database stanzas and other
    • ezproxy.log (web access log)
      • Keep for at least 6 months
      • You can define log rotation via LogFile statement
  3. audit Directory – subdirectory where EZproxy audit files are stored
    • Use at least Audit Most configuration
    • Private information is recorded in these files (usernames, login date/time/IP address, etc.)
    • Keep at least 6 months – set by Audit Purge
    • info.usr will allow you to customize audit events in user.txt using Common Conditions and Actions
      • example: IfCountry AS; Audit Denied Non-US Access; Deny -NoAudit deny.htm
      • To use this rule, the Location directive must be enabled so EZproxy can identify the user’s country based on their IP address. This rule would have the following impact:

        Condition/Action Result
        IfCountry AS; If a user is coming from the country “AS” as determined by their IP address
        Audit Denied Non-US Access; Record the username in the audit log with the message “Denied Non-US Access” in the “Other” column of the audit table
        Deny -NoAudit Deny access to the user, but do not add this to the table (the action above allows you to add a more specific message to identify why the user was denied access)
        deny.htm Send the user the deny.htm file saved in your EZproxy directory

      • Sample Audit file data can be seen under the /audit tab on the Audit page
  4. ssl Directory – subdirectory where EZproxy certificate files are kept
    • If the keys in this directory are compromised, your certificates must be replaced
  5. docs Directory and its subdirectories – subdirectory where EZproxy html pages (login, logout, etc) are kept
    Only the EZproxy Server User should have read/write access to these files; others can have read access.
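A way to verify the file-permission rules above on a Linux or Solaris install, as an added example that is not OCLC's code: it walks an install directory, reports any entry not owned by the EZproxy Server User or readable/writable by group or others, and relaxes the rule for the docs subtree (others may read, never write). It also checks that a UMask value masks all group/other bits, as UMask 0077 does. The sample tree it builds under a temporary directory is constructed for the example; the real install path (for instance /usr/local/ezproxy) is an assumption you pass on the command line.

```python
"""Permission audit for an EZproxy install directory (added example, not OCLC code).
Usage: python3 ezproxy_perms.py /path/to/ezproxy  (path is an assumption)."""
import os
import stat
import sys
import tempfile


def umask_is_private(umask_value):
    """True when a UMask directive value removes every group/other permission bit."""
    return (umask_value & 0o077) == 0o077


def check_tree(root, owner_uid, relaxed_subdirs=("docs",)):
    """Return [(path, problem)] for entries that violate the owner-only rule."""
    problems = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if st.st_uid != owner_uid:
                problems.append((path, "owned by uid %d, expected %d" % (st.st_uid, owner_uid)))
            mode = stat.S_IMODE(st.st_mode)
            top = os.path.relpath(path, root).split(os.sep)[0]
            if top in relaxed_subdirs:
                # docs/: read access for others is acceptable, write access is not
                if mode & (stat.S_IWGRP | stat.S_IWOTH):
                    problems.append((path, "group/other writable (mode %o)" % mode))
            elif mode & (stat.S_IRWXG | stat.S_IRWXO):
                problems.append((path, "group/other access (mode %o)" % mode))
    return problems


def build_sample_tree():
    """Constructed install tree with two deliberate mistakes, for demonstration."""
    root = tempfile.mkdtemp(prefix="ezproxy-sample-")
    layout = {                                   # relative path -> mode (dirs end with /)
        "audit/": 0o700, "docs/": 0o755,
        "user.txt": 0o600, "config.txt": 0o644,  # config.txt: world-readable, a mistake
        "docs/login.htm": 0o644, "docs/bad.htm": 0o666,  # bad.htm: world-writable
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel.rstrip("/"))
        if rel.endswith("/"):
            os.makedirs(path)
        else:
            open(path, "w").close()
        os.chmod(path, mode)
    return root


def self_check():
    """Run the audit over the constructed tree; returns offending paths relative to it."""
    root = build_sample_tree()
    return sorted(os.path.relpath(p, root) for p, _ in check_tree(root, os.getuid()))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for path, problem in check_tree(target, os.getuid()):
        print("%s: %s" % (path, problem))
```

Run it as the EZproxy Server User (so os.getuid() is that account), or pass that account's uid explicitly; on a correctly locked-down install the script prints nothing.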

EZproxy config.txt directives can be entered in many combinations to secure your EZproxy server. The most common security configurations employ encryption settings, limits, and monitoring/logging directives to record and limit users’ activity. The following tables provide lists of commonly used security, monitoring, and logging directives available to secure your server.

Login Encryption

One step you can take to increase the security of your users’ credentials and limit the potential for illicit logins with legitimate credentials is to encrypt communication between your users and your EZproxy server. The following directives will allow you to create a secure login page using https and an SSL port. This means, for example, that whenever a user logs in to your EZproxy server, their username and password will be encrypted before transmission instead of being sent in clear text, making it more difficult for those credentials to be stolen.

Before using these directives, you must create an SSL certificate and apply it to your EZproxy server. For more details on how to do this, please see SSL Configuration.

Directive Description
LoginPortSSL This directive enables you to specify the port on which EZproxy should listen for incoming login, menu, and administration requests using https. This directive is necessary if you want to require your users to login using https as defined by the Option ForceHTTPSLogin directive.
Option ForceHTTPSLogin When present, this directive will specify that the user login page always be presented using https, making it a more secure page for logins. Any attempts to access the page using http will be redirected to the https page.
Option ForceHTTPSAdmin When present, this directive will specify that the admin login page always be presented using https, making it a more secure page for logins. Any attempts to access the admin page using http will be redirected to the https page.

Additional Encryption Options

Secure Sockets Layer (SSL) is a cryptographic security protocol used to encrypt network information transmissions. SSL has generally been replaced with Transport Layer Security (TLS). EZproxy can support two SSL security options, SSL 2 and SSL 3; however, you can disable these weaker protocols so that only TLS is used. For more details about what version of TLS is currently supported, please see the Release Notes.

Note: In all versions of EZproxy 5.7.44 and greater, SSL 3 is disabled by default.

When entered in your config.txt file, any Option DisableSSL directives that you enter must come before the LoginPortSSL directive.

Directive Description
Option DisableSSL40bit Disables the use of SSL encryption algorithms that use only 40-bits. This directive also disables SSL 2.
Option DisableSSL56bit Disables the use of SSL encryption algorithms that use only 56-bits.
Option DisableSSLv2 Disables the use of SSL 2 handshakes.
SSLCipherSuite This directive allows you to define security settings using SSL Cipher Suite strings.

For more details about each of these security options, please see EZproxy Security FAQ.

Additional Limits Configuration Options

The following directives provide additional security for your EZproxy server, not related to encryption.

Note: Each of the directives below is defined in terms of security. For a more complete definition and discussion of how these directives work for both security and other purposes, please click on the name of the directive.

Directive Description
MaxLifetime This directive closes sessions that remain inactive for longer than a given period of time. This can help minimize the likelihood that a valid session left open on a public computer will be taken over by an illegitimate user.
MaxSessions This directive limits the maximum number of EZproxy sessions that can exist at one time. This helps protect against denial of service attacks that could overwhelm your EZproxy server with traffic and shut it down. Setting a limit appropriate to your server will also help maintain your server’s health.
Option BlockCountryChange Using the Location directive as a reference, this directive disconnects any user whose IP address changes from one country to another during a session.  
UMask This directive provides a numeric value that controls the permissions on files created by the Linux and Solaris versions of EZproxy, using the same syntax as the Linux and Solaris umask command.

Monitoring Security

Once you have configured the above options, OCLC suggests you input the following options in your config.txt to monitor use of your EZproxy resources and help you deal with security breaches if they occur. Monitoring security and your security settings are directly related to log configuration. The list below provides a brief overview of log-related directives that can be useful in monitoring your EZproxy server’s security. For a more detailed discussion of EZproxy log options, please see Log Files Overview and the related directives pages linked there.

Note: Each of the directives below is defined in terms of security. For a more complete definition and discussion of how these directives work for both security and other purposes, please click on the name of the directive.

Directive Description
Audit Most This directive enables you to access use details from your admin page and identify potential problem users.
IntruderIPAttempts This directive allows you to identify and automatically block users who repeatedly attempt to access your EZproxy server from a specific IP address with invalid credentials. A record of each failed attempt will be recorded in your Audit log if you have Audit Most configured.
IntruderUserAttempts This directive allows you to identify and automatically block users who repeatedly attempt to access your EZproxy server with an invalid password for a given username. A record of each failed attempt will be recorded in your Audit log if you have Audit Most configured.
Location When used in combination with Audit Most, this directive enables you to determine where your users are located based on their IP address. This can be useful information in identifying problem use and users.
Option StatusUser This directive causes EZproxy to display the username associated with a login session on the Server Status page, accessible from the admin page. This makes it easier to determine if the same username is being used by many users to gain access to your server.
Option LogSession This directive causes EZproxy to record the session identifier as part of entries in the ezproxy.log or spu.log file when %u is entered as a qualifier with LogFormat or LogSPU. This allows you to cross-reference a user with a user’s browsing activity if needed. The link between user and session is stored in the audit file; this link is automatically broken after the number of days specified in AuditPurge, when the audit file is deleted.
Option LogUser This directive causes EZproxy to record the username as part of entries in the ezproxy.log or spu.log file when %u is entered as a qualifier with LogFormat or LogSPU. This allows you to quickly identify the username used to initiate a problem session and follow up with the appropriate steps necessary to limit that user’s access to resources.

Note: Special configurations in LogFormat and LogSPU are necessary to record BOTH session ID and username. For more information see the Fields to Customize Log Data table on the LogFormat directive page.

UsageLimit This directive provides multiple options for monitoring and then enforcing limits on usage. When entered as UsageLimit Global, this directive allows you to watch users’ activity and see how much data is being transferred to them, which can be helpful in identifying potentially problematic users. Adding additional options to the directive can allow you to enforce specific content transfer limits for specific periods of time.
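The kind of log review the directives above make possible, as an added example (not OCLC code): with Option LogUser and LogFormat %h %l %u %t "%r" %s %b in place, every ezproxy.log entry carries the client address, the username and the bytes transferred, so a short script can summarise per-user client addresses and transfer volume and flag accounts that look shared or that are pulling unusual amounts of content. The log lines are constructed samples in that format, not real EZproxy output, and the thresholds (more than 3 addresses, more than 5 MB) are illustrative starting points.

```python
"""Summarise an ezproxy.log written with LogFormat %h %l %u %t "%r" %s %b and
Option LogUser (added example, not OCLC code; sample lines are constructed)."""
import re
from collections import defaultdict
from datetime import datetime

# %h host, %l ident, %u username (needs Option LogUser), %t [dd/Mon/yyyy:HH:MM:SS zone],
# "%r" request line, %s status, %b bytes ('-' when nothing was sent)
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

SAMPLE_LOG = """\
192.0.2.10 - alice [24/May/2016:09:01:12 -0500] "GET http://example.org/article/1 HTTP/1.1" 200 48213
192.0.2.10 - alice [24/May/2016:09:02:40 -0500] "GET http://example.org/article/2 HTTP/1.1" 200 51002
198.51.100.7 - bob [24/May/2016:09:03:05 -0500] "GET http://example.org/search HTTP/1.1" 200 9120
203.0.113.4 - bob [24/May/2016:09:03:09 -0500] "GET http://example.org/pdf/9 HTTP/1.1" 200 2048000
203.0.113.88 - bob [24/May/2016:09:03:11 -0500] "GET http://example.org/pdf/10 HTTP/1.1" 200 1990000
192.0.2.200 - bob [24/May/2016:09:03:15 -0500] "GET http://example.org/pdf/11 HTTP/1.1" 200 2100000
198.51.100.7 - - [24/May/2016:09:04:00 -0500] "GET http://example.org/login HTTP/1.1" 302 -
"""


def parse_line(line):
    """Parse one log entry into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def summarize(log_text):
    """Per-username set of client addresses and total bytes transferred."""
    ips = defaultdict(set)
    nbytes = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"] == "-":
            continue                      # unparseable line or unauthenticated request
        ips[rec["user"]].add(rec["host"])
        nbytes[rec["user"]] += rec["bytes"]
    return {u: {"ips": sorted(ips[u]), "bytes": nbytes[u]} for u in ips}


def flag_users(summary, max_ips=3, max_mb=5):
    """Usernames seen from more than max_ips addresses or moving more than max_mb MB."""
    flagged = {}
    for user, s in summary.items():
        reasons = []
        if len(s["ips"]) > max_ips:
            reasons.append("%d distinct client addresses" % len(s["ips"]))
        if s["bytes"] > max_mb * 1024 * 1024:
            reasons.append("%.1f MB transferred" % (s["bytes"] / 1048576.0))
        if reasons:
            flagged[user] = reasons
    return flagged


if __name__ == "__main__":
    for user, reasons in flag_users(summarize(SAMPLE_LOG)).items():
        print(user, "->", "; ".join(reasons))
```

Several addresses for one account within minutes is the pattern Option StatusUser lets you see live on the Server Status page; running the same comparison over the retained logs catches it after the fact. Add the Location data from the audit log if you also want to compare countries rather than raw addresses.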

The following example combines all of the directives listed in the overview, placing them in an order that would be appropriate for your config.txt file. The values shown in specific examples are meant as starting points and may not provide the appropriate balance for your server. Whenever changes are made to config.txt, you need to restart EZproxy.

Note: The lines below the directives, beginning with the #, are comments to explain the directive above. These can be deleted or included in your config.txt file as they will not impact your settings. They are meant only to explain the directive.

MaxLifetime 120
#A session idle for 120 minutes is automatically logged out.
MaxSessions 500
#A maximum of 500 sessions may be active at any given time.
UMask 0077
#In Linux & Solaris, access to files is limited to the account used to run EZproxy.
Option DisableSSL40bit
#Disables 40-bit SSL encryption algorithms and SSL 2.
Option DisableSSL56bit
#Disables 56-bit SSL encryption algorithms.
Option DisableSSLv2
#Disables use of SSL 2 handshakes.
LoginPortSSL 443
#Specifies that EZproxy listen for https requests on port 443.
Option ForceHTTPSLogin
#Forces the use of a secure, https login page.
Option ForceHTTPSAdmin
#Forces the use of a secure, https admin page.
Audit Most
#Records a designated set of Audit events in the Audit log.
AuditPurge 180
#Deletes Audit logs older than 180 days.
Option StatusUser
#Displays the username associated with a session on the Server Status page.
Option LogSession
#Records session identifier in ezproxy.log or spu.log files.
Option LogUser
#Records the username in ezproxy.log or spu.log files.
IntruderIPAttempts -interval=5 -expires=15 20
#Causes EZproxy to block login attempts from an IP address if invalid credentials are entered more than 20 times in a 5 minute interval.
IntruderUserAttempts -interval=5 -expires=15 10
#Causes EZproxy to block login attempts from a username that enters the incorrect password more than 10 times within a 5 minute period.
UsageLimit Global
#Records usage, but does not enforce limits. Usage can be viewed on the View Usage Limits and Clear Suspensions page from the /admin webpage.

LogFile -strftime /log/ezlogs/ezp%Y%m%d.log
#Creates daily ezproxy log files.
LogFormat %h %l %u %t "%r" %s %b
#Records information specified by the % options. More detail on the LogFormat page.
LogSPU -strftime /log/spulogs/spu%Y%m%d.log %h %l %u %t "%r" %s %b
#Creates daily spu logs, and records same basic information as LogFormat directive based on % options.

Location -File=GeoLiteCity.dat.gz
#Adds location data to audit logs by relating user’s IP address to the location identified by the GeoLiteCity.dat file.
Option BlockCountryChange
#Blocks users whose country changes (based on Location directive information) in the middle of a session.

This page last revised: May 24, 2016