Securing Your EZproxy Server

Minimum version required

The features described on this page require EZproxy 3.6c GA (2006-03-10) or later.

Example

The following is an example of how to apply all of the EZproxy security options to enhance the security of your EZproxy server. The values shown are meant as starting points and may not provide the appropriate balance for your server.

The directives shown below should be added to your config.txt/ezproxy.cfg file. Whenever you change config.txt/ezproxy.cfg, you must also restart EZproxy for the changes to take effect.

Audit Most
AuditPurge 7
Option StatusUser
Option LogSession
IntruderIPAttempts -interval=5 -expires=15 20
IntruderUserAttempts -interval=5 -expires=15 10
UsageLimit -enforce -interval=15 -expires=120 -MB=100 Global

The Audit directive enables the auditing of key security events. You should review the audit entries on a regular basis using the /admin EZproxy Administration page to determine if any of the other settings may need to be modified based on observed activity.

The AuditPurge directive indicates that only the current audit file plus the audit files of the previous seven days should be retained, with all earlier audit files being automatically deleted.

Option StatusUser directs EZproxy to display the username associated with a login session on the /status Server Status page, making it easier to determine if the same username is being used by many users to gain access to your server.

Option LogSession directs EZproxy to record the session identifier as part of entries in the ezproxy.log file. This allows you to cross-reference a user to that user's browsing activity if needed. The link between user and session is stored in the audit file; this link is automatically broken after the number of days specified in AuditPurge when the audit file is deleted.

IntruderIPAttempts monitors for repeated attempts to log into your EZproxy server from the same IP address, regardless of requested username, then blocks attempts to log in from that IP address.

IntruderUserAttempts monitors for repeated attempts to log into the same username, regardless of source IP address, then blocks attempts to log into that username.

UsageLimit restricts each username to transferring no more than the specified amount of data over the specified interval; if this limit is exceeded, the username is locked out until the expiration specified. When first defining a UsageLimit, it is best to omit -enforce; without it, EZproxy only monitors those who would have exceeded the limit. You can then review the audit file to determine whether the limit appears to affect too many people and, if so, modify the limit. Once everything appears correct, you can add -enforce to enforce the limit.
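
The following is an added example, not part of the original page or of EZproxy itself: a small Python check that reads the text of a config.txt/ezproxy.cfg, reports which of the directives described above are absent, and shows whether each UsageLimit is enforced or monitor-only. It assumes that lines starting with # are comments and that directive names are case-insensitive; the function names and the sample configuration are constructed for illustration.

```python
# Directives taken from the example on this page.
RECOMMENDED = ["Audit", "AuditPurge", "Option StatusUser", "Option LogSession",
               "IntruderIPAttempts", "IntruderUserAttempts", "UsageLimit"]

def parse_directives(text):
    """Map lower-cased directive name -> list of argument lists (one per line)."""
    found = {}
    for raw in text.splitlines():
        words = raw.split()
        # Assumption: blank lines and lines starting with '#' carry no directive.
        if not words or words[0].startswith("#"):
            continue
        key, args = words[0].lower(), words[1:]
        if key == "option" and args:  # key "Option X" by the option name too
            key, args = "option " + args[0].lower(), args[1:]
        found.setdefault(key, []).append(args)
    return found

def review_config(text):
    """Report missing directives, UsageLimit modes and audit retention."""
    found = parse_directives(text)
    report = {
        "missing": [d for d in RECOMMENDED if d.lower() not in found],
        "usage_limits": {},
        "audit_purge_days": None,
    }
    for args in found.get("usagelimit", []):
        flags = {a.lower() for a in args if a.startswith("-")}
        names = [a for a in args if not a.startswith("-")]
        name = names[-1] if names else "(unnamed)"
        mode = "enforced" if "-enforce" in flags else "monitor-only"
        report["usage_limits"][name] = mode
    purge = found.get("auditpurge", [])
    if purge and purge[-1] and purge[-1][0].isdigit():
        report["audit_purge_days"] = int(purge[-1][0])
    return report

# Constructed sample: two directives absent, UsageLimit still in monitoring mode.
SAMPLE = """\
# constructed sample config.txt fragment
Audit Most
AuditPurge 7
Option LogSession
IntruderIPAttempts -interval=5 -expires=15 20
UsageLimit -interval=15 -expires=120 -MB=100 Global
"""

if __name__ == "__main__":
    for field, value in review_config(SAMPLE).items():
        print(f"{field}: {value}")
```

A monitor-only result for a UsageLimit is the expected state while you are still reviewing the audit file to tune the limit.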