IntruderIPAttempts offers EZproxy administrators a simple and powerful security configuration option to limit unauthorized users from accessing resources through repeated attempts to generate valid credentials. At the same time, it allows room for the possibility that a legitimate user has forgotten their credentials and should not be locked out of the system completely. This directive does not safeguard against stolen or misused valid credentials.
When used as an event in combination with the Audit directive, the IntruderIPAttempts directive can help EZproxy administrators to identify compromises to EZproxy security and put stronger security protocols in place to prevent the security threat.
IntruderIPAttempts is a position-dependent config.txt directive that typically appears toward the top of the file. The directive enables intruder detection based on the source IP address to enhance EZproxy security. Using the directive qualifiers, you can customize the thresholds of invalid credentials from a single IP address that will cause EZproxy to block that address.
The following qualifiers should be added to your IntruderIPAttempts directive to specify when to block a user who repeatedly attempts to use invalid credentials from the same IP address. The words minutes and count should be replaced with the numerical value you would like to use as a parameter.
|Qualifier|Description|
|---|---|
|-interval=minutes|Number of minutes in which the count from an IP address must be reached in order for EZproxy to start blocking all login attempts from that address.|
|-expires=minutes|Number of minutes which must pass with no further login attempts from a blocked IP address before EZproxy will stop blocking login attempts from that address.|
|count|Number of login attempts from an IP address using invalid information that must occur during the|
|-reject=count|Number of login attempts from an IP address using invalid information that must be reached during the|
If you are uncertain about initial security configurations to use with the IntruderIPAttempts directive, you can begin with the following:
IntruderIPAttempts -interval=5 -expires=15 20
This will provide you with a baseline security setting that blocks any user who tries to log in from a single IP address with invalid information more than 20 times within a 5-minute period. After 15 minutes, if no other users attempt to log in from that IP address, EZproxy will no longer block users from that IP address. These are good baseline parameters because users legitimately forget passwords: these timeframes and limits give them enough room to try several passwords, and if they fail to enter the correct credentials in this period, they only have to wait 15 minutes to try again.
After this directive has been added to your config.txt file, you should also add Audit Most to your config.txt file so you can monitor your audit logs from your admin page by clicking on the View audit events link. You will see a table similar to the following:
|Time|Event|IP|Location|Session / Details|
|---|---|---|---|---|
|11:00:17|System|||Purged audit file 20140930.txt|
|11:00:56|Login.Success|127.0.0.1|US OH Dublin|ypAvVbCo28nsw7y|
|11:04:00|Login.Intruder.IP|123.456.789.101|US OH Dublin|ghAvILFw30lwk09|
|11:10:45|Login.Success|123.789.101.112|US OH Dublin|ifJlwElwo50jkl19|
|12:20:00|Login.Intruder.IP|123.456.789.101|US OH Dublin|poWlQJ92xjl0ad7|
|11:24:54|Login.Success|18.104.22.168|US OH Dublin|kIlwkEpoq90el8p|
|1:20:21|Login.Success|123.123.456.456|US OH Dublin|riOwLF82DjZHgnd2|
Look for any events labeled Login.Intruder.IP. If you see repeated blocked logins from the same IP address, you may first want to determine whether this IP address belongs to a valid user who is having difficulty understanding and logging in to your EZproxy resources. If you determine that this is not a legitimate user, you may want to consider adding a -reject= qualifier to your directive statement so that a user who repeatedly tries to log in from a specific IP address with invalid credentials will be blocked as if that IP address were configured as a RejectIP. Your directive statement for this configuration should be as follows:
IntruderIPAttempts -interval=5 -expires=15 -reject=100 20
This will maintain the same parameters for blocking as above, but will place a continuous block on the offending IP address once 100 invalid attempts are reached within the interval; that block must be cleared manually from the /admin EZproxy administration page. If you find that one particular IP address continues to cause problems, you might want to add a RejectIP for that address to block it permanently.
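To make the audit review described above repeatable, here is an added example (not part of the OCLC documentation or of EZproxy itself) that counts Login.Intruder.IP events per source IP and separates addresses that have also logged in successfully, which is the first sign of a legitimate user struggling with credentials rather than an intruder. The sample records are constructed from the table above plus one extra row, and the tab-separated layout is an assumption about the audit file, not confirmed by the page.

```python
from collections import Counter

# Constructed sample audit records (time, event, IP, location, session).
# The rows mirror the table above; the final row for 18.104.22.168 is an
# added constructed record. Tab separation is assumed, not taken from the page.
SAMPLE_AUDIT = """\
11:00:17\tSystem\t\t\tPurged audit file 20140930.txt
11:00:56\tLogin.Success\t127.0.0.1\tUS OH Dublin\typAvVbCo28nsw7y
11:04:00\tLogin.Intruder.IP\t123.456.789.101\tUS OH Dublin\tghAvILFw30lwk09
11:10:45\tLogin.Success\t123.789.101.112\tUS OH Dublin\tifJlwElwo50jkl19
12:20:00\tLogin.Intruder.IP\t123.456.789.101\tUS OH Dublin\tpoWlQJ92xjl0ad7
11:24:54\tLogin.Success\t18.104.22.168\tUS OH Dublin\tkIlwkEpoq90el8p
11:31:10\tLogin.Intruder.IP\t18.104.22.168\tUS OH Dublin\tconstructedSess1
"""


def parse_audit(text):
    """Yield (time, event, ip) per non-empty line; short rows get empty cells."""
    for line in text.splitlines():
        if not line.strip():
            continue
        cells = line.split("\t")
        cells += [""] * (5 - len(cells))
        yield cells[0], cells[1], cells[2]


def intruder_counts(text):
    """Number of Login.Intruder.IP block events recorded per source IP."""
    return Counter(ip for _, event, ip in parse_audit(text)
                   if event == "Login.Intruder.IP")


def blocked_and_succeeded(text):
    """IPs that were blocked but also logged in successfully: likely real users
    who forgot a password, so verify them before adding -reject= or RejectIP."""
    succeeded = {ip for _, event, ip in parse_audit(text) if event == "Login.Success"}
    return set(intruder_counts(text)) & succeeded


def repeat_offenders(text, min_blocks=2):
    """IPs blocked at least min_blocks times with no successful login, the
    candidates to review for a -reject= qualifier or a RejectIP entry."""
    legit = blocked_and_succeeded(text)
    return sorted(ip for ip, n in intruder_counts(text).items()
                  if n >= min_blocks and ip not in legit)


if __name__ == "__main__":
    print("blocks per IP:", dict(intruder_counts(SAMPLE_AUDIT)))
    print("blocked but also succeeded:", blocked_and_succeeded(SAMPLE_AUDIT))
    print("review for -reject/RejectIP:", repeat_offenders(SAMPLE_AUDIT))
```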