The following lists provide general best practice suggestions for securing your EZproxy server.
EZproxy security best practices
- Keep up to date with EZproxy releases—new releases contain the most up-to-date security settings and options. Always updating to the newest version will help you achieve the highest security rating possible.
- Use SSL (https) for login processes—this will ensure that your users’ credentials are encrypted when they log in and reduce the risk of them being stolen. For more information about SSL see SSL Configuration.
- Make sure your EZproxy server is generating logs and those logs are:
- Private (file permissions are set so only EZproxy admins have access to these files)
- Retained (at least six months so you can review them for repeated, illicit use)
- Backed up (on a separate server so that you can retrieve them if your EZproxy server is targeted in an attack)
- Reviewed (create a regular schedule for review so you become familiar with the information in the logs and can more easily spot unusual use)
- EZproxy allows users to customize 4 types of log files to retain information necessary to identify compromised user accounts. For more information, see Log Files.
- Make sure auditing is on—this will allow you to quickly review logs by date and review user activity using the “View audit events” option on the EZproxy administration page.
- Monitor your server status on the admin page—this will allow you to view all of the logged-in users in real-time.
Other actions you can take
- Use Google and search for your institution and “EZproxy” with other strings such as “accounts” or “access e-content” etc. Turn off any credentials you may find
- Turn off users your IT department reports are compromised
- Make sure to deny/turn off/delete users for people who are no longer affiliated with your institution
- If possible, use your campus IDM system such as LDAP, Active Directory, Shibboleth or CAS instead of maintaining your own usernames/passwords
- Make sure your server has the correct date/time
- Good password policies!
Control access to EZproxy
- Use the Location directive and the MaxMind GeoLite file to record and monitor where your users are when they access EZproxy. Use the AuditMost directive to record location information in your audit logs.
- Monitor and find patterns in your users’ habits. Should anyone be accessing your resources from outside of the US? If not, see step 3.
- Use IfCity, IfCountry, and IfRegion statements in the user.txt file to restrict access from countries where your users should not be accessing EZproxy.
- IntruderUserAttempts & IntruderIPAttempts can be set to automatically block users if they fail to provide valid credentials after a certain number of attempts with either a username or from the same IP address.
- When a user is blocked based on one of these directives, Audit Most will cause the offending username or IP address to be recorded in the audit log with a message identifying why the user was blocked.
- Events can also be viewed (or cleared if a legitimate user has been blocked) from the EZproxy Administration interface by clicking “View and clear intrusion attempts.”
- Use UsageLimit Global to record usage to the audit log
- You can view all usage by clicking “View usage limits and intrusion attempts” from the EZproxy Administration page. No usage will be suspended since no parameters for suspension have been entered; however, you can monitor the number of transfers a user makes over a 2 day period and the number of megabytes transferred.
For more details about these and other security configuration options, see Options securing your EZproxy server.