Investigating Suspicious Usage with EZproxy Logs
August 10, 2016
Jenny Rosenfeld, Implementation Manager, Hosted EZproxy


Page 1: Investigating Suspicious Usage with EZproxy Logs


Page 2: Agenda

• Dealing with vendor-flagged suspicious activity
• Identifying accounts
• How to respond
• What if the account is not compromised?
• Hosted EZproxy Usage Reports and Security

Page 3: VENDOR-FLAGGED USAGE

Page 4: A vendor contacts you…

• They may have already shut off your library’s access to their resource
• You may be given very little time to identify the user
• Vendor-supplied log snippets
• Date and time stamps are very important

Page 5: Vendor logs

• Will look very different from EZproxy logs

Page 6: What to look for in the vendor log

• Date/time stamp
• Identify a searchable characteristic

Page 7: Search the ezplogs

• Use the ezplog file from the date you identified in the vendor log.
• Grep or search that log for your identifying text.
• Make sure the time stamp is an approximate match.
• Make note of the session ID, for example:

    66.162.36.106 - f31cUjTZNKauIQu [02/Nov/2015:21:23:18 -0500] "GET http://onlinelibrary.wiley.com:80/doi/10.1002/pbfchkn.20815/pdf HTTP/1.1" 404 13113

• You must be using Option LogSession (or Option LogUser) along with %u as part of your LogFormat, so that the session ID (or username) is written into that field.
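The search described on this slide, written out as an added example (not part of the presentation): parse ezplog lines, keep those whose request contains the vendor's identifying text and whose time stamp falls within a few minutes of the vendor's, and tally the session IDs. It assumes the LogFormat `%h %l %u %t "%r" %s %b` with Option LogSession, so the third field is the session ID; only the first sample line is from the slide, the rest are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed ezplog excerpt. The first line is the one shown on the slide; the
# others are made up. Assumed LogFormat: %h %l %u %t "%r" %s %b with
# Option LogSession, so the third field (%u) is the EZproxy session ID.
SAMPLE_EZPLOG = """\
66.162.36.106 - f31cUjTZNKauIQu [02/Nov/2015:21:23:18 -0500] "GET http://onlinelibrary.wiley.com:80/doi/10.1002/pbfchkn.20815/pdf HTTP/1.1" 404 13113
66.162.36.106 - f31cUjTZNKauIQu [02/Nov/2015:21:23:21 -0500] "GET http://onlinelibrary.wiley.com:80/doi/10.1002/pbfchkn.20816/pdf HTTP/1.1" 200 481920
10.20.30.40 - Kq8wRtP2ZmLxo9E [02/Nov/2015:21:25:02 -0500] "GET http://onlinelibrary.wiley.com:80/doi/10.1002/pbfchkn.20817/pdf HTTP/1.1" 200 310224
10.20.30.40 - Kq8wRtP2ZmLxo9E [02/Nov/2015:23:10:44 -0500] "GET http://onlinelibrary.wiley.com:80/journal/12345 HTTP/1.1" 200 20100
198.51.100.7 - Aa1Bb2Cc3Dd4Ee5 [03/Nov/2015:09:02:10 -0500] "GET http://search.example.org:80/results?q=test HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<session>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"   # the %t field, e.g. 02/Nov/2015:21:23:18 -0500

def parse_line(line):
    """Split one ezplog line into its fields; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    return rec

def find_sessions(log_text, needle, vendor_stamp, window_minutes=5):
    """Map session ID -> number of requests whose request line contains `needle`
    and whose time is within +/- window_minutes of vendor_stamp (the vendor's
    time stamp rewritten in the ezplog's %t format, time zone included)."""
    target = datetime.strptime(vendor_stamp, TIME_FMT)
    window = timedelta(minutes=window_minutes)
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and needle in rec["request"] and abs(rec["time"] - target) <= window:
            hits[rec["session"]] = hits.get(rec["session"], 0) + 1
    return hits

if __name__ == "__main__":
    # Vendor reported PDF downloads from its platform at about 21:24 on 2 Nov 2015 (-0500).
    for sid, n in find_sessions(SAMPLE_EZPLOG, "onlinelibrary.wiley.com", "02/Nov/2015:21:24:00 -0500").items():
        print(f"session {sid}: {n} matching request(s); look it up under View Audit Events")
```

Each session ID it prints is what you then paste into the audit-event search on the admin page to recover the username.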

Page 8: Identify the user(s) in question

• Log in to your EZproxy admin page at https://ezproxy.yourlib.edu:2048/admin (substituting your server URL and port number as needed).
• Click the hyperlink View Audit Events under the Current Activity heading.

Page 9: Admin interface

Page 10: Identify the user(s) in question (cont.)

• Set the number of previous days to search back far enough to cover the date in question.
• Place the session ID into the search box.
• Select “Session” from the drop-down list and search.

Page 11: Identify the user(s) in question (cont.)

• Find the session in question. It should match up to the date from the vendor’s logs.
• Identify the user associated with the session.

Page 12: Identifying more users

• Repeat this process as necessary to identify all users associated with the flagged usage.
• It is most likely NOT necessary to search all flagged items. Search a sampling of sessions over different time periods and dates.
• Record all usernames you find.

Page 13: What to do next

• Go back to your main admin page and select “View server status.”
• Search all text on this page for each username to see if there are any active sessions.
• If you find active sessions, click the session ID of any session associated with that user and then click “Terminate the session.”

Page 14: What to do next – Terminate sessions

Page 15: What to do next – follow up

• If appropriate, contact your IT department to let them know you have a potentially compromised user account.
• Give them the username and ask that the password be reset and that the user be blocked from accessing other institutional resources.
• If your IT department cannot act fast enough, you can block usernames in user.txt.
• Authentication method-specific instructions

Page 16: What if the account is not compromised?

• The account may belong to a faculty member or researcher who legitimately needs high-volume access to the resource.
• Refer to license agreements for access terms.
• If a vendor has flagged this usage, it most likely violates these terms.
• You may still need to temporarily block the user to satisfy the vendor.
• Reach out to the user to determine their methods of access.

Page 17: Usage Limits

• You can place UsageLimit Global before any database stanzas in config.txt.
• This simply allows monitoring of usage by user over the last 24 hours.
• From the “View Usage Limits and Clear Suspensions” link on the admin page, you can sort by MB transferred to identify high-use users.

Page 18: HOSTED EZPROXY REPORTS

Page 19: Hosted EZproxy Monthly Reports

• All hosted sites use the same or a similar log format, which allows us to harvest information from audit logs and produce a report each month.
• This report includes information about logins by user, data transferred by user, login failures, geolocation of users, users from multiple geographies, and database sessions and usage.

Page 20: How to monitor HEZP monthly reports

• If you are a Hosted EZproxy library and do not know how to access these reports, email [email protected] to be set up and/or sent instructions.
• Made available monthly, usually by the second week of the month for the previous month’s usage.

Page 21: Location information

Page 22: Location information

• Look for users coming from multiple geographies.
• Look for users coming from geographical regions you might not expect.
• This is not always fraudulent.

Page 23: Login Failures

• The report includes the number of successful logins and login failures by user.
• It also includes a list of users with more than 10 login failures in the month.
• Users with many login failures could indicate a compromised account (or an account that someone is trying to compromise).
• Login failures across the board can also indicate your patrons are unsure which credentials to use to log in.
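The two checks from the location and login-failure slides, as an added example that is not part of the presentation or of the hosted report itself: per-user success/failure counts, the more-than-10-failures list, and users whose successful logins came from more than one country. The event tuple layout, the event names and the IP-to-country table are assumptions; the events themselves are constructed.

```python
from collections import defaultdict

# Constructed login events, modelled on the Login.Success / Login.Failure
# entries in an EZproxy audit log. The tuple layout (time, event, IP, user)
# and the IP-to-country table below are assumptions used for this example.
EVENTS = [
    ("2016-07-01 08:02:11", "Login.Success", "192.0.2.10", "asmith"),
    ("2016-07-01 09:15:40", "Login.Success", "192.0.2.11", "cwu"),
    ("2016-07-02 22:47:03", "Login.Success", "198.51.100.20", "asmith"),
    ("2016-07-03 02:00:00", "Login.Failure", "203.0.113.5", "cwu"),
    ("2016-07-03 02:31:09", "Login.Success", "203.0.113.5", "bjones"),
    ("2016-07-05 14:20:55", "Login.Success", "192.0.2.11", "cwu"),
]
# A constructed burst of twelve failures against one account in one night.
EVENTS += [("2016-07-03 02:%02d:00" % i, "Login.Failure", "203.0.113.5", "bjones") for i in range(12)]

COUNTRY_BY_IP = {"192.0.2.10": "US", "192.0.2.11": "US", "198.51.100.20": "BR", "203.0.113.5": "AU"}
FAILURE_THRESHOLD = 10   # the monthly report lists users with more than 10 failures

def summarize_logins(events):
    """Per-user counts of successful and failed logins, as in the monthly report."""
    counts = defaultdict(lambda: {"success": 0, "failure": 0})
    for _ts, event, _ip, user in events:
        if event == "Login.Success":
            counts[user]["success"] += 1
        elif event == "Login.Failure":
            counts[user]["failure"] += 1
    return dict(counts)

def users_with_many_failures(events, threshold=FAILURE_THRESHOLD):
    """Users whose failure count exceeds the threshold: possibly compromised, or being targeted."""
    summary = summarize_logins(events)
    return sorted(u for u, c in summary.items() if c["failure"] > threshold)

def users_in_multiple_geographies(events, country_by_ip):
    """Users who logged in successfully from more than one country. Worth a look,
    though, as the slides note, not always fraudulent."""
    seen = defaultdict(set)
    for _ts, event, ip, user in events:
        if event == "Login.Success":
            seen[user].add(country_by_ip.get(ip, "unknown"))
    return {u: sorted(c) for u, c in seen.items() if len(c) > 1}

if __name__ == "__main__":
    print(summarize_logins(EVENTS))
    print("more than %d failures:" % FAILURE_THRESHOLD, users_with_many_failures(EVENTS))
    print("multiple geographies:", users_in_multiple_geographies(EVENTS, COUNTRY_BY_IP))
```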

Page 24: Database Usage

• If a particular database shows a dramatic spike in usage from one month to the next, this could indicate a problem.
• It’s a good idea to be familiar with relative patterns of resource usage so that it’s easier to compare over time.

Page 25: Questions?