The IntruderUserAttempts directive offers EZproxy administrators a way to stop and discourage security breaches through continued, computerized trial and error of passwords with a valid username. This directive does not safeguard against stolen or misused valid credentials.
When used as an event in combination with the Audit directive, the IntruderUserAttempts directive can help EZproxy administrators to identify compromised usernames and permanently remove those usernames' access to EZproxy.
IntruderUserAttempts is a position-independent config.txt directive that typically appears toward the top. The directive is used to enable intruder detection based on detecting and blocking repeated failed attempts to log in to EZproxy using the same username regardless of source IP address. You can customize the parameters that will cause a user to be blocked based on failed login attempts using the directive qualifiers in the table below.
If you are contacted by a valid user who has been blocked from logging on and wishes to continue trying, you can clear IntruderUserAttempts through the /admin EZproxy administration page.
The following qualifiers should be added to your IntruderUserAttempts directive to specify when to block a user who repeatedly enters the wrong password for a single username.
||Number of minutes in which the count for invalid login attempts for a single username must be reached in order for EZproxy to start blocking all login attempts for the username.|
||Number of minutes which must pass with no further login attempts for a blocked username before EZproxy will stop blocking login attempts for that username.|
||Number of login attempts for a username using the wrong password that must occur during the
IntruderUserAttempts -interval-5 -expires=15 10
If you are uncertain about initial security configurations to use with the IntruderUserAttempts directive, you can begin with the following:
IntruderUserAttempts -interval=5 -expires=15 10
This will provide you with a baseline security setting that will block any user who enters the wrong password for a single username incorrectly 10 times within a 5 minute period of time. After 15 minutes, if no more attempts to log in are made with the blocked username, EZproxy will no longer block it. These are good baseline parameters to use because users legitimately forget passwords, and these time-frames and limits allow them a sufficient amount of time to test several passwords, and if they fail to enter the correct credentials in this time period, they have to wait only 15 minutes before trying again.
After this directive has been added to your config.txt file, you can monitor IntruderUserAttempts in your audit logs from your admin page by clicking on the View audit events link. You will see a table similar to the following:
|11:00:17||System||Purged udit file 20190930.txt|
|11:00:56||Login.Success||127.0.0.1||US OH Dublin||admin||ypAvVbCo28nsw7y|
|11:04:00||Login.Intruder.User||123.456.789.101||US OH Dublin||baduser||ghAvILFw30lwk09|
|11:10:45||Login.Success||123.789.101.112||US OH Dublin||gooduser||ifJlwElwo50jkl19|
|12:20:00||Login.Intruder.User||123.456.789.101||US OH Dublin||baduser||poWlQJ92xjl0ad7|
|11:24:54||Login.Success||126.96.36.199||US OH Dublin||gooduser2||kIlwkEpoq90el8p|
|1:20:21||Login.Success||123.123.456.456||US OH Dublin||gooduser3||riOwLF82DjZHgnd2|
Look for any events labeled Login.Intruder.User. If you see repeated blocked logins from the same username, you may first want to determine if this IP address and user is a valid user who is having difficulty understanding and logging in to your EZproxy resources. If you determine that this is not a legitimate user, you may want to consider removing this username from your user.txt file or contract your IT department to consult with them on this username.