-----BEGIN PGP SIGNED MESSAGE-----
Do you make use of the audit logs? They will log a username along with a
session id enabling you to identify evil sessions by user, but
importantly, the audit logs are purged away at a specified interval. I
think it defaults to 7 days, but you could decide what purge interval
would be sufficient for your forensics needs. When vendors are notifying
you of malicious activity, it is likely to be within a day or two of the
activity so you might consider keeping your audit log for just 3-4 days.
After the audit log has been rotated away, you no longer have a link
between user ids and the EZproxy session (which I assume you are logging).
Of course, they would still hang around in backups.
On Wed, 19 Nov 2014, Joshua Welker said:
> Balancing security and privacy with EZproxy
> In recent months, we have been contacted several times by one of our
> vendors about our databases being accessed by rogue Chinese IP addresses.
> With the massive proliferation of online security breaches and password
> dumps, attackers are gaining access to student accounts and using them to
> access subscription resources through EZproxy. The vendor catches this
> happening and alerts us sometimes, but probably more often than not we have
> no idea. When we do find out, we force the students to change their
> We currently log IP addresses in EZproxy and can see when one of these
> rogue IP addresses is accessing a resource. However, we do not log user IDs
> in EZproxy, so we can’t tell which student account was compromised. Logging
> the user IDs would be a quick fix, but it has major privacy implications
> for our patrons, as we would have a record of every document they access.
> Have any other institutions encountered this problem? Are any best
> practices established for how to deal with these security breaches?
> I apologize for cross-posting.
> Josh Welker
> Information Technology Librarian
> James C. Kirkpatrick Library
> University of Central Missouri
> Warrensburg, MO 64093
> JCKL 2260
University of Minnesota Libraries
[log in to unmask]
PGP Public Key: http://z.umn.edu/mjbpubkey
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----