-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Do you make use of the audit logs? They will log a username along with a
session id enabling you to identify evil sessions by user, but importantly,
the audit logs are purged away at a specified interval. I think it defaults
to 7 days, but you could decide what purge interval would be sufficient for
your forensics needs. When vendors are notifying you of malicious activity,
it is likely to be within a day or two of the activity so you might consider
keeping your audit log for just 3-4 days. After the audit log has been
rotated away, you no longer have a link between user ids and the EZproxy
session (which I assume you are logging). Of course, they would still hang
around in backups.

http://oclc.org/support/services/ezproxy/documentation/example/securing.en.html

On Wed, 19 Nov 2014, Joshua Welker said:

> Balancing security and privacy with EZproxy
>
> In recent months, we have been contacted several times by one of our
> vendors about our databases being accessed by rogue Chinese IP addresses.
> With the massive proliferation of online security breaches and password
> dumps, attackers are gaining access to student accounts and using them to
> access subscription resources through EZproxy. The vendor catches this
> happening and alerts us sometimes, but probably more often than not we have
> no idea. When we do find out, we force the students to change their
> passwords.
>
> We currently log IP addresses in EZproxy and can see when one of these
> rogue IP addresses is accessing a resource. However, we do not log user IDs
> in EZproxy, so we can't tell which student account was compromised. Logging
> the user IDs would be a quick fix, but it has major privacy implications
> for our patrons, as we would have a record of every document they access.
> Have any other institutions encountered this problem? Are any best
> practices established for how to deal with these security breaches?
>
> I apologize for cross-posting.
>
> Josh Welker
> Information Technology Librarian
> James C. Kirkpatrick Library
> University of Central Missouri
> Warrensburg, MO 64093
> JCKL 2260
> 660.543.8022

- --
++++++++++++++++++++
Michael Berkowski
University of Minnesota Libraries
[log in to unmask]
612.626.6137
PGP Public Key: http://z.umn.edu/mjbpubkey
++++++++++++++++++++
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlRtBYYACgkQ01KJk46VC2YDAwCeM1gZH25iP+44RLqn0onooU7A
wsIAnisnbl3hZcgIknMsPyseCnHo71dQ
=gj8M
-----END PGP SIGNATURE-----
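The correlation Michael describes (access log keyed by session id, audit log linking session id to username, audit entries purged after a retention window) can be scripted. The block below is an added example and is not code from this thread or from EZproxy; it assumes a tab-separated audit layout of timestamp, event, IP, username, other, session, and an access LogFormat that appends `%{ezproxy-session}i` after the client IP. All log lines, usernames, session ids and the "now" timestamp are constructed for the demonstration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample audit log. Assumed layout (not verified against any
# real EZproxy install): timestamp, event, ip, username, other, session.
AUDIT_LOG = """\
2014-11-18 09:12:01\tLogin.Success\t203.0.113.10\tstudent1\t\tAbC123Session
2014-11-19 14:02:44\tLogin.Success\t198.51.100.7\tstudent2\t\tXyZ789Session
2014-11-13 22:15:09\tLogin.Success\t203.0.113.10\tstudent3\t\tOldSession01
"""

# Constructed sample access log, in the shape an assumed LogFormat of
# "%h %{ezproxy-session}i %t \"%r\" %s %b" would produce. No user id is
# logged here; the session id is the only link back to a person.
ACCESS_LOG = """\
203.0.113.10 AbC123Session [18/Nov/2014:09:12:30 -0600] "GET /login?url=http://db.example/ HTTP/1.1" 302 0
203.0.113.10 AbC123Session [18/Nov/2014:09:13:02 -0600] "GET http://db.example/article/1 HTTP/1.1" 200 5123
198.51.100.7 XyZ789Session [19/Nov/2014:14:03:10 -0600] "GET http://db.example/search HTTP/1.1" 200 901
203.0.113.10 OldSession01 [13/Nov/2014:22:16:00 -0600] "GET http://db.example/article/9 HTTP/1.1" 200 4410
"""

# Constructed "current time" so the retention window is reproducible.
NOW = datetime(2014, 11, 19, 16, 0, 0)

ACCESS_RE = re.compile(r'^(\S+) (\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')


def parse_audit(text):
    """Parse audit lines into dicts; blank or malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 6:
            continue
        ts, event, ip, user, _other, session = parts
        entries.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event": event, "ip": ip, "user": user, "session": session,
        })
    return entries


def parse_access(text):
    """Parse access lines; only ip and session are needed for the join."""
    entries = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, session, ts, request, status, _size = m.groups()
        entries.append({"ip": ip, "session": session, "ts": ts,
                        "request": request, "status": int(status)})
    return entries


def apply_retention(audit_entries, now, days):
    """Simulate the audit purge: entries older than now - days are gone."""
    cutoff = now - timedelta(days=days)
    return [e for e in audit_entries if e["ts"] >= cutoff]


def attribute_ip(flagged_ip, audit_entries, access_entries):
    """Map each session seen from flagged_ip to the username the surviving
    audit log recorded for it, or None when that audit entry has been purged."""
    session_user = {e["session"]: e["user"]
                    for e in audit_entries if e["event"] == "Login.Success"}
    result = {}
    for a in access_entries:
        if a["ip"] == flagged_ip:
            result.setdefault(a["session"], session_user.get(a["session"]))
    return result


def investigate(flagged_ip, retention_days, now=NOW):
    """Run the whole chain for one vendor-reported IP under a given retention."""
    audit = apply_retention(parse_audit(AUDIT_LOG), now, retention_days)
    return attribute_ip(flagged_ip, audit, parse_access(ACCESS_LOG))


if __name__ == "__main__":
    for days in (7, 3):
        print(f"retention {days} days:", investigate("203.0.113.10", days))
```

With a 7-day window both sessions from the flagged address resolve to a username; with a 3-day window the older session still shows up in the access log but maps to `None`, which is exactly the privacy trade-off the retention interval buys: the access record survives, the link to a person does not.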