EZProxy Regular Maintenance
log into EZProxy Administration
http://ezproxy.lib.ou.edu/admin
_____________________________________________________
Terminate old sessions:
select View server status under Current Activity
terminate any sessions that weren't started today
click on old Session and then select Terminate session
______________________________________________________
Host Maintenance:
from the View server status screen, select Host Maintenance link at top
near the bottom of the page select "Remove ## hosts that have not been used in over 30 days (requires EZproxy restart)"
select process
select "restart EZproxy"
________________________________________________________
DB Definition Conflicts:
from the Administration screen, select "Check for database definition conflicts" under Miscellaneous.
go line by line and research the issue
this usually means this resource is represented in Loradump.cfg and config.txt (should be only in config.txt)
________________________________________________________
to access EZProxy on my MacBook
ssh lib-3.ezproxy.prod.nor.internal
special pass (weight)
ls /srv/ezproxy
to open the file and see it.
sudo vim /srv/ezproxy/config.txt
i to insert
:wq to write and close
:q! to just close without writing
esc to get out of insert mode
to restart ezproxy:
sudo systemctl status ezproxy (regular password)
__________________________________________
To update the files that the public sees:
sudo vi ./docs/
sudo vi ./docs/suspend.htm
__________________________
our proxy prefix was: http://ezproxy.lib.ou.edu/login?url=
now it's: https://login.ezproxy.lib.ou.edu/login?url=
___________________________________
cd /srv/ezproxy
run this to generate a log
sudo ./simplerotate.sh
____________________________________
Log spelunking:
vim newscript.sh
to edit it; the script is:
# concatenate today's live log with the last three archived days into one local file
sudo cat /srv/ezproxy/ezproxy.log \
  /mnt/autofs/lib-7logs/ezproxy`date +"%Y%m%d"`.log \
  /mnt/autofs/lib-7logs/ezproxy`date +"%Y%m%d" -d "1 day ago"`.log \
  /mnt/autofs/lib-7logs/ezproxy`date +"%Y%m%d" -d "2 day ago"`.log > ./loc_ezproxy.log
sudo chown croberts ./loc_ezproxy.log
# count requests per source IP (field 1), strip uniq's leading spaces, sort busiest first
cut -d ' ' -f 1 "loc_ezproxy.log" | sort | uniq -c > ipaddys.txt
cat ipaddys.txt | sed -e 's/^[[:space:]]*//' > ipadr2.txt
sort -nr ipadr2.txt > ipaddys.txt
rm ipadr2.txt
./newscript.sh to run it
head ipaddys.txt to get ip addys
/opt/ltp/ezproxy_log_search.sh [ipaddy here]
to get the heavy hitters for the past week:
run this on lib-3:
./logcheck.sh
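The heavy-hitter step above, as an added example: this is not newscript.sh or logcheck.sh (whose contents are not in these notes) but a stand-alone script written for this page. It runs over a constructed sample log embedded in the script, ranks source addresses by request count and by bytes served, and flags addresses over a threshold on either measure. The sample lines, the IPs, and the thresholds are made up; the log layout follows the example line later in these notes (ip - session [time] "request" status bytes).

```shell
#!/bin/sh
# Added example for these notes (not the site's newscript.sh / logcheck.sh):
# rank source addresses in an EZproxy-style access log and flag heavy hitters.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT

# Constructed sample log; layout: ip - session [time] "request" status bytes.
# 198.51.100.9 makes the most requests and pulls by far the most bytes.
cat > "$LOG" <<'EOF'
203.0.113.5 - sA [15/Dec/2015:02:12:20 -0600] "GET http://journal.example/a HTTP/1.1" 200 1000
203.0.113.5 - sA [15/Dec/2015:02:12:21 -0600] "GET http://journal.example/b HTTP/1.1" 200 1000
198.51.100.9 - sB [15/Dec/2015:03:01:00 -0600] "GET http://journal.example/c HTTP/1.1" 200 90000
198.51.100.9 - sB [15/Dec/2015:03:01:01 -0600] "GET http://journal.example/d HTTP/1.1" 200 90000
198.51.100.9 - sB [15/Dec/2015:03:01:02 -0600] "GET http://journal.example/e HTTP/1.1" 200 90000
192.0.2.77 - sC [15/Dec/2015:05:00:00 -0600] "GET http://journal.example/f HTTP/1.1" 200 500
EOF

# count_by_ip LOG: "count ip" per line, busiest first (the notes' cut/sort/uniq -c pipeline,
# with uniq's leading spaces stripped so sort -nr sees the number first)
count_by_ip() {
  cut -d ' ' -f 1 "$1" | sort | uniq -c | sed -e 's/^[[:space:]]*//' | sort -nr
}

# top_ips LOG N: the N busiest addresses by request count
top_ips() {
  count_by_ip "$1" | head -n "$2"
}

# bytes_by_ip LOG: total bytes served per address (last field), largest first.
# Lines whose last field is not a number (e.g. "-") are skipped.
bytes_by_ip() {
  awk '$NF ~ /^[0-9]+$/ { b[$1] += $NF } END { for (ip in b) print b[ip], ip }' "$1" | sort -nr
}

# heavy_hitters LOG MIN_REQ MIN_BYTES: addresses over either threshold, one per line.
# Request count alone misses a slow bulk downloader; bytes alone misses a fast crawler.
heavy_hitters() {
  { count_by_ip "$1" | awk -v m="$2" '$1 > m { print $2 }'
    bytes_by_ip "$1" | awk -v m="$3" '$1 > m { print $2 }'; } | sort -u
}

# Stand-alone run with constructed thresholds: more than 2 requests or more than 100000 bytes.
echo "top by requests:"; top_ips "$LOG" 3
echo "top by bytes:";    bytes_by_ip "$LOG"
echo "over threshold:";  heavy_hitters "$LOG" 2 100000
```

Against the real logs, point LOG at loc_ezproxy.log (or the concatenated three-day set) instead of the heredoc and tune the two thresholds to a normal day's traffic; the addresses that come out of heavy_hitters are the ones to feed to /opt/ltp/ezproxy_log_search.sh.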
_________________________________________________________
traceable logins for past three days:
if you log in to lib-3 and run this command:
sudo cat /srv/ezproxy/ezproxy.log \
  /mnt/autofs/lib-7-logs/ezproxy-`date +"%Y%m%d"`.log \
  /mnt/autofs/lib-7-logs/ezproxy-`date +"%Y%m%d" -d "1 day ago"`.log \
  /mnt/autofs/lib-7-logs/ezproxy`date +"%Y%m%d" -d "2 day ago"`.log | \
  grep -E 'https?://(.+)?ezproxy\.lib\.ou\.edu(:(80|443))?/login\?user='
(grep -E is needed for the ?, + and | operators; the ? in /login?user= has to be escaped, otherwise it makes the n optional instead of matching the literal question mark, and the port group is wrapped so the colon is optional together with the port)
You'll get the last 3 days of traceable logins in the ezproxy logs.
__________________________________________________________________
There is now a script you can run on lib-3 to do lateral correlations on IP addresses, sessions, and user accounts.
All you have to do is feed it an IP address as an argument, and it will return related users and ip addresses. Eg.
/opt/ltp/ezproxy_log_search.sh 115.28.104.63
returns
115.28.104.63 - - [15/Dec/2015:02:12:14 -0600] "GET https://ezproxy.lib.ou.edu:443/login?user=wand2999&ticket=e56bf200b7d9b5f7b39212d07d73fc8d%24u1450167129&url= HTTP/1.1" 302 0
____________________________________________________________________
longer version:
the sneakier thieves were starting sessions in one ip space, then shifting the sessions to bots in a completely different ip space. The script does the following:
- get all sessions associated with an ip from the last 3 days
sudo cat /srv/ezproxy/ezproxy.log \
  /mnt/autofs/lib-7-logs/ezproxy-`date +"%Y%m%d"`.log \
  /mnt/autofs/lib-7-logs/ezproxy-`date +"%Y%m%d" -d "1 day ago"`.log \
  /mnt/autofs/lib-7-logs/ezproxy`date +"%Y%m%d" -d "2 day ago"`.log | \
  grep '^219\.152\.30\.144 ' | cut -d ' ' -f 3 | grep -v '^-$' | sort | uniq > uniquesessions.txt
(the grep -v drops the "-" placeholder in the session column; left in the list, it would match every line in the next step)
______________________________________________________________________
- get all ips associated with sessionids
sudo cat /srv/ezproxy/ezproxy.log \
  /mnt/autofs/lib-7-logs/ezproxy-`date +"%Y%m%d"`.log \
  /mnt/autofs/lib-7-logs/ezproxy-`date +"%Y%m%d" -d "1 day ago"`.log \
  /mnt/autofs/lib-7-logs/ezproxy`date +"%Y%m%d" -d "2 day ago"`.log | \
  grep -F -f uniquesessions.txt | cut -d ' ' -f 1 | sort | uniq > uniqueips.txt
________________________________________________________________________
- search for logins associated with dirty ips
sudo cat /srv/ezproxy/ezproxy.log \
  /mnt/autofs/lib-7-logs/ezproxy-`date +"%Y%m%d"`.log \
  /mnt/autofs/lib-7-logs/ezproxy-`date +"%Y%m%d" -d "1 day ago"`.log \
  /mnt/autofs/lib-7-logs/ezproxy`date +"%Y%m%d" -d "2 day ago"`.log | \
  grep -E 'https?://(.+)?ezproxy\.lib\.ou\.edu(:(80|443))?/login\?user=' | \
  grep -F -f uniqueips.txt
_________________________________________________________________
From Jason:
I did a quick writeup of handling account compromises in ezproxy. This may change slightly after I migrate ezproxy off of win2k3, but I'll update the notes. John, I stuck a copy of this in the ltp dropbox folder.
If there is a source IP (e.g. scifinder), add RejectIP entries to ezproxy.cfg, restart ezproxy, and use that IP as a search string in the logs. Otherwise, you will need to get the source IP by correlating timestamps in the log file \\100.100.100.7\f$\logs\ezproxy1. You may need to check the log dated the day after the listed compromise.
Look for session starts with that IP. They will have a 4+4, e.g. GET http://ezproxy.lib.ou.edu:80/login?user=OU4+4GOES_HERE
Here is an example regular expression you could use to find such an entry for 129.199.157.17:
^(129\.199\.157\.17)(.+)("GET http:\/\/ezproxy\.lib\.ou\.edu:80\/login\?user=)([^&]+)&
You can plug that into a regex search in Notepad++ and get hits within that file. If you're on a system with egrep, you can recursively search across all log files for matching entries.
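The three-step lateral correlation described in the "longer version" above, and the per-IP login search in Jason's note, as one added example: this is not /opt/ltp/ezproxy_log_search.sh and not Jason's writeup, but a stand-alone script written for this page that runs the same pivot (IP to session ids, session ids to every IP that used them, those IPs to their login lines and account names) over a constructed sample log. The IPs, session ids, usernames and tickets are all made up; the log layout follows the example line in these notes, with field 3 as the session id (what the notes' cut -d ' ' -f 3 picks out) and "-" there on the login request itself.

```shell
#!/bin/sh
# Added example for these notes (not the site's ezproxy_log_search.sh): lateral
# correlation IP -> sessions -> IPs -> logins over a constructed sample log.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT

# Constructed sample in the notes' log layout: ip - session [time] "request" status bytes.
# alice logs in from 203.0.113.5; her session sessA is then driven from 198.51.100.9,
# which also starts its own session as bob. carol's session never leaves 192.0.2.77.
cat > "$LOG" <<'EOF'
203.0.113.5 - - [15/Dec/2015:02:12:14 -0600] "GET https://ezproxy.lib.ou.edu:443/login?user=alice&ticket=t1&url= HTTP/1.1" 302 0
203.0.113.5 - sessA [15/Dec/2015:02:12:20 -0600] "GET http://journal.example/toc HTTP/1.1" 200 512
198.51.100.9 - sessA [15/Dec/2015:03:01:00 -0600] "GET http://journal.example/article/1 HTTP/1.1" 200 90210
198.51.100.9 - sessA [15/Dec/2015:03:01:05 -0600] "GET http://journal.example/article/2 HTTP/1.1" 200 88100
198.51.100.9 - - [15/Dec/2015:04:00:00 -0600] "GET http://ezproxy.lib.ou.edu:80/login?user=bob&ticket=t2&url= HTTP/1.1" 302 0
198.51.100.9 - sessB [15/Dec/2015:04:00:03 -0600] "GET http://journal.example/article/3 HTTP/1.1" 200 5000
192.0.2.77 - - [15/Dec/2015:04:59:50 -0600] "GET https://ezproxy.lib.ou.edu:443/login?user=carol&ticket=t3&url= HTTP/1.1" 302 0
192.0.2.77 - sessC [15/Dec/2015:05:00:00 -0600] "GET http://journal.example/article/4 HTTP/1.1" 200 5000
EOF

# Login requests as an extended regex. The notes' pattern needs grep -E, and the '?'
# in /login?user= must be escaped: unescaped it makes the 'n' optional instead.
LOGIN_RE='https?://([^/ ]*\.)?ezproxy\.lib\.ou\.edu(:(80|443))?/login\?user='

# sessions_for_ip LOG IP: session ids seen from IP. Whole-field match (no prefix hits
# such as 203.0.113.50), and the "-" placeholder is dropped: fed to grep -F -f it
# would match every line of the log in the next step.
sessions_for_ip() {
  awk -v ip="$2" '$1 == ip && $3 != "-" { print $3 }' "$1" | sort -u
}

# ips_for_sessions LOG SESSION...: every address that used any of those sessions,
# again matching the whole field so a short id cannot hit inside a URL.
ips_for_sessions() {
  log=$1; shift
  printf '%s\n' "$@" | awk 'NR == FNR { want[$1] = 1; next } ($3 in want) { print $1 }' - "$log" | sort -u
}

# logins_for_ips LOG IP...: login request lines originating from those addresses
logins_for_ips() {
  log=$1; shift
  printf '%s\n' "$@" | awk 'NR == FNR { want[$1] = 1; next } ($1 in want)' - "$log" | grep -E "$LOGIN_RE"
}

# users_from_logins: the account name out of each login line, deduplicated
users_from_logins() {
  sed -E 's/.*\/login\?user=([^&" ]+).*/\1/' | sort -u
}

# correlate LOG IP: accounts whose sessions were shared with IP (the notes' one-argument script)
correlate() {
  sessions=$(sessions_for_ip "$1" "$2")
  [ -n "$sessions" ] || return 0
  ips=$(ips_for_sessions "$1" $sessions)
  logins_for_ips "$1" $ips | users_from_logins
}

# Stand-alone run: start from the suspicious address and list the accounts to review.
echo "accounts sharing sessions with 198.51.100.9:"
correlate "$LOG" 198.51.100.9
```

Starting from the bot address 198.51.100.9 this returns alice as well as bob, which is the whole point of the pivot: alice never logged in from that address, but her session was used there. The exact-field awk matches and the "-" filter are the two places the notes' grep -F pipeline can over-match; everything else is the same sequence of steps.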