Discussion:
Audit oddities
McGranahan, Jamen
2014-10-03 15:30:40 UTC
Using EZproxy 5.7.42 GA on RedHat 5:

Was wondering if someone can explain this to me because I don't understand what our Audit log is telling us:

Date/Time  Event               IP            Location          Username           Session          Other
13:34:06   Login.Success       10.66.215.97  US TN Vanderbilt  auto-10.66.215.97  WmdxPAk0MErxTXb  Groups Default AllAlumni
13:34:09   BlockCountryChange  10.66.215.97  US TN Vanderbilt  auto               WmdxPAk0MErxTXb  Session country CN


I understand the "Login.Success" - that is an AutoIP range, but I don't understand why 3 seconds later, there was a block on that same IP because it thought it changed countries? How can that be?

Jamen McGranahan
Systems Services Librarian
Vanderbilt University Library
Central Library
Room 811
419 21st Avenue South
Nashville, TN 37214


---
You are currently subscribed to ezproxy as: gee-***@m.gmane.org.
To unsubscribe, send request to ***@itec.suny.edu
Brian A Helstien
2014-10-03 15:53:40 UTC
James,
You might check to see if that is a VPN address locally. The session key reports that it was attempting to go to
China.

Brian A. Helstien, SISD, MLS,
Director, Special Technologies Initiatives,
Library IT, University Libraries, x06913
University of Southern California, (213) 740-6913
Los Angeles, California, 90089 ***@usc.edu<mailto:***@usc.edu>
Information is independent of media or format

Chris Manly
2014-10-03 17:23:57 UTC
It might be worth checking the logs. I've seen some oddness with BlockCountryChange that I can't explain... things that it kicks out audit lines on that it shouldn't, and things that clearly should have triggered it that didn't.

I'd grep the log file to see if in between the login and the audit event there was traffic from the same session from a different IP. If so, you probably have a compromised user account.

(I've been catching 1-2 per day by looking at BlockCountryChange events.)

--
Christopher Manly
Coordinator, Library Systems
Cornell University Library Information Technologies
***@cornell.edu
607-255-3344

Dave Hoover
2014-10-03 18:45:58 UTC
Chris,

I think it may have to do with the fact that the IP 10.66.215.97
is in the Private 10.0.0.0-10.255.255.255 address range and as such
does not get associated with a country - as anyone anywhere can use
private addresses in that range.

We had an instance where one of our departments was coming into our
proxy from a public IP address, but then the subsequent data was
being sent over a private 10.0.0.2 IP and we were hit by block
Country change errors.


Dave
---
Dave Hoover
Systems Programmer
Rutgers University Libraries
***@rci.rutgers.edu

Once in awhile you can get shown the light
in the strangest of places if you look at it right.
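To make Chris's "grep the log for a second IP in the same session" and Dave's private-address point concrete, here is an added example; it is not code from the thread or from EZproxy. It groups constructed, tab-separated log lines by session and gives each session that hit BlockCountryChange one of four verdicts. The session ID, IP, event names and "Other" text of the first session are reused from Jamen's post; the other two sessions, the "Request" event, the usernames and the RFC 5737 documentation addresses (192.0.2.x, 198.51.100.x, standing in for public client IPs) are constructed for the example.

```python
"""Triage constructed EZproxy-style log lines for BlockCountryChange events.

Added example, not EZproxy code.  For every session that tripped
BlockCountryChange it answers the two questions raised in the thread:
  - Chris Manly: did the session show up from more than one client IP?
  - Dave Hoover: was any of those IPs RFC 1918 private space, which no GeoIP
    database can place in a country, so the "country change" is a geolocation
    gap rather than a real move?
"""
import ipaddress
from collections import defaultdict

# RFC 1918 private ranges: addresses here carry no country in any GeoIP data.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Column order follows the audit display in the original post.
FIELDS = ("time", "event", "ip", "location", "username", "session", "other")

# Constructed sample log (tab-separated).  The first session reproduces the
# values from the post; the other two sessions, the "Request" event, the
# usernames and the RFC 5737 documentation addresses are invented.
SAMPLE_LOG = "\n".join("\t".join(row) for row in [
    ("13:34:06", "Login.Success", "10.66.215.97", "US TN Vanderbilt", "auto-10.66.215.97", "WmdxPAk0MErxTXb", "Groups Default AllAlumni"),
    ("13:34:09", "BlockCountryChange", "10.66.215.97", "US TN Vanderbilt", "auto", "WmdxPAk0MErxTXb", "Session country CN"),
    ("14:02:11", "Login.Success", "192.0.2.10", "US", "jdoe", "Qq7zExampleSess", "Groups Default"),
    ("14:02:40", "Request", "198.51.100.7", "CN", "jdoe", "Qq7zExampleSess", "-"),
    ("14:02:41", "BlockCountryChange", "198.51.100.7", "CN", "jdoe", "Qq7zExampleSess", "Session country US"),
    ("14:10:00", "Login.Success", "192.0.2.55", "US", "dept-user", "Mix3ExampleSess", "Groups Default"),
    ("14:10:05", "Request", "10.0.0.2", "-", "dept-user", "Mix3ExampleSess", "-"),
    ("14:10:06", "BlockCountryChange", "10.0.0.2", "-", "dept-user", "Mix3ExampleSess", "Session country US"),
])


def parse(text):
    """Split tab-separated lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) == len(FIELDS):
            records.append(dict(zip(FIELDS, parts)))
    return records


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def triage(records):
    """Return {session: {"ips": [...], "verdict": code}} for every session that
    hit BlockCountryChange.  IPs are listed in order of first appearance."""
    by_session = defaultdict(list)
    for rec in records:
        by_session[rec["session"]].append(rec)

    verdicts = {}
    for session, recs in by_session.items():
        if not any(r["event"] == "BlockCountryChange" for r in recs):
            continue
        ips = []
        for r in recs:
            if r["ip"] not in ips:
                ips.append(r["ip"])
        private = [ip for ip in ips if is_rfc1918(ip)]
        if private and len(ips) == 1:
            verdict = "private-only"         # Jamen's case: nothing to geolocate
        elif private:
            verdict = "public-private-mix"   # Dave's case: VPN/split routing, verify locally
        elif len(ips) > 1:
            verdict = "multiple-public-ips"  # Chris's case: two public IPs, review the account
        else:
            verdict = "single-public-ip"     # one public IP yet a block: check GeoIP coverage
        verdicts[session] = {"ips": ips, "verdict": verdict}
    return verdicts


if __name__ == "__main__":
    for session, info in triage(parse(SAMPLE_LOG)).items():
        print(f"{session}: {info['verdict']:20s} ips={', '.join(info['ips'])}")
```

Run as a script it prints one verdict per session: Jamen's session comes out "private-only", because the only address EZproxy saw is 10.x and there is no country to compare against; "multiple-public-ips" is the pattern Chris says to follow up on, and "public-private-mix" is the department-behind-a-private-address situation Dave describes.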

Brian A Helstien
2014-10-03 19:01:56 UTC
Chris,
THE problem with the BlockCountryChange is that we are using an unlicensed "lite" version of the GeoIP database. It is missing a large number of IP addresses. Thus if one of my patrons starts a session in/on one of the libraries' wireless, they're in US CA Los Angeles. If they close the laptop, and go back to their apartment across the street, open it and attempt to use a local, private wireless (like AT&T), they're kicked out by the BlockCountryChange.
Because of that I've added the following into my config file preceding the Location -file statement. This has prevented a number of patrons from being kicked out during a "session" and tells me only what local ISP they're using. There are still other ISPs unmapped which will throw a BCC error, but frankly there are too many "small" vendors to get all of them. If one wanted to verify that all the Time Warner in the 23.240 through 23.243 ranges were in Southern California, I could put in something like US/CA/SoCalTW but it just isn't really worth my time to go quite that far.

## Time Warner
Location 23.240.0.0-23.243.255.255 US//TW
Location 50.113.0.0-50.113.255.255 US//TW
Location 104.32.0.0-104.35.255.255 US//TW
Location 107.184.0.0-107.185.255.255 US//TW
Location 142.129.0.0-142.129.255.255 US//TW
Location 142.136.0.0-142.136.255.255 US//TW
Location 142.138.0.0-142.139.255.255 US//TW
Location 172.248.0.0-172.251.255.255 US//TW

## AT&T
Location 23.112.0.0-23.118.255.255 US//ATT
Location 23.122.0.0-23.127.255.255 US//ATT
Location 76.220.0.0-76.220.255.255 US//ATT
Location 99.45.0.0-99.49.255.255 US//ATT
Location 104.0.0.0-104.15.255.255 US//ATT
Location 104.48.0.0-104.63.255.255 US//ATT
Location 107.128.0.0-107.143.255.255 US//ATT
Location 107.192.0.0-107.225.255.255 US//ATT
Location 108.245.0.0-108.255.255.255 US//ATT
Location 162.192.0.0-162.207.255.255 US//ATT
Location 162.224.0.0-162.239.255.255 US//ATT
Location 172.1.0.0-172.15.255.255 US//ATT

##Road Runner
Location 198.2.32.0-198.2.49.255 US//RR

##T-Mobile
Location 172.49.0.0-172.63.255.255 US//TM

Location -File=GeoLiteCity.dat.gz

Brian A. Helstien, SISD, MLS,
Director, Special Technologies Initiatives,
Library IT, University Libraries, x06913
University of Southern California, (213) 740-6913
Los Angeles, California, 90089 ***@usc.edu<mailto:***@usc.edu>
Information is independent of media or format
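A hand-maintained list of Location overrides like Brian's grows over time and is easy to get wrong. The following is an added example, not code from the thread or from EZproxy, that parses "Location start-end label" lines, reports a range whose start is after its end, reports overrides that overlap one another, and flags any override that reaches into RFC 1918 private space (where a country label is meaningless, as Dave points out). It also resolves an address against the list in file order; that first-match order is an assumption of this example, so check EZproxy's documentation for how it actually orders Location lines. A subset of Brian's ranges is reused; the two US//EXAMPLE* lines are constructed mistakes added so the checks have something to report.

```python
"""Lint hand-maintained EZproxy "Location start-end label" overrides.

Added example, not EZproxy code.  Checks each explicit range is well formed,
reports overrides that overlap one another, flags any that reach into RFC 1918
private space, and resolves an IP against the list in file order (an assumed
first-match rule for this example only).
"""
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# "Location a.b.c.d-e.f.g.h LABEL"; comments and "Location -File=..." do not match.
LOCATION_RE = re.compile(
    r"^\s*Location\s+(\d{1,3}(?:\.\d{1,3}){3})-(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s*$")

# Subset of Brian's ranges from the post, plus two constructed bad lines
# (US//EXAMPLE1 overlaps private space, US//EXAMPLE2 overlaps the TW range).
SAMPLE_CONFIG = """\
## Time Warner (from the post)
Location 23.240.0.0-23.243.255.255 US//TW
Location 50.113.0.0-50.113.255.255 US//TW
Location 104.32.0.0-104.35.255.255 US//TW
Location 172.248.0.0-172.251.255.255 US//TW
## AT&T (from the post)
Location 23.112.0.0-23.118.255.255 US//ATT
Location 172.1.0.0-172.15.255.255 US//ATT
## T-Mobile (from the post)
Location 172.49.0.0-172.63.255.255 US//TM
## constructed mistakes, not from the post
Location 172.20.0.0-172.20.255.255 US//EXAMPLE1
Location 23.243.0.0-23.244.255.255 US//EXAMPLE2
Location -File=GeoLiteCity.dat.gz
"""


def parse_locations(config_text):
    """Return [(start, end, label, lineno)] for every explicit range line."""
    ranges = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = LOCATION_RE.match(line)
        if m:
            ranges.append((ipaddress.ip_address(m.group(1)),
                           ipaddress.ip_address(m.group(2)),
                           m.group(3), lineno))
    return ranges


def lint_locations(ranges):
    """Return a list of problem strings; an empty list means the overrides look sane."""
    problems = []
    for start, end, label, lineno in ranges:
        if start > end:
            problems.append(f"line {lineno}: {label} start {start} is after end {end}")
        for net in RFC1918:
            if start <= net.broadcast_address and end >= net.network_address:
                problems.append(f"line {lineno}: {label} {start}-{end} overlaps private {net}")
    # Sweep in address order, carrying the furthest end seen so far, so an
    # override that spans several others is still caught.
    reach = None  # (furthest end, its label, its line)
    for start, end, label, lineno in sorted(ranges, key=lambda r: r[0]):
        if reach is not None and start <= reach[0]:
            problems.append(f"line {lineno}: {label} overlaps {reach[1]} (line {reach[2]})")
        if reach is None or end > reach[0]:
            reach = (end, label, lineno)
    return problems


def lookup(ranges, ip):
    """Label of the first override (file order) containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for start, end, label, _ in ranges:
        if start <= addr <= end:
            return label
    return None


if __name__ == "__main__":
    rngs = parse_locations(SAMPLE_CONFIG)
    for problem in lint_locations(rngs):
        print("PROBLEM:", problem)
    print("23.241.5.5 ->", lookup(rngs, "23.241.5.5"))
```

On the sample it reports exactly the two constructed mistakes and nothing about Brian's own ranges: none of them overlap each other, and the 172.1-172.15 and 172.49-172.63 blocks sit on either side of 172.16.0.0/12 without touching it.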
