Hi,

I defined a log file in the self-service-password config, but nothing is logged there. I will check the apache2 log files.

However, because the mail token works, I completely disabled ?action=change. For that purpose I introduced a new line $use_change = false; in the config file and adjusted one line in index.php, where the allowed actions are stored in an array variable. By default the action array is now empty rather than containing change. This does the trick. However, one could still do a brute-force attack to guess usernames and emails. But that would be recognized by the user.

Should I post a diff patch for the files? I'm not familiar with PHP, just copied and pasted ;)

Regards,
Henning

On 03.12.2012 10:03, Clément OUDOT wrote:
> 2012/12/2 Ramesh Kumar <[email protected]>:
>> I would say you made a good point here Henne. I thought about that, but as I
>> was using ssp in a private network, so I did not bother much.
>>
>> Thanks
>> Ramesh
>>
>> On Dec 2, 2012, at 10:27 PM, Henne Holly wrote:
>>
>>> Hi,
>>>
>>> I wonder if self-service-password logs if users try to change their
>>> passwords? It logs if a token is sent by email, but I cannot see direct
>>> password changes. This would be very important, because people could do
>>> brute force attacks without being taken down.
>
> Hi,
>
> there is a log if the change fails (wrong old password or bad quality
> new password). There is no log when the password change succeeds, but this
> is not required to block brute force attacks.
>
> Logs are in the Apache error log.
>
>
> Clément.

_______________________________________________
ltb-users mailing list
[email protected]
http://lists.ltb-project.org/listinfo/ltb-users
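The thread's concern is spotting brute-force password-change attempts from the failure lines that Clément says end up in the Apache error log. The detector below is an added example, not code from the self-service-password project; the Apache 2.2 error-log layout and the exact wording of the failure message are assumptions, so adjust the two regexes to what your instance actually writes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ASSUMED Apache 2.2 error-log layout and failure wording; adapt both regexes.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] "
                     r"\[client (?P<ip>[\d.]+)\] (?P<msg>.*)$")
FAIL_RE = re.compile(r"password change failed for user (?P<user>[^\s:]+)", re.I)

# Constructed sample lines, not real log output.
SAMPLE_LOG = """\
[Mon Dec 03 10:03:01 2012] [error] [client 192.0.2.10] Password change failed for user jdoe: wrong old password
[Mon Dec 03 10:03:04 2012] [error] [client 192.0.2.10] Password change failed for user jdoe: wrong old password
[Mon Dec 03 10:03:09 2012] [error] [client 192.0.2.10] Password change failed for user jdoe: wrong old password
[Mon Dec 03 10:05:00 2012] [error] [client 198.51.100.7] Password change failed for user asmith: bad quality new password
[Mon Dec 03 10:05:30 2012] [notice] [client 198.51.100.7] Token sent by mail to user asmith
[Mon Dec 03 10:06:00 2012] [error] [client 192.0.2.10] PHP Warning: something unrelated
""".splitlines()


def parse_failures(lines):
    """Yield (timestamp, client_ip, user) for every failed change attempt."""
    for line in lines:
        m = LINE_RE.match(line)
        f = FAIL_RE.search(m.group("msg")) if m else None
        if not f:
            continue  # not an error-log line, or not a failed change
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        yield ts, m.group("ip"), f.group("user")


def find_bruteforce(lines, threshold=3, window=timedelta(minutes=5)):
    """Return {(client_ip, user): max failures seen inside one window}
    for every pair that reaches `threshold` failures within `window`."""
    events = defaultdict(list)
    for ts, ip, user in parse_failures(lines):
        events[(ip, user)].append(ts)
    flagged = {}
    for key, times in events.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            hits = end - start + 1
            if hits >= threshold:
                flagged[key] = max(flagged.get(key, 0), hits)
    return flagged


if __name__ == "__main__":
    for (ip, user), n in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip} -> {user}: {n} failed changes within 5 minutes")
```

Because successful changes are not logged, this only sees the failures; a burst of failures followed by silence for the same user is the pattern worth alerting on.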
