Account Deactivation
The Convention Master system has an advanced protection system that prevents people from hacking into the staff area of the Convention Master software.
- Bruteforce Protection - The first part of the system that prevents hacking attempts on the reg system is the bruteforce protection system. Each unsuccessful attempt to decrypt something (like an AUP form) and each unsuccessful login attempt puts a record in the bruteforce protection system. This record is linked to the IP address of the attacker. If the IP address has too many failures, the system will mark every following attempt from that address as unsuccessful.
- How are bruteforce protections cleared? - When someone successfully decrypts an AUP or successfully logs into the console from another IP address, the bruteforce protection system clears any lockouts that are more than three hours old (measured from the last attempt the locked-out IP address made).
- Bans can remain much longer than three hours - Because the system only clears old lockouts when someone successfully logs in or decrypts something, a bruteforce lockout can remain for significantly longer (until an authorized user logs in) if there is only a limited amount of activity in your CM software. This adds protection because an attacker cannot predict when the bruteforce lockout will be cleared.
- A user was 'deactivated' or 'locked out' and my account got deactivated when I tried to reset theirs - This can happen because the bruteforce protection system protects the CM server by IP address. It most commonly happens when both users are accessing the server from the same (external) IP address.
- Does this happen at the event? - No. The system does not apply bruteforce protection if the CM server is on the same IP subnet as the incoming request, so this protection is essentially deactivated at the event.
- Can I manually clear bruteforce lockouts? - Yes, and here is how. (Do this before re-enabling any locked-out accounts.)
- Log into your convention master installation as a user with the correct permissions
- Click on the Admin - Users menu.
- Click on the Clear bruteforce menu item.
- Click the button labeled Clear all IP's from the bruteforce protection system!
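
The lockout rules described above, modelled as an added example (this is not Convention Master's own code). The threshold of 5 failures, the 192.168.10.0/24 server subnet, the class and method names, and counting attempts made while locked as "last attempts" are assumptions; the page states only "too many failures" and the three-hour age.

```python
import ipaddress

MAX_FAILURES = 5            # assumed threshold; the page only says "too many failures"
CLEAR_AFTER = 3 * 3600      # three hours, measured from the IP's last attempt
SERVER_NET = ipaddress.ip_network("192.168.10.0/24")  # constructed on-site subnet


class BruteforceGuard:
    """Hypothetical model of the per-IP lockout rules described above."""

    def __init__(self):
        self.records = {}   # ip -> [failure_count, time_of_last_attempt]

    def _exempt(self, ip):
        # Requests from the server's own subnet are never tracked (at-event use).
        return ipaddress.ip_address(ip) in SERVER_NET

    def is_locked(self, ip):
        rec = self.records.get(ip)
        return not self._exempt(ip) and rec is not None and rec[0] >= MAX_FAILURES

    def attempt(self, ip, credentials_ok, now):
        """Return True if the login/decrypt attempt is accepted."""
        if self._exempt(ip):
            return credentials_ok
        if self.is_locked(ip):
            self.records[ip][1] = now      # assumption: locked attempts reset the clock
            return False                   # rejected even with valid credentials
        if not credentials_ok:
            rec = self.records.setdefault(ip, [0, now])
            rec[0] += 1
            rec[1] = now
            return False
        # Success: lazily clear other IPs' lockouts older than three hours.
        for other in list(self.records):
            if (other != ip and self.is_locked(other)
                    and now - self.records[other][1] > CLEAR_AFTER):
                del self.records[other]
        return True

    def clear_all(self):
        # Equivalent of the manual "Clear bruteforce" admin action.
        self.records.clear()
```

Because clearing only runs inside a successful attempt, a lockout stays in place through any quiet period, and every user behind the same external address is rejected until it is cleared.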