Administrator account keeps getting deactivated on self-hosted install

Hi all,

I’ve been running a self-hosted Gitlab install for a few months with no issues. I’m on the Cloudflare Pro plan and I’m using the WAF, Spectrum and have UFW restricted to Cloudflare’s IPs. Also 2FA is enforced for all my users.

I just received this email from my instance regarding the default Administrator (root) account:

Hello Administrator,

Your account has been deactivated. You will not be able to:

  • Access Git repositories or the API.
  • Receive any notifications from GitLab.
  • Use slash commands.

To reactivate your account, sign in to GitLab.

Please contact your GitLab administrator if you think this is an error.

I logged in as my normal user (also an admin) and everything seems to be ok. But I can confirm that the root user has been deactivated. I’m the only admin so I have no idea how it happened.

Is the default root account automatically deactivated after a certain amount of time? Or has there been some kind of security breach that I can’t see?

PS. I’m pretty careful about keeping Gitlab updated. I think I was on 15.4.1 (I updated after the last security patch announcement). I just updated again, so I’m on 15.5 now.

Update: I just reactivated the account and a few minutes later it was “automatically” deactivated again. No idea what’s going on…

Sounds like someone is trying to break into your server using the root account. Since your user has admin privileges, it doesn’t matter. The root account can always be enabled later, even from the rails console.

In my case I thought the token was of ‘Administrator’ but it turned out it was of another user, and that one really got deactivated (as it was not in use for a while).
Once I realized the actual user that was trying to access the server, I just activated it…