Hello, I am using GitLab Enterprise Edition. I have entered the administrator configuration and deactivated the registration form, but when I enter it by URL I can still see the form. I would like to deactivate it completely so that the registration form is not displayed. Does someone know how to do it?
To completely disable the ability for new users to sign up for an account using the registration form, you’ll want to Disable New User Sign Ups.
To disable sign ups:
- On the top bar, select Menu > Admin.
- In the left sidebar, select Settings > General, and expand Sign-up restrictions.
- Clear the Sign-up enabled checkbox, then select Save changes.
Can you try this out and verify whether it resolves the problem?
I have already done that, and I can still view the form if I enter through the URL.
On mine the form is still visible also if I actually put gitlab.mydomain.com/users/sign_up, but it doesn’t matter since sign-up has been disabled. So nothing happens when the form is completed. No users can be registered, it just redirects to login on submission.
There is no option in the admin settings to completely disable/block the sign_up url, nor in the gitlab.rb file.
The registration form presents a vulnerability: in the username field you can discover which users are registered on the GitLab platform. Once you have the entire list of users registered on the platform, a brute force attack could be carried out on the login, and with that an attacker could get the passwords of each user.
At the following link you can find more details of the vulnerability: GitLab Community Edition (CE) 13.10.3 - 'Sign_Up' User Enumeration - Ruby webapps Exploit
Then your best bet is to open an issue here: Issues · GitLab.org / GitLab · GitLab. Just posting here won’t be enough for it to get resolved, if that is the case, since devs need an issue to work on to implement the ability to disable the page completely.
There are also ways to mitigate such problems. Fail2ban can assist in blocking failed login attempts. See here: Fail2ban filter for gitlab. Tested with gitlab version 8.13 and fail2ban version 0.9.4 · GitHub and here: Fail2ban not blocking gitlab attacks - #7 by iwalker
You can also use 2FA, which I also use, which further reduces the likelihood of a brute force. No 2FA, no possibility to login.
And even if it were possible to disable the registration form, you still have the login page accessible anyway, and it is easier to brute force this page than the registration one. Hence, fail2ban and 2FA are far better options.
And even more secure: restrict access to your server entirely to your internal IP addresses only, or restrict it to certain remote IPs when people are at home etc. Not ideal, especially if they don’t have a static IP, but another possibility for the extreme.
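As an added illustration of the fail2ban-style mitigation described above (example code written for this thread, not code from GitLab, from fail2ban or from any poster), the following Python script applies the same logic a fail2ban filter and jail would: it scans log lines for failed-login events, counts them per source IP inside a sliding time window (fail2ban's findtime/maxretry) and reports the addresses that cross the threshold. The log-line format, threshold and window are assumptions chosen to resemble GitLab's application.log "Failed Login" entries; check the regex against your own log before reusing it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format, modelled on GitLab's application.log failed-login entries
# (e.g. "<ISO timestamp>: Failed Login: username=<user> ip=<addr>").
# Verify it against your own log before relying on this regex.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\S+): Failed Login: username=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

def parse_failed_logins(lines):
    """Yield (timestamp, username, ip) for every failed-login line; skip the rest."""
    for line in lines:
        m = FAILED_LOGIN.match(line.strip())
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            yield ts, m["user"], m["ip"]

def find_brute_force(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """Return {ip: time_threshold_reached} for IPs with >= maxretry failures
    inside any findtime window, mirroring fail2ban's maxretry/findtime settings."""
    window = defaultdict(deque)   # per-IP timestamps still inside the window
    banned = {}
    for ts, _user, ip in sorted(parse_failed_logins(lines)):  # order by time
        q = window[ip]
        q.append(ts)
        while q and ts - q[0] > findtime:   # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry and ip not in banned:
            banned[ip] = ts
    return banned

# Constructed sample log: one address cycling through usernames quickly
# (the enumerate-then-guess pattern discussed above), another with a single failure.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z: Failed Login: username=alice ip=203.0.113.5
2024-05-01T10:00:03Z: Failed Login: username=bob ip=203.0.113.5
2024-05-01T10:00:04Z: Failed Login: username=carol ip=203.0.113.5
2024-05-01T10:00:06Z: Failed Login: username=dave ip=203.0.113.5
2024-05-01T10:00:09Z: Failed Login: username=erin ip=203.0.113.5
2024-05-01T10:02:30Z: Failed Login: username=alice ip=198.51.100.7
2024-05-01T10:31:00Z: Failed Login: username=frank ip=203.0.113.5
""".splitlines()

if __name__ == "__main__":
    for ip, when in find_brute_force(SAMPLE_LOG).items():
        print(f"ban {ip}: threshold reached at {when.isoformat()}")
```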