With our self-hosted GitLab deployment we have noticed some suspicious login attempts which used user accounts that didn't have easily guessable usernames or email addresses. While 2FA is required on our GitLab, so an unauthenticated login would be very unlikely, it did make me wonder whether this was somehow a more targeted attack. So, searching through the access log, I noticed that a while before, this IP had used the search function to enumerate all existing users in the GitLab, à la:
Then this IP proceeded to search through the remainder of the search space, à la “search=aac”, etcetera until “
This would make all usernames and accompanying account names visible to the culprit. I have been searching for a bit to see if there is a configuration option to prevent this enumeration of user accounts, but was not able to find one.
So, some questions: did others also notice this type of attack, and has anyone been able to successfully prevent user account enumeration, for example by making search available only to authenticated users?
(edit: fixing typo and some formatting)
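The pattern described in the post (one IP walking short `search=` prefixes in sequence) is easy to spot in an access log once you look for it. Below is an added detection example, not code from the original post or from GitLab: it parses constructed sample log lines in a generic combined access-log shape (the real GitLab/nginx format may differ), assumes the search endpoint lives at `/search` with the `search` query parameter the post mentions, and flags any client that issues many distinct short search terms within a time window. Thresholds, IPs and timestamps are placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in combined access-log shape (not real GitLab output).
# 203.0.113.7 walks short prefixes; 198.51.100.20 performs ordinary searches.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /search?search=aaa HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /search?search=aab HTTP/1.1" 200 5102
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "GET /search?search=aac HTTP/1.1" 200 5088
203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "GET /search?search=aad HTTP/1.1" 200 5090
203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "GET /search?search=aae HTTP/1.1" 200 5101
203.0.113.7 - - [10/Mar/2024:10:00:06 +0000] "GET /search?search=aaf HTTP/1.1" 200 5077
198.51.100.20 - - [10/Mar/2024:10:00:07 +0000] "GET /search?search=deploy+script HTTP/1.1" 200 8123
198.51.100.20 - - [10/Mar/2024:10:05:00 +0000] "GET /search?search=kubernetes HTTP/1.1" 200 7012
203.0.113.7 - - [10/Mar/2024:10:00:07 +0000] "GET /users/sign_in HTTP/1.1" 200 3011
"""

# Combined log format: client ip, ident, user, [timestamp], "request", status, size.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def extract_search_term(path):
    """Return the 'search' query value for requests to the assumed /search endpoint."""
    parsed = urlparse(path)
    if not parsed.path.startswith("/search"):
        return None
    values = parse_qs(parsed.query).get("search")
    return values[0] if values else None


def find_enumeration(log_text, window_seconds=60, min_probes=5, max_term_len=4):
    """Flag each IP that issues at least `min_probes` distinct short search terms
    (length <= max_term_len) inside any `window_seconds` window. Short, rapidly
    changing terms are the signature of prefix walking rather than real searching."""
    probes = defaultdict(list)  # ip -> [(timestamp, term)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        term = extract_search_term(rec["path"])
        if term is None or len(term) > max_term_len:
            continue
        probes[rec["ip"]].append((rec["ts"], term))

    window = timedelta(seconds=window_seconds)
    findings = []
    for ip, events in probes.items():
        events.sort()
        best = None
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most window_seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            terms = {t for _, t in events[start:end + 1]}
            if len(terms) >= min_probes and (best is None or len(terms) > best["distinct_terms"]):
                best = {
                    "ip": ip,
                    "distinct_terms": len(terms),
                    "first": events[start][0],
                    "last": events[end][0],
                    "terms": sorted(terms),
                }
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in find_enumeration(SAMPLE_LOG):
        print(f"{f['ip']}: {f['distinct_terms']} short search probes "
              f"between {f['first'].isoformat()} and {f['last'].isoformat()}: {f['terms']}")
```

Run it against your own log by passing the file contents to `find_enumeration`; the IP that walked the prefixes is reported with the window and the terms it tried, while the ordinary full-word searches from the second client fall under the threshold. Tune `max_term_len` and `min_probes` to your instance's normal search traffic before alerting on the result.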