Hello!
We are running self-managed omnibus GitLab instance v14.1.7 and we are getting “attacked” by bots.
I have found that even users who are not logged in can perform searches, figure out usernames and try to brute force.
https://gitlab.example.com/search?group_id=&project_id=&repository_ref=&scope=users&search=aaa&snippets=false
The link above shows the way you can make queries and since 3 letters are required to get a result of the matching users people need ~17k requests to get all of the users dumped. Here’s a screenshot:
We’re currently auto-banning IPs that make multiple login failures with fail2ban, but is there a way to remove access for non-logged-in users whatsoever?
Thanks in advance.
1 Like
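The enumeration pattern described in the post (one client walking through three-letter `search=` values against `/search?scope=users`) shows up clearly in the nginx access log that omnibus GitLab writes to `/var/log/gitlab/nginx/gitlab_access.log`. The following is an added example, not code from the thread or from GitLab: it parses combined-format lines, counts distinct user-search terms per client IP, and also carries the kind of fail2ban `failregex` that would feed the IP bans the poster already runs. The log lines are constructed sample data; the filter name, `maxretry` and `findtime` values mentioned below are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in nginx "combined" format, as omnibus GitLab writes
# to /var/log/gitlab/nginx/gitlab_access.log. IPs and search terms are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2021:10:00:01 +0000] "GET /search?group_id=&project_id=&repository_ref=&scope=users&search=aaa&snippets=false HTTP/1.1" 200 5123 "-" "python-requests/2.26"
203.0.113.7 - - [10/Nov/2021:10:00:02 +0000] "GET /search?scope=users&search=aab&snippets=false HTTP/1.1" 200 5123 "-" "python-requests/2.26"
203.0.113.7 - - [10/Nov/2021:10:00:02 +0000] "GET /search?scope=users&search=aac&snippets=false HTTP/1.1" 200 5123 "-" "python-requests/2.26"
203.0.113.7 - - [10/Nov/2021:10:00:03 +0000] "GET /search?scope=users&search=aad&snippets=false HTTP/1.1" 200 5123 "-" "python-requests/2.26"
198.51.100.9 - - [10/Nov/2021:10:00:05 +0000] "GET /search?scope=projects&search=deploy HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Nov/2021:10:00:09 +0000] "GET /search?scope=users&search=alice HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2021:10:00:03 +0000] "GET /search?scope=users&search=aad&snippets=false HTTP/1.1" 200 5123 "-" "python-requests/2.26"
"""

# Fields of the combined log format we need: client IP, request target, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Hypothetical fail2ban filter (e.g. /etc/fail2ban/filter.d/gitlab-usersearch.conf).
# fail2ban expands <HOST> itself; the jail would pair this with a generous
# maxretry (assumed: 50 in findtime 10m) so that a handful of legitimate
# people-searches by a real user never trips it.
FAILREGEX = r'^<HOST> - - \[[^\]]*\] "GET /search\?[^"]*scope=users[^"]*" 200'


def parse_line(line):
    """Split one combined-format access log line into its fields, or None if malformed."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def user_search_term(target):
    """Return the search term if the request is a users-scope search on /search, else None."""
    url = urlparse(target)
    if url.path != "/search":
        return None
    qs = parse_qs(url.query)
    if qs.get("scope", [""])[0] != "users":
        return None
    return qs.get("search", [""])[0]


def find_enumerators(log_text, threshold=3):
    """Map each client IP to the sorted list of distinct user-search terms it
    requested successfully; keep only IPs at or above `threshold` distinct terms.
    Distinct terms (not raw hits) are counted, so one user retrying the same
    name does not look like enumeration."""
    terms_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != "200":
            continue
        term = user_search_term(rec["target"])
        if term:
            terms_by_ip[rec["ip"]].add(term)
    return {ip: sorted(t) for ip, t in terms_by_ip.items() if len(t) >= threshold}


def failregex_matches(line):
    """Apply FAILREGEX the way fail2ban would, with <HOST> expanded to an IPv4 pattern."""
    pattern = FAILREGEX.replace("<HOST>", r"(?:\d{1,3}\.){3}\d{1,3}")
    return re.match(pattern, line) is not None


if __name__ == "__main__":
    for ip, terms in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {len(terms)} distinct user-search terms, e.g. {terms[:3]}")
```

The access log cannot tell an anonymous request from an authenticated one, so the rule is a rate signal rather than proof of abuse; once public visibility is restricted (as the accepted answer below describes), anonymous clients never reach the 200 response this filter keys on, and the rule then only fires for logged-in accounts scraping the directory.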
I think you need to look in your settings. I amended the URL you provided above, placing my domain name, and whilst the search option is there, zero results are provided, even when I know exactly what I am searching for. So you must have something enabled in your settings for your GitLab install that is causing this.
In particular this:
Set restricted visibility levels → Public enabled so that only logged-in users can see stuff. This is under General → Visibility and Access Controls.
1 Like
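The same setting can be applied without clicking through the admin area, via GitLab's application settings API, and then checked by requesting the exact search URL from the first post as an anonymous client. The script below is an added example, not code from the thread or from GitLab. It assumes an admin personal access token with the `api` scope in `GITLAB_ADMIN_TOKEN`, the instance URL in `GITLAB_URL`, and that a GitLab instance with public visibility restricted answers an anonymous visit to `/search` with a redirect to its sign-in page (the gating check also accepts 401/403).

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# Assumed environment (not from the thread): instance URL and an admin token.
GITLAB_URL = os.environ.get("GITLAB_URL", "https://gitlab.example.com")
ADMIN_TOKEN = os.environ.get("GITLAB_ADMIN_TOKEN", "")

# The anonymous user-search URL quoted in the first post.
SEARCH_PATH = "/search?group_id=&project_id=&repository_ref=&scope=users&search=aaa&snippets=false"


def public_is_restricted(settings):
    """True when "public" is listed in restricted_visibility_levels of an
    /api/v4/application/settings response, i.e. anonymous users see nothing."""
    return "public" in (settings.get("restricted_visibility_levels") or [])


def search_is_gated(status, location):
    """Interpret an anonymous response to the search page. Assumption: a
    hardened instance redirects to the sign-in page; 401/403 also count as gated.
    A plain 200 means the user directory is still exposed."""
    if status in (401, 403):
        return True
    return status in (301, 302, 303, 307) and "sign_in" in (location or "")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Do not follow redirects: the 302 itself is what we want to inspect.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_status(url):
    """Anonymous GET returning (status, Location header) without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(url, timeout=15) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location")


def restrict_public_level(base_url, token):
    """PUT restricted_visibility_levels[]=public to the application settings API
    and return the updated settings JSON."""
    query = urllib.parse.urlencode([("restricted_visibility_levels[]", "public")])
    req = urllib.request.Request(
        f"{base_url}/api/v4/application/settings?{query}",
        method="PUT",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


if __name__ == "__main__":
    settings = restrict_public_level(GITLAB_URL, ADMIN_TOKEN)
    print("public visibility restricted:", public_is_restricted(settings))
    status, location = fetch_status(GITLAB_URL + SEARCH_PATH)
    print("anonymous user search gated:", search_is_gated(status, location), status, location)
```

Restricting the Public level is instance-wide: it also stops anonymous visitors from seeing public projects, groups and snippets, which is what the poster wanted, but worth confirming before applying it on an instance that intentionally publishes anything.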
Thanks this was exactly the case!
1 Like