
My Gitea instance is being brute-forced just as I write this text:

```
gitea | Invalid user yinsen from 94.23.30.184 port 55154
gitea | Connection closed by invalid user yinsen 94.23.30.184 port 55154 [preauth]
gitea | Invalid user zhaoyy from 94.23.30.184 port 42294
gitea | Connection closed by invalid user zhaoyy 94.23.30.184 port 42294 [preauth]
gitea | Invalid user yangtingy from 94.23.30.184 port 57666
gitea | Connection closed by invalid user yangtingy 94.23.30.184 port 57666 [preauth]
gitea | Invalid user haoxiaoshuai from 94.23.30.184 port 44806
gitea | Connection closed by invalid user haoxiaoshuai 94.23.30.184 port 44806 [preauth]
gitea | Invalid user adminuser from 94.23.30.184 port 60178
gitea | Connection closed by invalid user adminuser 94.23.30.184 port 60178 [preauth]
gitea | Invalid user adminuser from 94.23.30.184 port 47320
gitea | Connection closed by invalid user adminuser 94.23.30.184 port 47320 [preauth]
gitea | Invalid user wangjue from 94.23.30.184 port 34458
gitea | Connection closed by invalid user wangjue 94.23.30.184 port 34458 [preauth]
gitea | Invalid user jmms from 94.23.30.184 port 49830
gitea | Connection closed by invalid user jmms 94.23.30.184 port 49830 [preauth]
gitea | Invalid user user42 from 94.23.30.184 port 36970
gitea | Connection closed by invalid user user42 94.23.30.184 port 36970 [preauth]
gitea | Invalid user huwanfeng from 94.23.30.184 port 52340
gitea | Connection closed by invalid user huwanfeng 94.23.30.184 port 52340 [preauth]
gitea | Invalid user lidongbo from 94.23.30.184 port 39480
gitea | Connection closed by invalid user lidongbo 94.23.30.184 port 39480 [preauth]
gitea | Invalid user market from 94.23.30.184 port 54852
gitea | Connection closed by invalid user market 94.23.30.184 port 54852 [preauth]
gitea | 2023/04/10 10:05:18 [6433c33e] router: completed GET /robots.txt for 172.24.0.37:59646, 200 OK in 0.3ms @ web/web.go:162(web.Routes)
gitea | Invalid user ldbc from 94.23.30.184 port 41992
gitea | Connection closed by invalid user ldbc 94.23.30.184 port 41992 [preauth]
gitea | Invalid user lsp from 94.23.30.184 port 57364
gitea | Connection closed by invalid user lsp 94.23.30.184 port 57364 [preauth]
gitea | Invalid user lihan from 94.23.30.184 port 44504
gitea | Connection closed by invalid user lihan 94.23.30.184 port 44504 [preauth]
gitea | Invalid user xingxiaoyang from 94.23.30.184 port 59876
gitea | Connection closed by invalid user xingxiaoyang 94.23.30.184 port 59876 [preauth]
gitea | Invalid user kishida from 94.23.30.184 port 47016
gitea | Connection closed by invalid user kishida 94.23.30.184 port 47016 [preauth]
gitea | Invalid user lrj from 94.23.30.184 port 34156
gitea | Connection closed by invalid user lrj 94.23.30.184 port 34156 [preauth]
gitea | Invalid user mgr from 94.23.30.184 port 49528
gitea | Connection closed by invalid user mgr 94.23.30.184 port 49528 [preauth]
gitea | Invalid user xiaojiwei from 94.23.30.184 port 36668
gitea | Connection closed by invalid user xiaojiwei 94.23.30.184 port 36668 [preauth]
gitea | Invalid user tim from 94.23.30.184 port 52040
gitea | Connection closed by invalid user tim 94.23.30.184 port 52040 [preauth]
gitea | Invalid user wxccvt from 94.23.30.184 port 39180
gitea | Connection closed by invalid user wxccvt 94.23.30.184 port 39180 [preauth]
gitea | Invalid user wangyanzhao from 94.23.30.184 port 54552
gitea | Connection closed by invalid user wangyanzhao 94.23.30.184 port 54552 [preauth]
gitea | Invalid user huangxuanxuan from 94.23.30.184 port 41692
gitea | Connection closed by invalid user huangxuanxuan 94.23.30.184 port 41692 [preauth]
gitea | Invalid user centos from 94.23.30.184 port 57064
gitea | Connection closed by invalid user centos 94.23.30.184 port 57064 [preauth]
gitea | Invalid user gvtiib from 94.23.30.184 port 44204
gitea | Connection closed by invalid user gvtiib 94.23.30.184 port 44204 [preauth]
gitea | Invalid user keras from 94.23.30.184 port 59576
gitea | Connection closed by invalid user keras 94.23.30.184 port 59576 [preauth]
gitea | Invalid user cyh from 94.23.30.184 port 46716
gitea | Connection closed by invalid user cyh 94.23.30.184 port 46716 [preauth]
gitea | Invalid user jp from 94.23.30.184 port 33856
gitea | Connection closed by invalid user jp 94.23.30.184 port 33856 [preauth]
gitea | Invalid user tengwen from 94.23.30.184 port 49228
gitea | Connection closed by invalid user tengwen 94.23.30.184 port 49228 [preauth]
gitea | User nobody not allowed because account is locked
gitea | Connection closed by invalid user nobody 94.23.30.184 port 36368 [preauth]
gitea | Invalid user user06 from 94.23.30.184 port 51740
gitea | Connection closed by invalid user user06 94.23.30.184 port 51740 [preauth]
```

Those messages pop up around every 6~7 seconds. I came across this by accident after just rebooting my Gitea docker container.

I already set `sudo ufw deny from 94.23.30.184 to any`, however the requests keep going through.

  1. Why do the requests keep coming even after setting ufw to deny any access by this very IP?
  2. How do I backtrack the IP to find out who wants to brute-force my Gitea instance?
  3. What can I do to secure my server from this kind of attack?
  • Welcome to the internet where everything gets constantly brute-forced. Either open the SSH ports to only known good IPs, set up fail2ban, force key authentication, or just live with it. Commented Apr 10, 2023 at 8:42
  • Perhaps there's an allow rule that allows the connection before the deny rule can deny it - chances are, there is. Commented Apr 10, 2023 at 23:14
  • @JaromandaX I double-checked it; however, there is no allow rule there. I'm really curious about why the ufw rule apparently didn't apply there. I ended up taking my Gitea instance down from public networks and making it accessible only via LAN + VPN. Commented Apr 11, 2023 at 7:20
  • So your ufw incoming default is allow. Commented Apr 11, 2023 at 23:14
