I am repeatedly getting emails like this on a self-hosted GitLab CE instance:
Hello, !
Your GitLab account has been locked due to an excessive number of unsuccessful sign in attempts. You can wait for your account to automatically unlock in 10 minutes or you can click the link below to unlock now.
Unlock account
If you did not initiate these sign-in attempts, please reach out to your administrator or enable two-factor authentication (2FA) on your account.
To better protect the instance, I want to find the IPs causing this, and block them using fail2ban. However, I cannot even find corresponding requests in my logs that would explain such unsuccessful sign-in attempts.
I have checked:
/var/log/gitlab/nginx/gitlab_access.log -> no 403 or 422 errors, and there are a couple of 200 requests for /users/sign_in, but nothing spurious, not even close in time to the email I got
/var/log/gitlab/nginx/gitlab_error.log -> empty
/var/log/gitlab/gitlab-rails/auth.log -> nothing relevant
Note: I have verified the email is valid and not a phishing attempt. The affected user account shows as having failed_attempts in the GitLab Rails console.
Where does GitLab log such requests, or could I somehow trace the origin of that email from GitLab itself, so that I can (programmatically) figure out which IPs to block?