I created a test instance of Gitea on a server exposed to the internet. However, it is exposed only by IP and is not disclosed.
Today I just noticed a strange user account, which I didn’t register. He simply registered (July 1, 2023) on my Gitea server, which is not indexed by any search engine. How can this be possible?
user: sgitramp
email: sgitramp@gmail.com
Did you leave registration open?
If something is accessible across the net, SOMEONE will find it.
Thanks for the reply.
I don’t remember changing anything about the registration behavior. I didn’t believe that someone would find my server so fast. Less than two weeks. Is Gitea a beacon broadcasting the existence of the server? This sounds like a security flaw. Even if I leave registration open, no one should find it that fast. As I said, it is not registered in any search engine. And it’s an IP, not an address.
Cheers.
Not a security flaw, the web is full of script kiddies… 1-2 weeks for a machine with an accessible IP is standard, and once an IP is known, people/scripts will ping it to find what ports are open and then try to break in.
So people finding your machine by just the IP isn’t a security flaw, it’s what everyone has to contend with. Now, how someone was able to register… 99.999% sure public registration will be enabled (it’s enabled by default): Config Cheat Sheet | Gitea Documentation
Please check your app.ini to see if DISABLE_REGISTRATION is set to TRUE.
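A small script for doing the app.ini check suggested above, added here as an example and not taken from the thread or from Gitea itself. It parses the [service] section of a given app.ini (the section where Gitea reads DISABLE_REGISTRATION from), treats a missing key as Gitea's default of false, and ignores the same key under any other section; the two sample config files are constructed for the demonstration.

```shell
#!/bin/sh
# Check whether a Gitea app.ini leaves public registration open.
# Gitea reads DISABLE_REGISTRATION from the [service] section; if the key
# is absent the default is false, i.e. anyone reaching the server can sign up.
# Usage: gitea_registration_disabled /path/to/app.ini  -> prints "true" or "false"
gitea_registration_disabled() {
  awk '
    /^[[:space:]]*[;#]/ { next }                       # comment line
    /^[[:space:]]*\[/ {                                # [section] header
      sec = $0
      sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec)
      sec = tolower(sec); next
    }
    sec == "service" && index($0, "=") {
      key = substr($0, 1, index($0, "=") - 1)
      val = substr($0, index($0, "=") + 1)
      gsub(/[[:space:]]/, "", key)
      sub(/[[:space:]]*[;#].*$/, "", val); gsub(/[[:space:]]/, "", val)
      if (toupper(key) == "DISABLE_REGISTRATION") found = tolower(val)  # last one wins
    }
    END { if (found == "true") print "true"; else print "false" }
  ' "$1"
}

# Constructed sample configs (not from any real server) to exercise the check.
tmp=$(mktemp -d)
cat > "$tmp/open.ini" <<'EOF'
[server]
HTTP_PORT = 3000

[service]
; DISABLE_REGISTRATION left at its default (false)
REQUIRE_SIGNIN_VIEW = false

[not_the_service_section]
DISABLE_REGISTRATION = true   ; wrong section, must be ignored
EOF
cat > "$tmp/closed.ini" <<'EOF'
[service]
DISABLE_REGISTRATION = true   ; only admins create accounts
REQUIRE_SIGNIN_VIEW = true
EOF

echo "open.ini   -> registration disabled: $(gitea_registration_disabled "$tmp/open.ini")"
echo "closed.ini -> registration disabled: $(gitea_registration_disabled "$tmp/closed.ini")"
```

Run it against the real file (typically custom/conf/app.ini under the Gitea directory) and restart Gitea after changing the setting, since app.ini is only read at startup.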
Thanks for the clarification.