My Gitea instance is being brute-forced just as I write this text:
gitea | Invalid user yinsen from 94.23.30.184 port 55154
gitea | Connection closed by invalid user yinsen 94.23.30.184 port 55154 [preauth]
gitea | Invalid user zhaoyy from 94.23.30.184 port 42294
gitea | Connection closed by invalid user zhaoyy 94.23.30.184 port 42294 [preauth]
gitea | Invalid user yangtingy from 94.23.30.184 port 57666
gitea | Connection closed by invalid user yangtingy 94.23.30.184 port 57666 [preauth]
gitea | Invalid user haoxiaoshuai from 94.23.30.184 port 44806
gitea | Connection closed by invalid user haoxiaoshuai 94.23.30.184 port 44806 [preauth]
gitea | Invalid user adminuser from 94.23.30.184 port 60178
gitea | Connection closed by invalid user adminuser 94.23.30.184 port 60178 [preauth]
gitea | Invalid user adminuser from 94.23.30.184 port 47320
gitea | Connection closed by invalid user adminuser 94.23.30.184 port 47320 [preauth]
gitea | Invalid user wangjue from 94.23.30.184 port 34458
gitea | Connection closed by invalid user wangjue 94.23.30.184 port 34458 [preauth]
gitea | Invalid user jmms from 94.23.30.184 port 49830
gitea | Connection closed by invalid user jmms 94.23.30.184 port 49830 [preauth]
gitea | Invalid user user42 from 94.23.30.184 port 36970
gitea | Connection closed by invalid user user42 94.23.30.184 port 36970 [preauth]
gitea | Invalid user huwanfeng from 94.23.30.184 port 52340
gitea | Connection closed by invalid user huwanfeng 94.23.30.184 port 52340 [preauth]
gitea | Invalid user lidongbo from 94.23.30.184 port 39480
gitea | Connection closed by invalid user lidongbo 94.23.30.184 port 39480 [preauth]
gitea | Invalid user market from 94.23.30.184 port 54852
gitea | Connection closed by invalid user market 94.23.30.184 port 54852 [preauth]
gitea | 2023/04/10 10:05:18 [6433c33e] router: completed GET /robots.txt for 172.24.0.37:59646, 200 OK in 0.3ms @ web/web.go:162(web.Routes)
gitea | Invalid user ldbc from 94.23.30.184 port 41992
gitea | Connection closed by invalid user ldbc 94.23.30.184 port 41992 [preauth]
gitea | Invalid user lsp from 94.23.30.184 port 57364
gitea | Connection closed by invalid user lsp 94.23.30.184 port 57364 [preauth]
gitea | Invalid user lihan from 94.23.30.184 port 44504
gitea | Connection closed by invalid user lihan 94.23.30.184 port 44504 [preauth]
gitea | Invalid user xingxiaoyang from 94.23.30.184 port 59876
gitea | Connection closed by invalid user xingxiaoyang 94.23.30.184 port 59876 [preauth]
gitea | Invalid user kishida from 94.23.30.184 port 47016
gitea | Connection closed by invalid user kishida 94.23.30.184 port 47016 [preauth]
gitea | Invalid user lrj from 94.23.30.184 port 34156
gitea | Connection closed by invalid user lrj 94.23.30.184 port 34156 [preauth]
gitea | Invalid user mgr from 94.23.30.184 port 49528
gitea | Connection closed by invalid user mgr 94.23.30.184 port 49528 [preauth]
gitea | Invalid user xiaojiwei from 94.23.30.184 port 36668
gitea | Connection closed by invalid user xiaojiwei 94.23.30.184 port 36668 [preauth]
gitea | Invalid user tim from 94.23.30.184 port 52040
gitea | Connection closed by invalid user tim 94.23.30.184 port 52040 [preauth]
gitea | Invalid user wxccvt from 94.23.30.184 port 39180
gitea | Connection closed by invalid user wxccvt 94.23.30.184 port 39180 [preauth]
gitea | Invalid user wangyanzhao from 94.23.30.184 port 54552
gitea | Connection closed by invalid user wangyanzhao 94.23.30.184 port 54552 [preauth]
gitea | Invalid user huangxuanxuan from 94.23.30.184 port 41692
gitea | Connection closed by invalid user huangxuanxuan 94.23.30.184 port 41692 [preauth]
gitea | Invalid user centos from 94.23.30.184 port 57064
gitea | Connection closed by invalid user centos 94.23.30.184 port 57064 [preauth]
gitea | Invalid user gvtiib from 94.23.30.184 port 44204
gitea | Connection closed by invalid user gvtiib 94.23.30.184 port 44204 [preauth]
gitea | Invalid user keras from 94.23.30.184 port 59576
gitea | Connection closed by invalid user keras 94.23.30.184 port 59576 [preauth]
gitea | Invalid user cyh from 94.23.30.184 port 46716
gitea | Connection closed by invalid user cyh 94.23.30.184 port 46716 [preauth]
gitea | Invalid user jp from 94.23.30.184 port 33856
gitea | Connection closed by invalid user jp 94.23.30.184 port 33856 [preauth]
gitea | Invalid user tengwen from 94.23.30.184 port 49228
gitea | Connection closed by invalid user tengwen 94.23.30.184 port 49228 [preauth]
gitea | User nobody not allowed because account is locked
gitea | Connection closed by invalid user nobody 94.23.30.184 port 36368 [preauth]
gitea | Invalid user user06 from 94.23.30.184 port 51740
gitea | Connection closed by invalid user user06 94.23.30.184 port 51740 [preauth]
Those messages pop up around every 6~7 seconds. I came across this by accident after just rebooting my Gitea docker container.
I already set sudo ufw deny from 94.23.30.184 to any, however the requests keep going through.
- Why do the requests keep coming even after setting ufw to deny any access by this very IP?
- How do I backtrack the IP to find out who wants to brute-force my Gitea instance?
- What can I do to secure my server from this kind of attack?
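Added example, not part of the original post: a Python script that tallies failed SSH logins in log output of the format shown above, counting each connection once by (IP, source port) because every attempt produces two lines. The sample reuses a few lines from the post plus one constructed line (203.0.113.7, a documentation address); the function names and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Lines copied from the post, plus one constructed line (203.0.113.7).
SAMPLE_LOG = """\
gitea | Invalid user yinsen from 94.23.30.184 port 55154
gitea | Connection closed by invalid user yinsen 94.23.30.184 port 55154 [preauth]
gitea | Invalid user adminuser from 94.23.30.184 port 60178
gitea | Connection closed by invalid user adminuser 94.23.30.184 port 60178 [preauth]
gitea | 2023/04/10 10:05:18 [6433c33e] router: completed GET /robots.txt for 172.24.0.37:59646, 200 OK in 0.3ms @ web/web.go:162(web.Routes)
gitea | User nobody not allowed because account is locked
gitea | Connection closed by invalid user nobody 94.23.30.184 port 36368 [preauth]
gitea | Invalid user git2 from 203.0.113.7 port 40000
"""

INVALID = re.compile(r"Invalid user (\S+) from (\S+) port (\d+)")
CLOSED = re.compile(r"Connection closed by invalid user (\S+) (\S+) port (\d+) \[preauth\]")


def summarize(log_text):
    """Return {ip: {"attempts": n, "users": set}}, one attempt per (ip, port)."""
    seen = set()
    stats = defaultdict(lambda: {"attempts": 0, "users": set()})
    for line in log_text.splitlines():
        # Drop the "gitea | " container-name prefix if present.
        msg = line.split(" | ", 1)[-1]
        m = INVALID.match(msg) or CLOSED.match(msg)
        if not m:
            continue  # web router lines, "account is locked" lines, etc.
        user, ip, port = m.groups()
        stats[ip]["users"].add(user)
        # The source port identifies the connection, so the "Invalid user" and
        # "Connection closed" lines of one attempt are counted only once.
        if (ip, port) not in seen:
            seen.add((ip, port))
            stats[ip]["attempts"] += 1
    return dict(stats)


def noisy_sources(stats, min_attempts=3):
    """Source IPs with at least min_attempts failed connections."""
    return sorted(ip for ip, s in stats.items() if s["attempts"] >= min_attempts)


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for ip, s in result.items():
        print(ip, s["attempts"], sorted(s["users"]))
    print("over threshold:", noisy_sources(result))
```
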