Is it safe to open a forgejo git ssh port in my router? - eviltoast

Hello all! Yesterday I started hosting forgejo, and in order to clone repos outside my home network through ssh://, I seem to need to open a port for it in my router. Is that safe to do? I can’t use a vpn because I am sharing this with a friend. Here’s a sample docker compose file:

version: "3"

networks:
  forgejo:
    external: false

services:
  server:
    image: codeberg.org/forgejo/forgejo:7
    container_name: forgejo
    environment:
      - USER_UID=1000
      - USER_GID=1000
      - FORGEJO__database__DB_TYPE=postgres
      - FORGEJO__database__HOST=db:5432
      - FORGEJO__database__NAME=forgejo
      - FORGEJO__database__USER=forgejo
      - FORGEJO__database__PASSWD=forgejo
    restart: always
    networks:
      - forgejo
    volumes:
      - ./forgejo:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    ports:
      - "3000:3000"
      - "222:22" # <- port 222 is the one I'd open, in this case
    depends_on:
      - db

  db:
    image: postgres:14
    restart: always
    environment:
      - POSTGRES_USER=forgejo
      - POSTGRES_PASSWORD=forgejo
      - POSTGRES_DB=forgejo
    networks:
      - forgejo
    volumes:
      - ./postgres:/var/lib/postgresql/data

And to clone I’d do

git clone ssh://git@<my router ip>:<the port I opened, in this case 222>/path/to/repo

Is that safe?

EDIT: Thank you for your answers. I have come to the conclusion that, regardless of whether it is safe, it doesn’t make sense to increase the attack surface when I can just use https and tokens, so that’s what I am going to do.

  • Guadin@k.fe.derate.me · 5 months ago

    If your forgejo host needs to connect to the outside world, you can open the port for incoming traffic only for related and established traffic. That way when somebody wants to connect to your port as a new connection it will fail. So when somebody has bad intentions, it will not work unless you’ve already connected to them in the first place. You need to permit outgoing traffic from forgejo if you block outgoing traffic.
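    Turning the connection-state idea in the comment above into concrete rules, as an added example that is not part of the thread. It is a hypothetical script for the Linux host that runs the forgejo container (Docker in its default iptables mode); the LAN prefix 192.168.0.0/16 and the published port 222 from the compose file are assumptions. Two points a practitioner needs here: Docker DNATs a published port to the container before the FORWARD chain, so a rule in INPUT (or a plain `--dport 222`) never sees this traffic and the rules have to go in Docker's DOCKER-USER chain matching the pre-NAT port; and git over ssh is an inbound service, so new connections to the port must still be accepted. The script therefore accepts new connections to 222 under a rate limit, lets established/related traffic through, and drops every other new connection from outside the LAN to any container (so the web port is not reachable from the WAN unless you add a rule for it).

```shell
#!/bin/sh
# Added example, not code from the thread or from the Forgejo project.
# Hypothetical firewall helper for the Docker host behind the home router.
set -eu

# Assumptions (adjust to your network): the home LAN prefix, and the
# host-side port published for the container's sshd ("222:22" in compose).
LAN_NET="${LAN_NET:-192.168.0.0/16}"
FORGEJO_SSH_PORT="${FORGEJO_SSH_PORT:-222}"

# Rules for Docker's DOCKER-USER chain, in evaluation order. Published-port
# traffic is DNAT'd before FORWARD, so we match the original (pre-NAT)
# destination port with conntrack's --ctorigdstport instead of --dport.
#  1. replies to existing connections (what the comment calls
#     "related and established")
#  2. NEW git-over-ssh connections from outside the LAN, rate-limited so a
#     brute-force against the container's sshd is slowed down
#  3. default deny for any other new connection from outside the LAN
forgejo_fw_rules() {
    cat <<EOF
-I DOCKER-USER 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-I DOCKER-USER 2 ! -s ${LAN_NET} -p tcp -m conntrack --ctdir ORIGINAL --ctorigdstport ${FORGEJO_SSH_PORT} --ctstate NEW -m limit --limit 10/min --limit-burst 20 -j ACCEPT
-I DOCKER-USER 3 ! -s ${LAN_NET} -j DROP
EOF
}

# Apply the rules with iptables (requires root; Docker creates DOCKER-USER
# at daemon start, and our inserts land in front of its default RETURN).
apply_rules() {
    forgejo_fw_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086
        iptables $rule
    done
    iptables -L DOCKER-USER -n -v --line-numbers
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  forgejo_fw_rules ;;
    *)     echo "usage: $0 {show|apply}" >&2 ;;
esac
```

    Run `sh forgejo-fw.sh show` to review the generated rules and `sudo sh forgejo-fw.sh apply` to load them; the rules do not survive a reboot or a Docker restart that recreates the chain, so persist them with your distribution's iptables-persistent mechanism. Note that the port you expose is the container's own sshd (the `22` inside the container), not the host's sshd, and the router only needs to forward TCP; no UDP forward is required for git over ssh.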

    • gurapoku@lemmy.world (OP) · 5 months ago

      I see, only allowing established traffic to connect sounds like something that could work. But I don’t know how I can do this, do you have some pointers :)?

      Blocking outgoing traffic and having to whitelist forgejo seems a bit extreme though

      • Guadin@k.fe.derate.me · 5 months ago

        Blocking outgoing traffic isn’t needed. But it was merely a heads-up if that is something you’ve already set up. What router do you have? Usually when you open a port there is a dropdown menu or checkboxes for what kind of connection the port opening is allowed.

        • gurapoku@lemmy.world (OP) · 5 months ago

          I’d rather not say which router I have since it would reveal quite a bit of information about me. However, I do know that the connections that my router allows are tcp and udp