Is it safe to open a forgejo git ssh port in my router?
Hello all! Yesterday I started hosting forgejo, and in order to clone repos outside my home network through ssh://, I seem to need to open a port for it in my router. Is that safe to do? I can’t use a vpn because I am sharing this with a friend. Here’s a sample docker compose file:
```yaml
version: "3"

networks:
  forgejo:
    external: false

services:
  server:
    image: codeberg.org/forgejo/forgejo:7
    container_name: forgejo
    environment:
      - USER_UID=1000
      - USER_GID=1000
      - FORGEJO__database__DB_TYPE=postgres
      - FORGEJO__database__HOST=db:5432
      - FORGEJO__database__NAME=forgejo
      - FORGEJO__database__USER=forgejo
      - FORGEJO__database__PASSWD=forgejo
    restart: always
    networks:
      - forgejo
    volumes:
      - ./forgejo:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    ports:
      - "3000:3000"
      - "222:22" # <- port 222 is the one I'd open, in this case
    depends_on:
      - db

  db:
    image: postgres:14
    restart: always
    environment:
      - POSTGRES_USER=forgejo
      - POSTGRES_PASSWORD=forgejo
      - POSTGRES_DB=forgejo
    networks:
      - forgejo
    volumes:
      - ./postgres:/var/lib/postgresql/data
```
And to clone I’d do
```
git clone ssh://git@<my router ip>:<the port I opened, in this case 222>/path/to/repo
```
Is that safe?
EDIT: Thank you for your answers. I have come to the conclusion that, regardless of whether it is safe, it doesn’t make sense to increase the attack surface when I can just use https and tokens, so that’s what I am going to do.
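
The setup the EDIT settles on, sketched as an added example that is not part of the original post: the `server` service from the compose file above with the SSH port mapping removed and Forgejo's SSH feature switched off, so only the web port is published. It assumes that HTTPS is terminated by a reverse proxy in front of port 3000 (the post does not say how TLS is provided); the `db` service and the top-level `networks` block stay as posted.

```yaml
services:
  server:
    image: codeberg.org/forgejo/forgejo:7
    container_name: forgejo
    environment:
      - USER_UID=1000
      - USER_GID=1000
      - FORGEJO__database__DB_TYPE=postgres
      - FORGEJO__database__HOST=db:5432
      - FORGEJO__database__NAME=forgejo
      - FORGEJO__database__USER=forgejo
      - FORGEJO__database__PASSWD=forgejo
      # Maps to DISABLE_SSH in the [server] section of app.ini:
      # disables Forgejo's SSH feature, leaving HTTP(S) for Git access.
      - FORGEJO__server__DISABLE_SSH=true
    restart: always
    networks:
      - forgejo
    volumes:
      - ./forgejo:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    ports:
      # Web UI and Git over HTTP. Assumption: a TLS-terminating reverse
      # proxy sits in front of this port, so clients only ever use https://.
      - "3000:3000"
      # The "222:22" mapping is gone. With no published SSH port there is
      # nothing to forward on the router and port 22 stays inside the
      # compose network.
    depends_on:
      - db
```

Clones then use the repository's HTTPS URL, and a Forgejo access token is entered in place of the account password when Git prompts for credentials.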