- cross-posted to:
- pulse_of_truth@infosec.pub
By ‘Git instances’ they mean Gogs instances that allow open registration. I know most of the community moved from Gogs to Gitea, and then to Forgejo, but thought this was still worth noting.



I keep mine accessible from the internet; it's just more useful to me like that. I do have registration disabled though, and SSO is handled by Authentik, so it could be worse (my personal goal has just been to not be the easiest target; perfect security is a myth in my mind).
There's a HUGE difference between hosting it essentially read-only to the world vs. allowing account creation, uploading, and processing unknown files by the server.
I have thought of blocking access to the commit history pages at the reverse proxy to cut off 99% of the traffic from bots. If anyone wants to look at the history, it's just a git clone away.
You could also throw it behind mTLS
I could, but then I would have issues getting to it from work; from the bit I've read about mTLS, it's not really intended for my use case, I think I'll just stick with TLS.
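Neither the idea of blocking the commit-history pages at the reverse proxy nor the mTLS suggestion comes with a config in the thread. The fragment below is an added example, not something any commenter posted: an nginx front end for a self-hosted Gogs-style instance that denies the history pages to anonymous clients and requires a client certificate only there, so ordinary TLS browsing and `git clone` over HTTPS keep working. The hostname, certificate paths, the backend port, and the route pattern for commit pages (`/<owner>/<repo>/commits/...` and `/<owner>/<repo>/commit/<sha>`, as used by Gogs and Gitea) are assumptions.

```nginx
# Added example, not from the thread. Placeholders: git.example.com, the
# certificate paths, the client CA, and the backend on 127.0.0.1:3000.
server {
    listen 443 ssl;
    server_name git.example.com;                                   # placeholder

    ssl_certificate     /etc/ssl/git.example.com/fullchain.pem;    # placeholder
    ssl_certificate_key /etc/ssl/git.example.com/privkey.pem;      # placeholder

    # Ask for a client certificate but do not fail the handshake without one.
    # $ssl_client_verify then holds SUCCESS, NONE or FAILED:<reason> per request,
    # so mTLS can be enforced per location instead of for the whole vhost.
    ssl_client_certificate /etc/ssl/git.example.com/client-ca.pem; # placeholder CA
    ssl_verify_client optional;

    # Commit-history and single-commit pages are what crawlers walk endlessly.
    # Assumed route shapes: /<owner>/<repo>/commits/... and /<owner>/<repo>/commit/<sha>.
    # Only requests carrying a certificate that chains to the CA above get through.
    location ~ ^/[^/]+/[^/]+/(commits|commit)(/|$) {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        proxy_pass http://127.0.0.1:3000;          # assumed: Gogs on its default port
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Everything else (repo front page, file browser, smart-HTTP clone under
    # /<owner>/<repo>.git/...) stays reachable over plain TLS.
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Run `nginx -t` before reloading. With this in place a bot without a client certificate gets a 403 on every history page while `git clone https://git.example.com/owner/repo.git` still works, since the smart-HTTP paths never match the restricted location; a browser with the client certificate installed sees the history pages as before.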