Like, I hear all the time that you shouldn’t open any ports on your networks fire wall for security reasons this and security reasons that. But what are the actual security implications/risks of forwarding a port for something like Jellyfin or a Minecraft server or something like that? Explain like im 16 (or something)

  • boblin@infosec.pub
    link
    fedilink
    English
    arrow-up
    4
    ·
    1 year ago

    An open port is like a door on a building. It allows people from outside (the Internet) to go to the attached room on the inside (the service you’re exposing).

    Now is that’s the only room in the building (the computer is not used for anything else), and the building is alone in the middle of an island with no land access (the computer is separated from the network, like in a DMZ) then the second worst thing an attacker can do is squat in in and rifle through your papers (the configuration files). The worst thing they can do however is start using your address and the utilities you paid for to start some unsavoury business (make it part of a botnet).

    But if the server is not segregated from the rest of your network, they’ll start running into other rooms/buildings, getting their hands at anything they can. Your accounts, your identity, etc. You’ll be living in a really bad neighborhood, being shaken down for everything you have at every corner.

    Now for the type of door you’re putting on a building: if you just port forward it’ll be like a screen door. It keeps the bugs out, but any person can open it with ease or crash through it, and they can see what’s inside by just standing in front of it (server fingerprinting). If the services you run have a vulnerability it will be exploited. If you don’t have a firewall or intrusion detection it’ll be like putting a combination lock on the door and never checking if someone is trying all the numbers. The attackers WILL just keep trying until they succeed, and they’re really fast at it.

    So it’s not like you should never put a door on a building, but the door should be reasonably secure, with the appropriate strength, deadbolt, and depending on what you run a receptionist (reverse proxy) and security guard.

  • bufandatlB
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    The problem is a lot of people here are beginners and have no real clue about network security. And opening a port is opening a door. If you have a bouncer that clears people beforehand then you can keep the door open. But you will still need to keep your bouncer trained so he can take care of people you don’t want. Same with software. Keep it updated and have security enhancements in place like 2FA and analysis tools like crowdsec or fail2ban. And the open port might not an issue at all.

    But if you open a device like a NAS (cough QNAP cough) then you have a higher security risk.

    TLDR; if you know what you are doing it might not have implications.

  • billiarddaddyB
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    That depends on the port/service you’re forwarding.

    It also depends on your ISP if they filter some standard ports.

    Non-standard ports can obfuscate your service, prevents it from being detected by crawlers and bots.

    Start small and don’t ignore security standards.

    Patch your stuff. Use common sense.

  • TheRealNetroxenB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I won’t reiterate what people have already said. What I will note, is that if you’re exposing a port for an application, you should probably in most instances be proxying it through your webserver with the appropriate mitigations to common attack vectors. This could be something as simple as a deny_all or as thorough as CORS/CSRF checking. However in all instances, this will at least prevent you from exposing ports externally.

    If you want an additional layer of security, use a gateway to redirect traffic to your webserver.