Like, I hear all the time that you shouldn’t open any ports on your networks fire wall for security reasons this and security reasons that. But what are the actual security implications/risks of forwarding a port for something like Jellyfin or a Minecraft server or something like that? Explain like im 16 (or something)

  • billiarddaddy@alien.topB
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    That depends on the port/service you’re forwarding.

    It also depends on your ISP if they filter some standard ports.

    Non-standard ports can obfuscate your service, prevents it from being detected by crawlers and bots.

    Start small and don’t ignore security standards.

    Patch your stuff. Use common sense.

  • winston198451@alien.topB
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    A lot of great and valuable replies here so far. I’ll add my comments anyway.

    I have learned over the years of selfhosting/homelabbing and being an IT professional that as u/emprahsFury stated,

    Oftentimes though people don’t know what they don’t know, and we only find out that we don’t know after we’ve moved from the prevention phase to the remediation phase.

    I have seen this for years professionally. Unless you think like the bad guy, you don’t know what the bad guy is thinking. Not knowing what the bad guy is thinking does not mean that the techniques and possibilities do not exist.

    Taking some time to learn what the bad guys can do can be very helpful to the self-hoster in general.

  • bmelancon@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    As others have said, if you don’t fully understand the implications of opening a port, you shouldn’t open a port. Use something like TailScale or ZeroTier. You’ll still be able to access your services but you don’t need to open any ports.

  • beagle_bathouse@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Exposing your software to the internet resulting in initial access via:

    1. Vulnerabilities being exploited (either 0 day or unpatched)

    2. Credential stuffing or brute forcing credentials

    Then depending on the vulnerability or account compromised, access to your home network where they can move laterally and install ransomware, serve spam emails or links, or mine bit coin. These are the most common scenarios.

    Best practice is to not expose ports for this reason.

  • boblin@infosec.pub
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    An open port is like a door on a building. It allows people from outside (the Internet) to go to the attached room on the inside (the service you’re exposing).

    Now is that’s the only room in the building (the computer is not used for anything else), and the building is alone in the middle of an island with no land access (the computer is separated from the network, like in a DMZ) then the second worst thing an attacker can do is squat in in and rifle through your papers (the configuration files). The worst thing they can do however is start using your address and the utilities you paid for to start some unsavoury business (make it part of a botnet).

    But if the server is not segregated from the rest of your network, they’ll start running into other rooms/buildings, getting their hands at anything they can. Your accounts, your identity, etc. You’ll be living in a really bad neighborhood, being shaken down for everything you have at every corner.

    Now for the type of door you’re putting on a building: if you just port forward it’ll be like a screen door. It keeps the bugs out, but any person can open it with ease or crash through it, and they can see what’s inside by just standing in front of it (server fingerprinting). If the services you run have a vulnerability it will be exploited. If you don’t have a firewall or intrusion detection it’ll be like putting a combination lock on the door and never checking if someone is trying all the numbers. The attackers WILL just keep trying until they succeed, and they’re really fast at it.

    So it’s not like you should never put a door on a building, but the door should be reasonably secure, with the appropriate strength, deadbolt, and depending on what you run a receptionist (reverse proxy) and security guard.

  • Bulky_Construction51@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Also be aware that an exposed port that has an application responding to requests can give information that might reveal weaknesses (for example old versions with available exploits).

    I know Minecraft was very exploitable earlier, I guess with that specific version an attacker would still be able to get access to your machine in some cases.

    So port forwarding is like unlocking a door. As long as the stuff inside the door knows how to handle unwanted guests then no problem. But the challenge, as others have mentioned, is to make sure you actually know everything is secure.

  • rayjaymor85@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Port forwarding itself is not inherently dangerous; in much the same way that jumping out of a window is not inherently dangerous. But obviously it is risky.

    If you know what you’re doing and mitigate the risk, jumping out of a window onto say a soft landing or a ground floor window is not a problem.

    Anyone hosting websites or services either at home or in a datacenter do it all the time.

    The dangerous part is if someone can do with that forwarded port if the service it’s attached to can be used to gain access to something else on the network.

    Usually done by figuring out what you are running, and then exploiting a CVE to get in and then get access to the rest of your network that way.

    So as an example I have a VM with Google Cloud that is running my website. If someone does manage to hack it, well, who cares - it’s just a VM running that simple LAMP stack.

    If I had that same website on my home network, and it can access my home NAS, well if it turns out there’s a vulnerability I didn’t account for then technically someone can take over that VM and hop into my NAS and do damage there.

  • bufandatl@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    The problem is a lot of people here are beginners and have no real clue about network security. And opening a port is opening a door. If you have a bouncer that clears people beforehand then you can keep the door open. But you will still need to keep your bouncer trained so he can take care of people you don’t want. Same with software. Keep it updated and have security enhancements in place like 2FA and analysis tools like crowdsec or fail2ban. And the open port might not an issue at all.

    But if you open a device like a NAS (cough QNAP cough) then you have a higher security risk.

    TLDR; if you know what you are doing it might not have implications.

  • Mephidia@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    You’re allowing random people to access those services. Jellyfin almost definitely has a 0 day exploit so anyone who has access would potentially be able to use that on you. I would wager burning a 0 day on a random is probably not gonna be happening but also the odds of a random realizing they’ve been hacked is pretty low too so you never really know.

  • dmdeemer@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I’ll repeat a reply I made as a top-level comment, as I think it’s a useful analogy:

    Opening a port is like installing a door in what was a brick wall in a back alley, then leaving it unattended while people might try to pick the lock. Unfortunately, the internet is a crime-ridden neighborhood, and that lock will be tested, likely within minutes.

    The “door” in this analogy is a port forward on your router, and the “lock” is whatever security is provided by the service you expose on that port. Some services are battle-tested and more trustworthy than others, but nearly everything has a bug in it somewhere.

    I no longer leave any ports open, other than just one for Wireguard. Wireguard in general won’t reply to unauthenticated packets at all, so it’s essentially an invisible door. I can’t speak to OpenVPN, it may or may not behave similarly. Leaving an SSH server visible is an invitation for automated password-guessing.

  • TheRealNetroxen@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I won’t reiterate what people have already said. What I will note, is that if you’re exposing a port for an application, you should probably in most instances be proxying it through your webserver with the appropriate mitigations to common attack vectors. This could be something as simple as a deny_all or as thorough as CORS/CSRF checking. However in all instances, this will at least prevent you from exposing ports externally.

    If you want an additional layer of security, use a gateway to redirect traffic to your webserver.