Like, I hear all the time that you shouldn’t open any ports on your network’s firewall for security reasons this and security reasons that. But what are the actual security implications/risks of forwarding a port for something like Jellyfin or a Minecraft server or something like that? Explain like I’m 16 (or something)
Also be aware that an exposed port that has an application responding to requests can give information that might reveal weaknesses (for example old versions with available exploits).
I know Minecraft was very exploitable earlier, I guess with that specific version an attacker would still be able to get access to your machine in some cases.
So port forwarding is like unlocking a door. As long as the stuff inside the door knows how to handle unwanted guests then no problem. But the challenge, as others have mentioned, is to make sure you actually know everything is secure.
Port forwarding itself is not inherently dangerous; in much the same way that jumping out of a window is not inherently dangerous. But obviously it is risky.
If you know what you’re doing and mitigate the risk, jumping out of a window onto say a soft landing or a ground floor window is not a problem.
Anyone hosting websites or services either at home or in a datacenter does it all the time.
The dangerous part is what someone can do with that forwarded port if the service it’s attached to can be used to gain access to something else on the network.
Usually this is done by figuring out what you are running, then exploiting a CVE to get in, and then getting access to the rest of your network that way.
So as an example I have a VM with Google Cloud that is running my website. If someone does manage to hack it, well, who cares - it’s just a VM running that simple LAMP stack.
If I had that same website on my home network, and it can access my home NAS, well if it turns out there’s a vulnerability I didn’t account for then technically someone can take over that VM and hop into my NAS and do damage there.
An open port is like a door on a building. It allows people from outside (the Internet) to go to the attached room on the inside (the service you’re exposing).
Now if that’s the only room in the building (the computer is not used for anything else), and the building is alone in the middle of an island with no land access (the computer is separated from the network, like in a DMZ), then the second worst thing an attacker can do is squat in it and rifle through your papers (the configuration files). The worst thing they can do however is start using your address and the utilities you paid for to start some unsavoury business (make it part of a botnet).
But if the server is not segregated from the rest of your network, they’ll start running into other rooms/buildings, getting their hands on anything they can. Your accounts, your identity, etc. You’ll be living in a really bad neighborhood, being shaken down for everything you have at every corner.
Now for the type of door you’re putting on a building: if you just port forward it’ll be like a screen door. It keeps the bugs out, but any person can open it with ease or crash through it, and they can see what’s inside by just standing in front of it (server fingerprinting). If the services you run have a vulnerability it will be exploited. If you don’t have a firewall or intrusion detection it’ll be like putting a combination lock on the door and never checking if someone is trying all the numbers. The attackers WILL just keep trying until they succeed, and they’re really fast at it.
So it’s not like you should never put a door on a building, but the door should be reasonably secure, with the appropriate strength, deadbolt, and depending on what you run a receptionist (reverse proxy) and security guard.
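The segregated DMZ the analogy describes (one door into one isolated room, with no path from that room into the rest of the house), written as an nftables ruleset for a Linux box acting as the home router. This is an added example, not config from any commenter; the interface names wan0/lan0/dmz0, the DMZ host 192.168.50.10 and the use of Minecraft’s default port 25565 are assumptions.

```nft
# Added example. Router with three interfaces (all names/addresses assumed):
#   wan0 = Internet, lan0 = home LAN with the NAS, dmz0 = isolated network
#   holding the game server at 192.168.50.10.
table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections that were already allowed
        ct state established,related accept
        ct state invalid drop

        # The one "door": Internet -> DMZ host, game port only
        iifname "wan0" oifname "dmz0" ip daddr 192.168.50.10 tcp dport 25565 ct state new accept

        # The LAN may reach both the DMZ and the Internet
        iifname "lan0" oifname { "dmz0", "wan0" } accept

        # The DMZ may reach the Internet (updates) but never the LAN:
        # a compromised game server has no route to the NAS
        iifname "dmz0" oifname "wan0" accept
        iifname "dmz0" oifname "lan0" counter drop
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # The port forward itself
        iifname "wan0" tcp dport 25565 dnat to 192.168.50.10
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}
```

The `counter` on the DMZ-to-LAN drop rule is the cheap tell-tale: if it ever climbs, something in the DMZ is trying to hop into the house.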
You’re allowing random people to access those services. Jellyfin almost definitely has a 0 day exploit so anyone who has access would potentially be able to use that on you. I would wager burning a 0 day on a random is probably not gonna be happening but also the odds of a random realizing they’ve been hacked is pretty low too so you never really know.
The problem is a lot of people here are beginners and have no real clue about network security. And opening a port is opening a door. If you have a bouncer that clears people beforehand then you can keep the door open. But you will still need to keep your bouncer trained so he can take care of people you don’t want. Same with software. Keep it updated and have security enhancements in place like 2FA and analysis tools like crowdsec or fail2ban. And the open port might not be an issue at all.
But if you open a device like a NAS (cough QNAP cough) then you have a higher security risk.
TL;DR: if you know what you are doing it might not have implications.
A lot of great and valuable replies here so far. I’ll add my comments anyway.
I have learned over the years of selfhosting/homelabbing and being an IT professional that as u/emprahsFury stated,
Oftentimes though people don’t know what they don’t know, and we only find out that we don’t know after we’ve moved from the prevention phase to the remediation phase.
I have seen this for years professionally. Unless you think like the bad guy, you don’t know what the bad guy is thinking. Not knowing what the bad guy is thinking does not mean that the techniques and possibilities do not exist.
Taking some time to learn what the bad guys can do can be very helpful to the self-hoster in general.
That depends on the port/service you’re forwarding.
It also depends on your ISP if they filter some standard ports.
Non-standard ports can obfuscate your service, preventing it from being detected by crawlers and bots.
Start small and don’t ignore security standards.
Patch your stuff. Use common sense.
> Explain like I’m 16 (or something)

One thing that people don’t get is what a firewall actually does: it blocks.
- no open ports - can’t get in, solid wall everywhere
- open ports - as if you put doors somewhere in the wall; depending on the door’s quality they can get in easily or not at all
That Minecraft example is a good one. You open a port to it, people can join it, but depending on how you set up your Minecraft server, if it has plugins that require registration and a password to move around, well, that either stops people from griefing or not.
Exposing your software to the internet results in initial access via:
- Vulnerabilities being exploited (either 0 day or unpatched)
- Credential stuffing or brute forcing credentials
Then depending on the vulnerability or account compromised, access to your home network where they can move laterally and install ransomware, serve spam emails or links, or mine bitcoin. These are the most common scenarios.
Best practice is to not expose ports for this reason.
---
I won’t reiterate what people have already said. What I will note is that if you’re exposing a port for an application, you should probably in most instances be proxying it through your webserver with the appropriate mitigations to common attack vectors. This could be something as simple as a deny_all or as thorough as CORS/CSRF checking. However in all instances, this will at least prevent you from exposing ports externally.
If you want an additional layer of security, use a gateway to redirect traffic to your webserver.
As others have said, if you don’t fully understand the implications of opening a port, you shouldn’t open a port. Use something like Tailscale or ZeroTier. You’ll still be able to access your services but you don’t need to open any ports.
I’ll repeat a reply I made as a top-level comment, as I think it’s a useful analogy:
Opening a port is like installing a door in what was a brick wall in a back alley, then leaving it unattended while people might try to pick the lock. Unfortunately, the internet is a crime-ridden neighborhood, and that lock will be tested, likely within minutes.
The “door” in this analogy is a port forward on your router, and the “lock” is whatever security is provided by the service you expose on that port. Some services are battle-tested and more trustworthy than others, but nearly everything has a bug in it somewhere.
I no longer leave any ports open, other than just one for WireGuard. WireGuard in general won’t reply to unauthenticated packets at all, so it’s essentially an invisible door. I can’t speak to OpenVPN, it may or may not behave similarly. Leaving an SSH server visible is an invitation for automated password-guessing.
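A minimal version of the check that fail2ban (mentioned in an earlier comment) performs against the automated password-guessing described here: count failed SSH logins per source inside a short window. This is an added example, not code from any commenter or from fail2ban itself; the log lines are constructed and the thresholds copy fail2ban’s defaults (5 failures within 10 minutes).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines: 203.0.113.7 guesses fast, 192.0.2.5 slowly, alice uses a key.
SAMPLE_LOG = """\
Mar 10 02:14:01 gw sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 02:14:03 gw sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Mar 10 02:14:04 gw sshd[811]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar 10 02:14:06 gw sshd[811]: Failed password for root from 203.0.113.7 port 51031 ssh2
Mar 10 02:14:09 gw sshd[811]: Failed password for invalid user pi from 203.0.113.7 port 51040 ssh2
Mar 10 02:20:30 gw sshd[901]: Accepted publickey for alice from 198.51.100.23 port 40002 ssh2
Mar 10 03:00:00 gw sshd[950]: Failed password for root from 192.0.2.5 port 55000 ssh2
Mar 10 03:30:00 gw sshd[951]: Failed password for root from 192.0.2.5 port 55001 ssh2
Mar 10 04:00:00 gw sshd[952]: Failed password for root from 192.0.2.5 port 55002 ssh2
Mar 10 04:30:00 gw sshd[953]: Failed password for root from 192.0.2.5 port 55003 ssh2
Mar 10 05:00:00 gw sshd[954]: Failed password for root from 192.0.2.5 port 55004 ssh2
"""
# The same "Failed password" pattern fail2ban's sshd filter keys on (syslog stamps carry no year).
FAILED_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                       r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")


def failed_logins(log_text):
    """Return [(timestamp, source_ip, username)] for every failed password attempt."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
            events.append((ts, m.group(3), m.group(2)))
    return events


def brute_force_sources(events, maxretry=5, findtime=timedelta(minutes=10)):
    """Map source_ip -> total failures for sources reaching maxretry failures
    inside any single findtime window (fail2ban's defaults: 5 within 10 minutes)."""
    by_ip = defaultdict(list)
    for ts, ip, _user in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0  # sliding window covers times[start:end + 1]
        for end in range(len(times)):
            while times[end] - times[start] > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                flagged[ip] = len(times)
                break
    return flagged
```

With the defaults only the fast guesser is flagged; 192.0.2.5 spreads its five attempts over two hours and slips under the 10-minute window, which is exactly the low-and-slow gap that key-only auth or a non-answering VPN like WireGuard closes and a ban tool alone does not.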
If you’re confident to expose a machine on a VPS and you can manage the implications then you can manage a machine in a DMZ of your NAT/Firewall home router.
If the server is a bare metal UNIX then you’re ok (i.e. *BSD || Linux on a Raspberry Pi 4/5), the basic install is better than Fort Knox
Port forwarding is like putting your apartment number and name on the door of the apartment complex, so someone coming would know which apartment to go to.
This apartment is unlocked; it is not the “buzzing in” kind.
So even if someone wants to break in and finds your door, the security and safety of your door is what matters.
---
Port forwarding in itself is “not” a security risk, if you are mindful, disable automatic port forwarding (UPnP) and open only the ports that are needed.
The security risks come from the software that listens on an opened port.
The internet itself works on port forwarding; any website is port forwarded to the webserver on port 80, 443 or 8080 by default. You are accessing a website right now. The security comes from the settings and safety of the webserver software itself. Whether it can be penetrated and used to access things that you are not supposed to.
---
If you are considering opening a service to the world you should look up if that software has any security vulnerabilities.
Open source Linux-based software is better in this way, because many people test the software and report issues before it is released as a stable version.
You can also build your server in a way where things are separated. Like having a webserver in a container.
The host is almost totally invisible from inside the container and it is nigh impossible (should be) to access the host computer other than the shared folders between host and container, and you cannot navigate out of those folders.
---
The most secure will always be a totally closed firewall. But letting trusted software be accessed from outside is not much less insecure.
Do not trust what you see in movies, a “hacker” can’t just waltz into your network, unless your router and firewall have some serious security vulnerabilities or god forbid, public facing backdoors
(some routers had some not so long ago, you should look up your own router for any news)