Comment on What's the real danger of opening ports?
skankhunt42@lemmy.ca 3 weeks ago
It’s not so much about the ports, its about what you’re running that’s accessible to the public.
If you have a single website on 443 and SSH on 22 (or a non-standard port like 6543) you’re generally considered safe. This is 2 services and someone would need to attack one of the two to get in.
If you have a VPN on 4567 and everything behind the VPN then someone would need to hack the VPN to get in.
If you have 100 different things behind 443 then someone just needs to find a hole in one to get in.
Generally ssh, nginx, a VPN are all safe and they should be on their own ports.
Everything you expose is fine until somebody finds a zero day.
Everything these days is being built from a ton of publically maintained packages. All it takes is for one of those packages to fall into the wrong hands and get updated which happens all the time.
If you’re going to expose web yourself, use anubus and fail2ban
Put everything that doesn’t absolutely need to be public open behind a VPN.
Keep all of your software updated, constant vigilance.
sfjvvssss@lemmy.world 3 weeks ago
Sorry to nitpick but I feel like beimg precise here is important. Nginx is a project, ssh a protocol and VPN an overlay network, so more of a concept. All 3 can be run somewhere on the spectrum between quite secure and super insecure. Also safe and secure are two different things, I guess you meant secure so no big deal.