this post was submitted on 13 Nov 2023
5 points (100.0% liked)

Self-Hosted Main

21 readers
1 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

For Example

We welcome posts that include suggestions for good self-hosted alternatives to popular online services, how they are better, or how they give back control of your data. Also include hints and tips for less technical readers.

Useful Lists

founded 1 year ago
MODERATORS
 

Like, I hear all the time that you shouldn't open any ports on your networks fire wall for security reasons this and security reasons that. But what are the actual security implications/risks of forwarding a port for something like Jellyfin or a Minecraft server or something like that? Explain like im 16 (or something)

you are viewing a single comment's thread
view the rest of the comments
[–] boblin@infosec.pub 4 points 1 year ago

An open port is like a door on a building. It allows people from outside (the Internet) to go to the attached room on the inside (the service you're exposing).

Now is that's the only room in the building (the computer is not used for anything else), and the building is alone in the middle of an island with no land access (the computer is separated from the network, like in a DMZ) then the second worst thing an attacker can do is squat in in and rifle through your papers (the configuration files). The worst thing they can do however is start using your address and the utilities you paid for to start some unsavoury business (make it part of a botnet).

But if the server is not segregated from the rest of your network, they'll start running into other rooms/buildings, getting their hands at anything they can. Your accounts, your identity, etc. You'll be living in a really bad neighborhood, being shaken down for everything you have at every corner.

Now for the type of door you're putting on a building: if you just port forward it'll be like a screen door. It keeps the bugs out, but any person can open it with ease or crash through it, and they can see what's inside by just standing in front of it (server fingerprinting). If the services you run have a vulnerability it will be exploited. If you don't have a firewall or intrusion detection it'll be like putting a combination lock on the door and never checking if someone is trying all the numbers. The attackers WILL just keep trying until they succeed, and they're really fast at it.

So it's not like you should never put a door on a building, but the door should be reasonably secure, with the appropriate strength, deadbolt, and depending on what you run a receptionist (reverse proxy) and security guard.