Hi, Mastodon. I'm looking for some help with #selfhosted #homelab stuff; a jumping-off point for me to research from.

I keep hearing that it's a big security no-no to just forward ports to the relevant servers, but I don't really comprehend why; I used to port forward for game servers all the time. Can anyone scare me straight?

1/2

@ampersandrew Port forwarding puts your computer directly on the open internet for everyone to see. With Jellyfin or Matrix, a vulnerability or weak password could mean someone gets your media, credentials, or even into your network. In my experience, anything on the open web gets RELENTLESSLY probed for openings. There's always someone somewhere in the world scanning huge ranges of IPs in search of something vulnerable they can exploit.
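The "relentlessly probed" point is easy to confirm on your own router: most home firewalls can log packets that hit a forwarded port, and a few lines of parsing show how many different addresses try the port. The following is an added example, not code from anyone in this thread; the log lines are constructed in iptables/nftables kernel-log style with documentation addresses, and the `FWD-IN` prefix and 192.168.x.x destinations are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of iptables/nftables-style kernel log lines, as a router
# could emit for packets hitting a forwarded port. All addresses are made up
# (RFC 5737 documentation ranges on the outside, private ranges inside).
SAMPLE_LOG = """\
Jan 12 03:14:02 router kernel: FWD-IN: IN=eth0 OUT=br0 SRC=203.0.113.10 DST=192.168.1.20 PROTO=TCP SPT=51234 DPT=8096 SYN
Jan 12 03:14:05 router kernel: FWD-IN: IN=eth0 OUT=br0 SRC=198.51.100.7 DST=192.168.1.20 PROTO=TCP SPT=40211 DPT=8096 SYN
Jan 12 03:14:09 router kernel: FWD-IN: IN=eth0 OUT=br0 SRC=203.0.113.10 DST=192.168.1.20 PROTO=TCP SPT=51235 DPT=8096 SYN
Jan 12 03:15:40 router kernel: FWD-IN: IN=eth0 OUT=br0 SRC=192.0.2.99 DST=192.168.1.20 PROTO=TCP SPT=33000 DPT=8096 SYN
Jan 12 03:16:01 router kernel: FWD-IN: IN=eth0 OUT=br0 SRC=198.51.100.44 DST=192.168.1.30 PROTO=TCP SPT=60000 DPT=12345 SYN
Jan 12 03:16:02 router kernel: FWD-IN: IN=eth0 OUT=br0 SRC=203.0.113.10 DST=192.168.1.30 PROTO=TCP SPT=51236 DPT=12345 SYN
"""

# Pull the fields we care about out of each logged packet.
LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def parse_hits(log_text):
    """Yield (src, dst, proto, dpt) for every line that logs a forwarded packet."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"], int(m["dpt"])


def summarize(log_text):
    """Per forwarded (dst, proto, port): the distinct source addresses and the hit count."""
    sources = defaultdict(set)
    hits = Counter()
    for src, dst, proto, dpt in parse_hits(log_text):
        key = (dst, proto, dpt)
        sources[key].add(src)
        hits[key] += 1
    return {k: {"sources": sorted(sources[k]), "hits": hits[k]} for k in hits}


def noisy_ports(log_text, min_sources=2):
    """Forwarded ports contacted by at least min_sources distinct addresses.

    Several unrelated sources hitting the same port in a short window is the
    signature of internet-wide scanning rather than your own legitimate users.
    """
    summary = summarize(log_text)
    return sorted(k for k, v in summary.items() if len(v["sources"]) >= min_sources)


if __name__ == "__main__":
    for key, info in summarize(SAMPLE_LOG).items():
        print(key, info)
    print("scanned:", noisy_ports(SAMPLE_LOG))
```

Run against a real log, the same summary tells you which forwarded ports are drawing unsolicited traffic and from how many places; on a typical home connection the answer is "all of them, within hours", which is the practical reason a forwarded port is treated as a standing invitation rather than a passive presence.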
@Andrew Aren't I always on the open internet for everyone to see? Isn't my IP address logged in countless places every day? I'm not trying to be argumentative, since everyone seems pretty unified in this being a bad idea, but it still hasn't clicked yet as to why.
@ampersandrew
Sure, but websites passively logging you as a passerby is very different than setting up shop with a billboard on top inviting everyone to look for openings or vulnerabilities.
@Andrew Fair enough. I guess self hosting video game servers is far less common these days, but does this same problem exist in that space too? Is a forwarded port only a problem if the server it's pointed to is running? In other words, if I forwarded port 12345 to a computer hosting Shoot Stuff 3, but the server binary isn't currently running, is that a security problem at that moment? What if the port is forwarded but the computer itself isn't on, and only my router is?
@ampersandrew that's a fair point - if it's not online then there's no risk at that moment. I'd still be worried that it gets probed and logged quickly when you're online, and then if a vulnerability with your setup is ever publicized then you're a sitting duck next time you go online. I imagine it's low risk if you keep everything updated but I don't really want to test it!
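The question of whether a forwarded port matters when the server binary is not running comes down to what the outside world sees: a listening service accepts the connection, a machine with nothing listening answers with a reset (the port reads as "closed" but confirms a live host behind the forward), and a powered-off machine or a dropped packet gives no answer at all. This added example, not code from anyone in the thread, reproduces the first two states on your own machine using a throwaway listener on 127.0.0.1; the `filtered` branch is what you would see for the powered-off case and is not exercised here.

```python
import socket


def probe(host, port, timeout=1.0):
    """Classify a TCP port from the client's point of view.

    'open'     -> a service accepted the connection (something is listening)
    'closed'   -> the host answered with a reset: the forward reaches a live
                  machine, but nothing is listening on that port right now
    'filtered' -> no answer within the timeout (host off, or traffic dropped)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # includes socket.timeout / TimeoutError
        return "filtered"
    finally:
        s.close()


def demo():
    """Start a throwaway listener on loopback, probe it, stop it, probe again.

    Returns the (while_running, after_stop) classifications, which mirror the
    "server binary running" and "server binary stopped" cases from the thread.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_running = probe("127.0.0.1", port)
    srv.close()  # equivalent to the game server exiting
    after_stop = probe("127.0.0.1", port)
    return while_running, after_stop


if __name__ == "__main__":
    running, stopped = demo()
    print(f"service running: {running}, service stopped: {stopped}")
```

The "closed" result is the nuance behind "no risk at that moment": nothing can be attacked on that port while no service listens, but the reset still tells whoever is scanning that a host exists and which port its owner chose to expose, which is why those probes get logged and why the forward is worth removing when the server is retired rather than left in place.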