The is no such thing as “being secure” or “being insecure” in absolute. Everything depends on context/usage, and thread model. The most secure thing is to not use computers at all, especially computers connected to the internet.
Now, why do you need to have some ports opened/forwarded ? When you own a server, you want people to be able to connect to it, either to consult public web pages, or to fetch their private emails for instance. Therefore you need a door that programs can knock on, saying “Please show me the homepage of this website!”, or “I’m here to check my emails ! I am johndoe and my password is ****”. Those doors are the ports, and each of them handle different protocols (the numbers of the ports are basically completely arbitrary)
Opening ports, is, imho, in itself not insecure. But you could suspect that “the programs answering the door” (i.e. the web server, the mail server…) are not 100% " " " secure " " ", which just doesn’t mean anything by itself. But basically you think of it as :
- the program could contain governement backdoors,
- the web server is improperly configured such that an attacker could access some private info,
- the application being served by the web server is itself not coded/programmed securely such that an attacker could access some private info - or worse, gain access to your server and compromise it entirely ,
- an attacker could try to bruteforce the password you use to login, therefore getting access to your server and compromise it entirely,
- ???,
- ???,
- …
So what shall you do knowing all this ? Well imho you can’t really help with governmental backdoors if they exist, you can just donate to all the project you can such that they can hopefully be security audited. About the second item, it is a bit more closer to YunoHost and you can both try to trust us on what we are doing in term of service configuration, and donate to the project so we may also be one day be able to audit things …
The next two items are a bit more concrete : e.g. you may install an app that is badly coded and therefore can be exploited (“hacked” (sigh)) by an attacker to gain access to your server. There is no clear and definite countermeasure to this, except taking care to not install anything looking suspicious. Which leads to the question “what is suspicious”, but basically, try to not install badly-reputed apps such as wordpress or phpmyadmin - and if you do DO NOT install plugins from random places. This is how people get compromised this way (typically some plugins are cheese with big holes, vulnerabilities get known then are exploited automatically by bots)
The last item is the most “easy” to implement a countermeasure for : you can create a program that analyzes failed login attempts, and block such attempts if you are detecting someone trying to bruteforce. YunoHost comes installed with fail2ban which does that on various things (web interface, email, ssh, …).
But of course, the “defended surface” may never equal the “attack surface” of your server. There are unknown attack surface which might not have been taken into account yet.
So to finally answer the question :
- Is opening ports secure ? No, it is not. And connecting to the internet is neither.
But a more pragmatic question to ask is to ask is “Does my server implements basic defense mechanism against automatic attack, and do I respect basic security principle (e.g. having strong password) ?”
And for everything else I invite you to read this other post : How to secure guide for noob since I could be spending a whole week discussing security while in fact not being a security expert at all 