Is opening ports secure?

I love yunohost and love to be able to have my own website/nextcloud instalation. However, I’ve been told that having open ports on my home router (which is where I have everything hosted) is completely unsecure and that I should totally not do it, as it can compromise all the devices on my home conection. Is that true? What are the measures taken by yunohost to protect the system / is there anything I can do to protect it more? I’ve read the security section, but it only talks about the SSH port, which I have not opened as I dont need access to it from the outside.

The is no such thing as “being secure” or “being insecure” in absolute. Everything depends on context/usage, and thread model. The most secure thing is to not use computers at all, especially computers connected to the internet.

Now, why do you need to have some ports opened/forwarded ? When you own a server, you want people to be able to connect to it, either to consult public web pages, or to fetch their private emails for instance. Therefore you need a door that programs can knock on, saying “Please show me the homepage of this website!”, or “I’m here to check my emails ! I am johndoe and my password is ****”. Those doors are the ports, and each of them handle different protocols (the numbers of the ports are basically completely arbitrary)

Opening ports, is, imho, in itself not insecure. But you could suspect that “the programs answering the door” (i.e. the web server, the mail server…) are not 100% " " " secure " " ", which just doesn’t mean anything by itself. But basically you think of it as :

  • the program could contain governement backdoors,
  • the web server is improperly configured such that an attacker could access some private info,
  • the application being served by the web server is itself not coded/programmed securely such that an attacker could access some private info - or worse, gain access to your server and compromise it entirely ,
  • an attacker could try to bruteforce the password you use to login, therefore getting access to your server and compromise it entirely,
  • ???,
  • ???,

So what shall you do knowing all this ? Well imho you can’t really help with governmental backdoors if they exist, you can just donate to all the project you can such that they can hopefully be security audited. About the second item, it is a bit more closer to YunoHost and you can both try to trust us on what we are doing in term of service configuration, and donate to the project so we may also be one day be able to audit things …

The next two items are a bit more concrete : e.g. you may install an app that is badly coded and therefore can be exploited (“hacked” (sigh)) by an attacker to gain access to your server. There is no clear and definite countermeasure to this, except taking care to not install anything looking suspicious. Which leads to the question “what is suspicious”, but basically, try to not install badly-reputed apps such as wordpress or phpmyadmin - and if you do DO NOT install plugins from random places. This is how people get compromised this way (typically some plugins are cheese with big holes, vulnerabilities get known then are exploited automatically by bots)

The last item is the most “easy” to implement a countermeasure for : you can create a program that analyzes failed login attempts, and block such attempts if you are detecting someone trying to bruteforce. YunoHost comes installed with fail2ban which does that on various things (web interface, email, ssh, …).

But of course, the “defended surface” may never equal the “attack surface” of your server. There are unknown attack surface which might not have been taken into account yet.

So to finally answer the question :

  • Is opening ports secure ? No, it is not. And connecting to the internet is neither.

But a more pragmatic question to ask is to ask is “Does my server implements basic defense mechanism against automatic attack, and do I respect basic security principle (e.g. having strong password) ?”

And for everything else I invite you to read this other post : How to secure guide for noob since I could be spending a whole week discussing security while in fact not being a security expert at all :wink:

2 Likes

To complete, you can also click on an email on your desktop browser open a shared document running a virus that create a VPN connection and exposed by this simple click (and probably authorization) all your local network…

So closing port is a solution but it’s not totaly secure.

If you are afraid of opening your ports on your box. You can decide to isolate your local network with a dedicated router (=box) like this:

BOX of your ISP with PORT forwarding to your server ---------- YOUR SERVER
                |
                |
  A ROUTEUR CONFIGURED WITH NAT (like a box)
           |                   |
   computer 1           computer 2

Like that, even if your server is compromized your local network is not directly exposed.

2 Likes

Leaving this for the record just in case somebody wants to try and do the same. My ISP, Telefónica (Movistar) offers a web interface through which you can open/close router ports without being on the local network. So what I’m going to do is leave all ports closed and yunohost only on local, and, if I need to access files/show off yunohost to others from outside my home, I’ll just open the ports remotely. That way I keep security while having access to my raspi whenever I want