A question of port security

For a time, I hosted a dedicated gaming server for my friends and me to play on. Of course, making the server available outside of my own LAN required forwarding certain ports to the server in question, thereby exposing it to external forces.

As I become more security-conscious, I find myself questioning these sorts of commonplace network modifications. Spending some time observing the alert logs for Suricata in particular was eye-opening for me. It made me realize the extent to which my network was being regularly bombarded and probed by the internet at large.

In an ideal world, a vigilant user would never open a single port in their firewall; but of course this isn’t practical. In situations where I must expose a port (such as the example of my dedicated game server) how do I maintain best practices, allowing incoming connections while providing a modicum of security for my home network?

In addition to the larger question of port security / port hardening, I have a few questions about the specifics of how open ports work:

1. Does an open port only provide access to the application listening on that port?
2. What damage can be done given an open port with no services or applications listening on it?
3. Does an open port expose all services operating within my LAN?


So port forwarding only opens the port to the IP you specify on that port; there is not really any damage I'm aware of from an unoccupied IP. The only way a port forward would expose the rest of your network is if they can exploit the service and use it to roam on your network.

So if for example I had port 22 being forwarded to one of my servers for SSH, they could potentially crack the password and use that shell to access the rest of my network?

So opening a port isn’t just like punching a hole through my firewall that allows baddies to peek inside then?

Yes, I would never allow SSH to traverse the open internet, period, but definitely not on just a password; SSH keys are the way to go, since SSH can be used as a proxy. Port forwarding only punches a very specific hole in your firewall to the intended service, assuming it is not compromised.

So would there be any danger in for example forwarding a random port to the internal IP of my daily driver PC, but not have any particular application listening there? To extend my example of a game server, that would be equivalent to shutting down the running game service but not disabling the port forwarding.

As long as the port is closed (program is not running) there is not much real danger, but it's never as safe as having the port closed on your firewall.

Does port hardening just entail providing proper security for the application running on the port then? Like how you said use certs not passwords on SSH?

Also, what would be the alternative to letting SSH traverse the open internet?

Right, using keys is one way to harden the port; you're reducing the attack surface. You can also use something like pfBlocker to deny traffic from places you don't want to have direct access to the service. As for SSH, for me personally I pass SSH through my VPN, which requires 2 different certs, 1 TLS key, and user credentials. I have a user who needs access to SSH; I just specified the source IP for his network so it's only open to him, without access to my VPN.

Gotcha. So what are my options for games and other applications that don't have that kind of built-in security features?

I already use pfBlocker to block incoming connections from outside North America. I know I could, as you said, limit access by IP, but that would require significant upkeep of IP addresses in my situation. I also have Suricata monitoring for suspicious traffic, and the server I plan to use is on a virtual network separate from the one I use for my personal devices. Is that the best I could hope for in terms of reducing my attack surface?

I mean, short of having a separate machine on a different network that is not allowed to go into your LAN, you pretty much have as much hardening as you do, as far as I'm aware of. That does not stop them from compromising the program, but it does reduce the collateral if s#@! were to hit the fan. Assuming your machines also have their firewalls up, there is not much for them to find on that network besides other things that for the most part are publicly accessible anyway.
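As an added example (not from this thread or anyone in it), a small Python audit of the three points the replies above raise: forwards whose target has nothing listening, forwards that land in the personal LAN instead of the separate server network, and forwards with no source restriction. The rule names, addresses, listener snapshot and DMZ subnet are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Forward:
    name: str         # hypothetical rule label
    proto: str        # "tcp" or "udp"
    wan_port: int     # port opened on the firewall's WAN side
    target_ip: str    # LAN host the traffic is sent to
    target_port: int
    source: str       # "any" or a CIDR the rule accepts traffic from

# Constructed sample data: the firewall's forwards and a snapshot of what is
# actually listening on the LAN hosts (as you would gather with `ss -lntup`).
DMZ_NET = ipaddress.ip_network("192.168.10.0/24")   # the server-only VLAN
FORWARDS = [
    Forward("game-server", "udp", 27015, "192.168.10.5", 27015, "any"),
    Forward("ssh-friend", "tcp", 22, "192.168.10.7", 22, "203.0.113.0/24"),
    Forward("old-voice", "udp", 9987, "192.168.1.20", 9987, "any"),
]
LISTENERS = {
    ("192.168.10.5", 27015, "udp"),   # game server is up
    ("192.168.10.7", 22, "tcp"),      # sshd on the admin box
}

def audit_forwards(forwards, listeners, dmz_net=DMZ_NET):
    """Return sorted (rule name, finding code) pairs for risky forwards."""
    findings = []
    for f in forwards:
        # A forward whose target has nothing listening adds exposure later,
        # the moment something does start on that port; drop the rule.
        if (f.target_ip, f.target_port, f.proto) not in listeners:
            findings.append((f.name, "stale-forward"))
        # A forward into the personal LAN turns any compromise of the
        # service into a foothold next to your daily-driver machines.
        if ipaddress.ip_address(f.target_ip) not in dmz_net:
            findings.append((f.name, "target-outside-dmz"))
        # Unrestricted source: every scanner on the internet can reach it.
        if f.source == "any":
            findings.append((f.name, "any-source"))
        else:
            ipaddress.ip_network(f.source, strict=False)  # reject bad CIDRs
    return sorted(findings)

if __name__ == "__main__":
    for name, code in audit_forwards(FORWARDS, LISTENERS):
        print(f"{name}: {code}")
```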


Alright, thanks for your feedback @Night_Rider0, I appreciate your time :hugs:

Not a problem, glad I could help!