Is port forwarding dangerous inherently?
I had an argument with a person a while back when I proposed we forward port 12xyz to an internal SSH server.
The target server was tied down in a manner similar to the one recommended by @stribika at https://stribika.github.io/2015/01/04/secure-secure-shell.html. Specifically, no root access, public key authentication only, non-standard SSH port, high-quality ciphers, kex, and MACs.
I was arguing that the forwarded port was not inherently dangerous in itself, and that the safety was dependent on the service at the target port. I maintained my method was a perfectly secure way to gain remote access. He vehemently argued that it was not, stating that a VPN tunnel is the only safe way to achieve remote access. So I want to confirm here. Is port forwarding dangerous?
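The hardening the question describes can be checked mechanically. The script below is an added example, not code from the original thread or the stribika guide: it reads an sshd_config and reports whether root login is off, password authentication is off, the port is non-standard and the cipher/kex/MAC lists are explicit and free of legacy entries. The two demo configs it writes are constructed; the "hardened" one is modelled on the guide's recommendations.

```shell
# Added example (not code from the original thread): audit an sshd_config for the
# properties the question lists. Both demo configs below are constructed.
# Effective value of a directive: sshd honours the FIRST occurrence and ignores
# comments, blank lines and keyword case. Prints nothing if the directive is absent.
sshd_get() {  # usage: sshd_get FILE KEYWORD
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == k     { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# Entries of a comma-separated algorithm list that are legacy (CBC/RC4/3DES,
# MD5- or SHA-1-based MACs and kex); prints nothing if the list is clean.
legacy_algs() { printf '%s' "$1" | tr ',' '\n' | grep -Ei 'cbc|arcfour|3des|md5|sha1' || true; }
report() {  # usage: report DESCRIPTION TEST-ARGS... (as for test(1)); counts failures
    d=$1; shift
    if test "$@"; then echo "ok   $d"; else echo "FAIL $d"; fails=$((fails + 1)); fi
}
# One line per check; the return value is the number of failed checks.
sshd_audit() {  # usage: sshd_audit FILE
    f=$1; fails=0
    port=$(sshd_get "$f" Port);                 port=${port:-22}    # sshd defaults
    root=$(sshd_get "$f" PermitRootLogin);      root=${root:-unset} # when a
    pw=$(sshd_get "$f" PasswordAuthentication); pw=${pw:-yes}       # directive
    pk=$(sshd_get "$f" PubkeyAuthentication);   pk=${pk:-yes}       # is absent
    report "non-standard port (got $port)"       "$port" != 22
    report "PermitRootLogin no (got $root)"      "$root" = no
    report "PasswordAuthentication no (got $pw)" "$pw" = no
    report "PubkeyAuthentication yes (got $pk)"  "$pk" = yes
    for alg in Ciphers KexAlgorithms MACs; do
        v=$(sshd_get "$f" "$alg")
        report "$alg set explicitly, no legacy entries" -n "$v" -a -z "$(legacy_algs "$v")"
    done
    echo "$fails check(s) failed"; return "$fails"
}
# Constructed demo configs, written to $1/hardened.conf (modelled on the stribika
# guide) and $1/weak.conf (stock defaults plus a legacy cipher list).
write_demo_configs() {
    cat > "$1/hardened.conf" <<'EOF'
Port 12345
PermitRootLogin no
PasswordAuthentication no
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
EOF
    printf '# port, root and password login left at defaults\nCiphers aes128-ctr,aes256-cbc,3des-cbc\n' > "$1/weak.conf"
}
dir=$(mktemp -d); write_demo_configs "$dir"
sshd_audit "$dir/hardened.conf"; sshd_audit "$dir/weak.conf" || true
```

Run it against a real /etc/ssh/sshd_config with `sshd_audit /etc/ssh/sshd_config`; a non-zero exit status is the count of failed checks, which makes it easy to wire into a configuration test.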
“Is port forwarding dangerous?” Forwarding ports is NOT inherently dangerous in itself and YES, the safety is dependent on the service at the target port. But safety also depends on how good your router's firewall is and how well it is protected, both internally as well as externally.
If you want to access remotely, both SSH and VPN work as well as each other. Neither is more secure than the other when similar levels of encryption are used. But since SSH works at application level, supports only TCP and provides remote access to a single computer only, I would prefer VPN tunnelling, which in fact works at the transport layer, supports both UDP and TCP and allows secure access to multiple resources. A VPN tunnel is NOT the only safe way to achieve remote access, but definitely the preferred way due to the above reasons. Not to mention SSH is really difficult to implement properly in the case of multiple resources, can cause DNS leaks and has to be configured separately for each application.
Is port forwarding dangerous? Port forwarding usually means leaving a gap in your security. This can potentially be dangerous because hackers could also use this to penetrate your network. That’s why most websites won’t recommend that you open ports if you don’t know what you’re doing.