Think of a computer system as a massive apartment complex. Each apartment complex has numerous doors, windows, and mail slots. These are essentially pathways through which people (or in this case, data) can come in or go out. In the computer realm, these "pathways" are called ports.
Just as every apartment has a specific door number, every port has a specific number, too. For example, you'd say, "I live in apartment #303." In the digital world, services on a computer say, "I'm listening on port 22 for SSH" or "I'm listening on port 80 for HTTP."
Now, just as you wouldn't want all your doors and windows open for any stranger to walk in, you also don't want all ports open. Some are reserved for specific tasks like sending emails, others for web browsing, and some for file transfers. By controlling which ports are open and which are closed, you regulate the traffic coming in or going out, just like a security guard at the apartment gate deciding who gets to enter.
It's all about ensuring that the pathways or doors through which data flows are secure and aren't allowing any unwanted guests (malicious entities) inside!
In the online world, some ports were never a good idea to expose to the public. Every port that's exposed is essentially an "open door" or a potential entry point for malicious entities. By narrowing down the exposed ports and restricting who can reach them, you're limiting the doors through which attackers can try to enter.
Let’s take a few common ports as examples:
Port 22 - SSH (Secure Shell)
Why not expose? This is the port used to remotely administer a system. If left open, malicious actors can attempt brute force attacks to gain unauthorized access to your system.
But I need SSH access! Indeed you might! But instead of leaving it open to the entire world, restrict access to only known IP addresses (like your home or office). You could also consider changing the port from the default 22 to something less common to deter automated scans.
Port 23 - Telnet
Why not expose? Unlike SSH, Telnet is NOT encrypted. Anyone who's sniffing the network can read everything you send, including passwords.
The better alternative? If remote access is necessary, use SSH instead.
Port 1433 - Microsoft SQL Server
Why not expose? This is where your database lives, and unless you want every script kiddie trying their latest SQL injection tricks on your database, keep it closed.
How to access it securely? Use a VPN or a dedicated bastion host to access databases, and never expose them directly to the internet.
Port 3389 - RDP (Remote Desktop Protocol)
Why not expose? RDP lets you remotely control Windows machines. Exposing this port can attract attackers looking to exploit various RDP vulnerabilities.
The secure path? If you must use RDP from a remote location, consider setting up a VPN or using AWS’s Session Manager for secure access.
Port 80 - HTTP
Why not expose? While HTTP itself isn't inherently bad, it's not encrypted. This means data sent or received can be intercepted and read by others.
A better choice? Always prefer HTTPS (Port 443) for serving web content, which encrypts the data.
Port 445 - SMB (Server Message Block)
Why not expose? SMB is used for file sharing. Exposing it could not only lead to data theft but also the spread of malware, especially if vulnerabilities are present.
Safe sharing? If you need file sharing, ensure it's only available within a trusted network, never exposed to the entire internet.
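The advice above boils down to two checks on every inbound firewall or security-group rule: is the port one that should never face the whole internet, and if so, is the source limited to known addresses? The following is an added example (not code from the original post) that turns those checks into a small audit script. The rule format, the trusted address list and the sample rule set are all constructed for illustration; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real networks.

```python
"""Audit an inbound allow-rule set against the port advice in the post.

Added example; the Rule/Finding shapes and the sample data are assumptions,
not a real firewall or cloud provider export format.
"""
import ipaddress
from dataclasses import dataclass

# Services the post says should never be reachable from the whole internet.
RESTRICTED_PORTS = {22: "SSH", 1433: "MS SQL Server", 3389: "RDP", 445: "SMB"}
# Cleartext services that have an encrypted replacement.
CLEARTEXT_PORTS = {23: "Telnet is cleartext; use SSH (22) instead",
                   80: "HTTP is cleartext; serve over HTTPS (443) instead"}
# Ports that are expected to be public.
PUBLIC_OK = {443: "HTTPS"}


@dataclass(frozen=True)
class Rule:
    """One inbound TCP allow rule: destination port plus source CIDR."""
    port: int
    source: str


@dataclass(frozen=True)
class Finding:
    port: int
    source: str
    severity: str  # HIGH / MEDIUM / LOW / OK
    note: str


def _is_world(net):
    # 0.0.0.0/0 or ::/0 both have a zero-length prefix.
    return net.prefixlen == 0


def _in_trusted(net, trusted):
    # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
    return any(net.version == t.version and net.subnet_of(t) for t in trusted)


def audit(rules, trusted_cidrs):
    """Return one Finding per rule, classified by how risky the exposure is."""
    trusted = [ipaddress.ip_network(c, strict=False) for c in trusted_cidrs]
    findings = []
    for r in rules:
        net = ipaddress.ip_network(r.source, strict=False)
        if r.port == 23:
            sev, note = "HIGH", CLEARTEXT_PORTS[23]
        elif r.port == 80:
            sev, note = "LOW", CLEARTEXT_PORTS[80]
        elif r.port in RESTRICTED_PORTS:
            svc = RESTRICTED_PORTS[r.port]
            if _is_world(net):
                sev, note = "HIGH", f"{svc} open to the whole internet; restrict to known IPs or use a VPN/bastion"
            elif _in_trusted(net, trusted):
                sev, note = "OK", f"{svc} limited to a trusted range"
            else:
                sev, note = "MEDIUM", f"{svc} allowed from {r.source}, which is not in the trusted list"
        elif r.port in PUBLIC_OK:
            sev, note = "OK", f"{PUBLIC_OK[r.port]} is expected to be public"
        elif _is_world(net):
            sev, note = "MEDIUM", "unexpected port open to the internet; confirm it must be public"
        else:
            sev, note = "OK", "port limited to a specific source"
        findings.append(Finding(r.port, r.source, sev, note))
    return findings


def summary(findings):
    """Count findings per severity, e.g. {'HIGH': 4, 'MEDIUM': 2, ...}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample: a typical "everything open" security group plus a few
# rules that follow the post's advice. 203.0.113.0/24 plays the office range.
TRUSTED_CIDRS = ["203.0.113.0/24"]
SAMPLE_RULES = [
    Rule(22, "0.0.0.0/0"),         # SSH to the world
    Rule(22, "203.0.113.5/32"),    # SSH from one office address
    Rule(23, "10.0.0.0/8"),        # Telnet, even internally
    Rule(1433, "198.51.100.0/24"), # SQL Server from an unknown range
    Rule(3389, "0.0.0.0/0"),       # RDP to the world
    Rule(80, "0.0.0.0/0"),         # plain HTTP
    Rule(443, "0.0.0.0/0"),        # HTTPS, expected
    Rule(445, "::/0"),             # SMB to the whole IPv6 internet
    Rule(8080, "0.0.0.0/0"),       # something else, needs a justification
]


def run_sample():
    return audit(SAMPLE_RULES, TRUSTED_CIDRS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.severity:6} port {f.port:<5} from {f.source:18} {f.note}")
    print(summary(run_sample()))
```

Run it as-is to see the sample report; to audit a real rule set, build the `Rule` list from your own firewall or security-group export and put your office, home or VPN egress ranges in `TRUSTED_CIDRS`. Anything rated HIGH is a door the post says should be closed or moved behind a VPN or bastion; MEDIUM means the source needs to be justified or added to the trusted list.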