Is port-forwarding safe?

KhakiHat

(I'm not very quick at responding but I appreciate any insight, gotta work ya know)

*I'm under the assumption it isn't by default at the very least*

For some friends and myself, I port-forwarded a few ports so that I could host a few Minecraft servers.

Outside of the general reserved ports, are there any other major security concerns I should be worrying about while just having ports somewhat open for a Minecraft server of all things?

I noticed in my router logs that there have been numerous port scans on my IP, but again assuming, I would guess that happens to everyone's IP at purely random moments regardless of a port being forwarded.

Any huge security concerns I should consider? And if so, ways of maybe not eliminating the security concerns but reducing them? (All while keeping the Minecraft server up?)


Thanks in advance 😄


7 minutes ago, KhakiHat said:

(I'm not very quick at responding but I appreciate any insight, gotta work ya know)

*I'm under the assumption it isn't by default at the very least*

For some friends and myself, I port-forwarded a few ports so that I could host a few Minecraft servers.

Outside of the general reserved ports, are there any other major security concerns I should be worrying about while just having ports somewhat open for a Minecraft server of all things?

I noticed in my router logs that there have been numerous port scans on my IP, but again assuming, I would guess that happens to everyone's IP at purely random moments regardless of a port being forwarded.

Any huge security concerns I should consider? And if so, ways of maybe not eliminating the security concerns but reducing them? (All while keeping the Minecraft server up?)


Thanks in advance 😄

If you're worried, you can take every computer using that router/network and block the ports you've forwarded, including on the host server, excluding specifically the Minecraft applications.

Otherwise, if I remember correctly, the Minecraft server ports are 'relatively' safe. The above is the 'right' answer if you're worried. It just involves creating Windows Firewall allow+deny policies.

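The allow-plus-deny idea from the reply above, sketched in PowerShell as an added example that is not part of the thread. It assumes the forwarded port is 25565 (the Minecraft Java Edition default) and uses a placeholder path for the Java binary. Windows Defender Firewall applies block rules ahead of allow rules, so the host gets only a program-scoped allow rule and relies on the default inbound block, while the other PCs get the block rule.

```powershell
# Added example: run in an elevated PowerShell session.
# Assumptions (not from the thread): 25565 is the forwarded port and
# $JavaPath is a placeholder for the JVM that runs the server.
param(
    [ValidateSet('Host', 'OtherPC')]
    [string]$Role = 'OtherPC',
    [int]$Port = 25565,
    [string]$JavaPath = 'C:\Path\To\java.exe'   # placeholder, set to the real path
)

$RuleName = "Minecraft-Forwarded-$Port"

# Remove earlier copies so re-running does not stack duplicate rules.
Get-NetFirewallRule -DisplayName "$RuleName*" -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

if ($Role -eq 'Host') {
    # The allow rule below only narrows exposure if unsolicited inbound
    # traffic is otherwise dropped, so warn when a profile defaults to Allow.
    Get-NetFirewallProfile |
        Where-Object { $_.DefaultInboundAction -eq 'Allow' } |
        ForEach-Object { Write-Warning "Profile $($_.Name) allows inbound by default" }

    # Accept the forwarded port only when the listener is the server's JVM.
    New-NetFirewallRule -DisplayName "$RuleName-Allow" -Direction Inbound `
        -Action Allow -Protocol TCP -LocalPort $Port -Program $JavaPath `
        -Profile Any | Out-Null
}
else {
    # Every other machine: nothing should answer on the forwarded port,
    # even if the router rule is later pointed at the wrong address.
    New-NetFirewallRule -DisplayName "$RuleName-Block" -Direction Inbound `
        -Action Block -Protocol TCP -LocalPort $Port -Profile Any | Out-Null
}

# List enabled inbound rules that name this port explicitly, including ones
# created by other software, so a stray allow rule is easy to spot.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains "$Port" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
    Select-Object DisplayName, Action, Profile
```

The final listing does not show rules whose port is `Any`, such as the broad per-program rule Windows creates when "Allow access" is clicked on a first-run prompt; review those separately for the Java binary.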

It's probably advisable to configure a DMZ for the machines running the Minecraft servers so it's a separate network and your normal local network can stay behind the firewall without open ports.

I'm sure there are people here who can give better advice on the matter.

Sadly, port forwarding can be an attack vector for potential bad actors if it's not configured properly afaik.
https://superuser.com/questions/561140/how-safe-is-port-forwarding-in-general


17 minutes ago, Assimov said:

It's probably advisable to configure a DMZ for the machines running the Minecraft servers so it's a separate network and your normal local network can stay behind the firewall without open ports.

I'm sure there are people here who can give better advice on the matter.

Sadly, port forwarding can be an attack vector for potential bad actors if it's not configured properly afaik.
https://superuser.com/questions/561140/how-safe-is-port-forwarding-in-general

I'll give that a read.


If you know what you're doing it can be.


2 hours ago, Assimov said:

It's probably advisable to configure a DMZ for the machines running the Minecraft servers so it's a separate network and your normal local network can stay behind the firewall without open ports.

While that is the best way to secure your LAN in case your server gets compromised, it's not really practical unless you're ONLY using that PC for the server and will never put it back on your main network again. Otherwise if it is compromised, then the second you put it back on the main network it won't matter if the ports are now blocked.

Generally, unless there is a known exploit for Minecraft, it's as safe as it can be given you're allowing remote connections into a PC. You're always at the mercy of how secure the code of the server is. That said, I've had an open Apache server on my LAN forever.

One way I minimise the problem is by having pfSense for my router and region blocking connections on my port forwards, as most hack attempts come from countries I would never need a remote connection from.


Asking if port forwarding is safe is akin to asking if driving a car is safe. It can be safe, but it could also be dangerous.

Every port that you open to the public becomes a potential attack vector. Minecraft is generally considered to be very safe, but if a 0 day exploit exists for it, you are at risk.

When you open a port to the public it is advisable to have some further security isolating the exposed device from the rest of your network to prevent potential attackers from being able to move laterally inside your network and potentially harm your valuable systems. DMZ (Demilitarized zone) provides some of this security, and should be sufficient to keep you safe.

All of this being said, the most likely ways that attackers get into private networks are, in no particular order:

1. Phishing - Usually via email, attackers get you to open a malicious file (see recent LTT videos)

2. Security flaw in router firmware - Most consumer brand routers rarely, if ever, see any updates.

3. Malicious insider - This could be a disgruntled employee, or an AZTEC kid in your house trying to get his fix on whatever the latest incarnation of LimeWire is.

4. Pirate software / media - Many sites that host pirate warez are hotbeds for malicious payloads.

In all, it is not too hard to stay safe. If you want to be very secure, many home routers now support WireGuard, so you can set up a site-to-site VPN for you and your buddies, thereby avoiding port-forwarding altogether.
