If you are trying to access several different services through the internet to your home network, you are better off setting up a home VPN than trying to manage multiple public facing services. The more you publish directly to the public, the more difficult it is to keep up with everything; It is likely needlessly expanding your threat exposure. Plus you never know when a new exploit gets published against any of the services you have available.

It's not so much about the ports, its about what you're running that's accessible to the public.

If you have a single website on 443 and SSH on 22 (or a non-standard port like 6543) you're generally considered safe. This is 2 services and someone would need to attack one of the two to get in.

If you have a VPN on 4567 and everything behind the VPN then someone would need to hack the VPN to get in.

If you have 100 different things behind 443 then someone just needs to find a hole in one to get in.

Generally ssh, nginx, a VPN are all safe and they should be on their own ports.

With SSH it is easier to do key authentication. Certificate authentication is supported but it is a little more hassle. Don't use password authentication as it is deprecated and not secure.

The key with SSH (openssh specifically) is that it is heavily audited so it is unlikely to have any issues. The problem is when you start exposing self hosted services with lots of attack surface. You need to be very careful when exposing services as web services are very hard to secure and can be the source of a compromise that you may or may not be aware of.

It is much safer to use a overlay VPN or some other frontend for authentication like mTLS or an authenticated reverse proxy.

If you can disable IPv4 on sshd then it really isn't an issue. I know, security through obscurity isn't robust, but when I had sshd with IPv4 enabled, I was getting around 6 - 10 failed login attempts a minute. People iterate through all the IPv4 addresses since there are only 4,294,967,296 possible addresses. There are 340,282,366,920,938,463,463,374,607,431,768,211,456 possible IPv6 addresses, so the chance of someone randomly stumbling upon your address is fucking astronomically tiny. When I disabled IPv4 a couple years ago I've had exactly zero failed logins that weren't me being a sloppy typist.

Less danger than OPsec nerds hype up but enough of a concern you want at least a reverse proxy. The new FOSS replacement for cloudflare on the block is Anubis https://github.com/TecharoHQ/anubis, while Im not the biggest fan of seeing chibi anime funkopop girl thing wag its finger at me for a second or two as it test connection, I cannot deny the results seem effective enough that all the cool kids on the FOSS circle all are switching to it over cloudflare.

I just learned how to get my first website and domain and stuff setup locally this summer so theres some network admin stuff im still figuring out. I don't have any complex scripting or php or whatever so all the bots that try scanning for admin pages are never going to hit anything it just pollutes the logs. People are all nuts about scraping bots in current year but when I was a kid allowing your sites to be indexed and crawled was what let people discover it through engines, I don't care if botnets scan through my permissively licensed public writing.

Get a WAF. Sophos firewall is free if you want to diy. If not, use cloudflare.

Opening ports, logging, monitoring, nailing up allow listed IP addresses and dicking around with fail2ban is such a timesuck. None of that crap will stop something from exploiting a vulnerability.

Some things are worth farming out to a 3rd party. Plus, you can just point your DNS entry over and be mostly done. No more dynamic IP bs.

Move the port to a high port. Install fail2ban and set it to ban quickly. The downside of that is if you fat finger your login more than a couple of times it might ban you. I have whitelist on mine of the IP addresses I know I will be logging in from. I also run TCP wrappers which far too many people screech about it being depreciated. it works and also if set up properly logs all login attempts. I get about three or four a month on my random high port. Of course most of this depends on you trying to gain access from known addresses or subnet.

I only have the ssh login as a backup. I run wireguard with the ports set to something other than the default port. It allows me to gain access to my home network quickly. While its always possible there might be some bug that would allow someone to access it in the future it works as well as any other solution.

you can reverse proxy other ports than 443 and ex. upstream ssh, the advantage of having reverse proxy over everything is to have traffic in one place so you can manage it, that's why for example kubernetes have ingress server, example nginx / openresty upstream ssh, you can restrict traffic to limited amount of IP etc.

stream {
    upstream ssh {
        server          127.0.0.1:22;
    }

    server {
        listen          2222;
        ssl_preread     on;
        proxy_pass      ssh;
    }
}

Presuming you have not limited edge port 22 to one or two IPS and that you are not translating a high port to 22 internal, the danger is that you are allowing the entire internet to hammer away at your ssh. If you have this described setup, you will most definitely see the evidence of attempts to break in in your SSH endpoint and firewall logs.

Zero days for SSH do exist, so it's just a matter of time before you're compromised if you leave this open.

Not a sysadmin, just a casual IT.

If it is open, it is going to get hit by scanners, scrapers, everything and the sun, even if it is secure. Generally, 443 for your websites via reverse proxy with an IP whitelist + password is okay. Not special, lets you add subdomains, very convenient.

Now, there isn't anything special about any given port, but you still need to have some form of access control that you need to set up. If it is an API have some sort of API key in place. Implement 2FA. Try to isolate the service from the machine. Isolate the machine from bare metal. Keep the bare metal machine isolated from your home network. Take up farming. Change the default port and add some form of access alerts/logs. Have some sort of fail2ban service in place because you will be firehosed with scripts and bad traffic.

Maybe some of the stuff I recommend is paranoid overkill, but I don't know enough to cut corners. Security is a hassle, a breach is a nightmare.

Imagine opening all the windows in your flat. Then leaving them open for a month. What would happen? How many insects would make their new home in your home? How many critters and cats would do the same?

Now, each window is a port. Your flat is your network. Each critter or cat is a bad actor. Each insect is a bot or virus.