10
Stoner
6y

Every time I see a client open ssh or rdp to the world when the servers sit behind a vpn, I die a little inside.

Comments
  • 0
    As a non network person, I'm unable to understand this. Could you please explain?
  • 2
    @tacticalKimchi
    You build a bunker inside a mountain with hidden tunnels leading in. These are your primary entrance, and are pretty secure.

    The client wanders in and thinks all of this is too much work, so they install a typical front door with a lighted house number beside it for all the world to see. Would-be burglars begin picking the lock almost immediately. You hope the client used a high quality lock. (They did not.)
  • 1
    @Root Aah! Correct me if I'm wrong:

    1. Since the server is behind a vpn so secure access is through the vpn itself (mountain with secret entrances)

    2. Client exposes the default ports pertaining to ssh/rdp. (The typical front door.)

    3. How does the rest of the world see this? Does exposing the ports make the server advertise it's open for receiving connections? Port scans?

    4. Client is not using a proper password /sha auth mechanism to secure the ssh/rdp, so the outside world can begin their possible bruteforce / guess attacks.
  • 2
    @tacticalKimchi
    Yep! 😊

    Well-configured server (mountain bunker) that you connect to via VPN (secure tunnels).

    Client exposes typical connection services like ssh, rdp to the outside world (typical front door) on default ports and/or without port knocking (lighted house number), allowing automated attackers to see the port if they portscan/etc. You hope the client used a strong password, but they didn't (cheap lock) because they're a client, thus making brute force / dictionary attacks (lock picking) possible -- and almost guaranteed. Because attacks are predominantly automated, this begins almost immediately.

    That mountain bunker is now as difficult to breach as a typical house.

    Your best bet in such a scenario is installing fail2ban, etc. (automated defenses) if you can't remove the exposed services outright (e.g. seal entrances with concrete). Installing monitoring software (intrusion alarms) is a good idea, too.
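As an added example (not part of the thread, and not fail2ban's own code), here is the core counting logic behind the fail2ban-style defense the last comment recommends: it parses sshd "Failed password" lines, groups attempts by source address, and reports which addresses hit a maxretry threshold inside a findtime window. The log lines, host name, addresses and threshold values are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth-log sample (syslog format, no year); not real data.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 bastion sshd[2201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 10:00:03 bastion sshd[2201]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  3 10:00:04 bastion sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  3 10:00:05 bastion sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51241 ssh2
Mar  3 10:00:06 bastion sshd[2204]: Failed password for invalid user oracle from 203.0.113.7 port 51244 ssh2
Mar  3 10:00:09 bastion sshd[2210]: Accepted publickey for alice from 198.51.100.4 port 40022 ssh2
Mar  3 10:12:00 bastion sshd[2300]: Failed password for alice from 198.51.100.4 port 40030 ssh2
Mar  3 10:12:30 bastion sshd[2301]: Accepted password for alice from 198.51.100.4 port 40031 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2024):
    """Yield (timestamp, source_ip, username) for each failed-password line.
    Syslog lines carry no year, so one is supplied (assumed value)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            stamp = " ".join(m["ts"].split())  # collapse the padded day field
            ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def ips_to_ban(log_text, maxretry=5, findtime=600):
    """Return the set of source IPs with at least `maxretry` failures inside any
    `findtime`-second window (the same two knobs fail2ban jails use)."""
    by_ip = defaultdict(list)
    for ts, ip, _ in parse_failures(log_text):
        by_ip[ip].append(ts)
    banned = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                banned.add(ip)
                break
    return banned
```

A single failed login from a legitimate user stays below the threshold, while the scripted run against root/admin/oracle trips it within seconds, which is exactly the automated traffic the thread describes.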