Some services run really good behind a reverse proxy on 443, but some others can really become an hassle… And sometimes just opening other ports would be easier than to try configuring everything to work through 443.
An example that comes to my mind is SSH, yeah you can use SSLH to forward requests coming from 443 to 22, but it’s so much easier to just leave 22 open…
Now, for SSH, if you have certificate authentication or a strong password, I think you can feel quite safe, but what about other random ports? What risks I’m exposing my server to if I open some of them when needed for a service? Is the effort of trying to pass everything through 443/80 worth it?
Exposing SSH is not recommended, it’s a hot attack target. Expose a VPN and use that to SSH in.
Or use port-knocking for SSH.
While this helps getting volume down it just adds a layer of obscurity and the service behind should still be treated and maintained as if it was fully public-facing.
I think people get too defensive about security by obscurity not being security. It’s still better for things to be obscure, it’s just not sufficient. A hidden lock to open a door is marginally better than a lock on the door. A hidden button to open a door isn’t secure though, of course.
But at the same time, I fully understand why it’s stressed so much. People tend to make analogies in their mind to the physical world. The digital world is so different though. An example I use often is you can’t jiggle every doorknob in the world to see if it’s unlocked, but it’s (relatively) easy to check every IPv4 address for an open port to some database with default credentials.
Security through obscurity is hammered into newbies as being bad because it’s often a “quicker and easier” solution and we don’t want anyone thinking they could just do that and be done with it.
You have to learn the proper way to do it; obscurity only buys you time. Maybe.