This should be normally turned off by default I believe, but that is definitely one of those that can be easily missed.
I run numerous services from my domain, so I have port forwarding on for a lot of ports. If you have something answering on the other end, it’s not so bad, but if you just have ports wide open with nothing there, it’s an avenue into your network.
Unfortunately mine was a SQL port which was used to attempt a back door brute force attack on a voice server, but I use 160 - 220 bit randomly-generated passwords saved to a key database on an encrypted thumb drive, so the chances of them actually doing any damage was pretty small; and I caught the attempt through DDoS logging on my router.