I run numerous services from my domain, so I have port forwarding on for a lot of ports. If you have something answering on the other end, it’s not so bad, but if you just have ports wide open with nothing there, it’s an avenue into your network.
Unfortunately mine was a SQL port which was used to attempt a back door brute force attack on a voice server, but I use 160-220-bit randomly-generated passwords saved to a key database on an encrypted thumb drive, so the chances of them actually doing any damage were pretty small; and I caught the attempt through DDoS logging on my router.
You got that some’bitch locked up nice and tight. I run a web server on an obscure port for testing purposes, but pretty much everything else is plugged up like a public toilet.
Good discipline on the password complexity but there are numerous ways to hack databases without a password. MySQL just announced a bug where it allowed access 1 out of every 256 attempts without verifying the password.
Failure to patch databases is the most common reason.
My suggestion is to never allow your database server to be connected directly to the internet even with a firewall.
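The defect class that produces an acceptance rate like "1 in 256", as an added C example (illustrative code, not MySQL's own): a comparison routine returns an int, the caller stores it in a one-byte type, and every result that is a multiple of 256 collapses to 0 and reads as "match". The `wide_cmp` routine and the 20-byte buffers are constructed for the demonstration; the fix is a constant-time byte-wise comparison whose result can only ever be 0 or 1.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HASH_LEN 20  /* constructed: size of a SHA-1 style scramble */

/* Constructed stand-in for an optimised comparison routine: returns the
 * difference of the first mismatching 32-bit word. As with memcmp, only
 * zero vs. non-zero is meaningful; the magnitude can far exceed one byte. */
static int wide_cmp(const uint8_t *a, const uint8_t *b, size_t n)
{
    for (size_t i = 0; i + 4 <= n; i += 4) {
        uint32_t wa, wb;
        memcpy(&wa, a + i, 4);
        memcpy(&wb, b + i, 4);
        if (wa != wb)
            return (int)(wa - wb);   /* e.g. -256, 65536, ... */
    }
    return 0;
}

/* Vulnerable pattern: the int result is squeezed into a one-byte variable.
 * Any multiple of 256 becomes 0, which the caller treats as "hashes match". */
static int truncated_equal(const uint8_t *expected, const uint8_t *provided)
{
    unsigned char rc = (unsigned char)wide_cmp(expected, provided, HASH_LEN);
    return rc == 0;
}

/* Hardened pattern: OR together every byte difference. The result is exactly
 * 0 or 1, the loop always runs to the end (constant time), and nothing is
 * truncated. */
static int constant_time_equal(const uint8_t *expected, const uint8_t *provided)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < HASH_LEN; i++)
        diff |= expected[i] ^ provided[i];
    return diff == 0;
}

/* Constructed demo: provided differs from expected only in byte 1, by one.
 * Read as a 32-bit word that is a difference of 256 (or 65536 on big-endian),
 * both multiples of 256: the truncated check accepts, the safe check rejects. */
static int demo_false_accept(void)
{
    uint8_t expected[HASH_LEN] = {0};
    uint8_t provided[HASH_LEN] = {0};
    provided[1] = 1;
    return truncated_equal(expected, provided) && !constant_time_equal(expected, provided);
}
```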
Most people won't have the skills, the patience or the money to do this, but the purchase of one of the smaller wireless SonicWALLs like the TZ100W with the full security suite will present more of a challenge than most casual or semi-casual hackers and script kiddies can muster.
SonicWALL treats the wireless side as an entirely different subnet, and you must set up explicit firewall rules to allow your WLAN users access. And that’s in addition to using ACLs to allow/deny users.
SonicWALL devices are also good at detecting IP spoofing and other threats. Not cheap, but easily worth the $600 - $800 you’ll spend. www.sonicguard.com is a good resource.