Yes but most bots are scanning for common ports. It’s far too slow to scan 65k ports on every host. Even things like shodan only scan a handful of common ports. But you can test this yourself, expose SSH on a port number in 20-40ks, I’ve seen several weeks without a single probe.
If you’ve ever done mass scanning you know that’s minutes is not going to to be a full scan and if you are trying to do 65k ports in a few minutes, your results will not be accurate.
Just waiting for everyone to come in saying you shouldn’t do this lol. Yes, changing the port is a nice little bonus. It doesn’t any extra security, but it moves you out of the way from the automated bots that scan the internet trying recent 0days. You’ll probably see a reduction of 99% traffic hitting the service and the only logs will be real people.
Not really, you can use DNS to point YouTube.com to an iP you control, but the problem is that you will get TLS issues. It won’t redirect the hostname, but just the IP address. You could use a custom CA and sign YouTube.com certificates, but you will likely still have problems if you use Chrome because they will be pinning certificates for Google services, and your mobile applications will also pin the certs so your mobile YouTube will stop working completely.
Stick your services in a DMZ. It’s easy to setup with PFSense. Don’t allow traffic from your service to anywhere that it shouldn’t go. If your API contains any vulnerabilities, they could be abused to pivot into the internal network. Now, it’s not likely, but it’s certainly possible. Especially if those APIs are from someone open source project or something, if a vuln gets discovered it’s likely to be targeted en-mass.
If you run an exit node, while it is legal, you will likely have to do deal with the police knocking at the door from time to time.
Honestly, all applications are vulnerable AF, especially the open source projects without a major team behind them. I work in a security research team and we find critical bugs like this in a weekly basis. Even in major projects which you would be scared to know about. I personally wouldn’t expose anything except SSH or a VPN, or if I have to expose a web app, it’s going inside a VLAN with very restrictive firewall rules, proper logging, and a reverse proxy enforcing authentication via an OIDC based IDP.
We generally spend a couple of days to a week before finding something critical allowing RCE.