
The idea is the following:

I have a port open (P) on a remote machine (R) with a service application running which is listening on (P). I would like to connect from a client machine to the service application on the remote machine.

Possibility 1:

I leave the port open so I can connect directly from my client via the ip and the port to the service application on the remote machine.

Possibility 2:

I restrict the service application via firewall to localhost and forward (P) with an ssh tunnel to my client machine.

My own conclusion:

If I open the port of the service application across the internet, then I have to trust that it cannot be exploited for remote code execution on (R).

If I use an ssh tunnel, then I only have to trust that the listening ssh port cannot be exploited. The number of open ports is reduced and hence the attack surface (from my point of view). I would still be vulnerable if my client machine was compromised, but I'm accepting that risk anyway when using ssh.

Question:

So my question is, is my conclusion correct? Is it more secure to use an ssh tunnel and forward a port instead of exposing that port directly?

Max1
  • What you're doing here is using SSH for authentication, and for encrypting traffic. If your application handles both these things properly, you are only adding layers that an attacker would need to bypass, which is good. In addition, you're hiding what you're running, which would be useful to prevent automated scanners and such from flagging you as a target if that service has a well known vulnerability. I'd hide behind ssh. – Pheric Dec 18 '19 at 09:55
  • If you care to write this as an answer, I'd see this as an acceptable answer. – Max1 Dec 18 '19 at 12:25

1 Answer


Many service applications can be configured to bind only on localhost, i.e. they then listen on a port on the 127.0.0.1 loopback address. That port is simply not accessible from other networks (whether you run a firewall or not).

An ssh tunnel allows a connection provided several conditions are met, and you can configure these to your liking:

  • Firewall rules, for example allowed source addresses
  • Authentication, key exchange, and other crypto algorithms
  • PKI security (authorized_keys, signed keys, host keys)
  • Allowed ssh users or groups
bbaassssiiee
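The loopback-binding check the answer describes, as an added example that is not part of the original answer: a POSIX sh script that reads `ss -ltn`-style listener lines (a constructed sample is embedded, not a real capture) and reports which sockets are reachable from other hosts; `only_ssh_exposed` succeeds only when the ssh port is the sole non-loopback listener, which is the state the tunnel setup in the question aims for.

```shell
#!/bin/sh
# Added example (not from the original post). Decide, from `ss -ltn`-style
# output, which listeners are reachable from off-host, i.e. not bound to the
# loopback address. Only those sockets count towards the exposed surface.

# Constructed sample in the shape of `ss -ltn` output (not a real capture).
SAMPLE_LISTENERS='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::1]:8080 [::]:*
LISTEN 0 128 *:3306 *:*'

# exposed_listeners INPUT
# Prints the local addr:port of every LISTEN socket not bound to loopback.
exposed_listeners() {
  printf '%s\n' "$1" | awk '
    $1 == "LISTEN" {
      addr = $4
      # 127.0.0.0/8, IPv6 ::1 and the name localhost are unreachable from other
      # hosts; everything else (0.0.0.0, *, [::], a real address) is reachable.
      if (addr ~ /^127\./ || addr ~ /^\[::1\]:/ || addr ~ /^localhost:/) next
      print addr
    }'
}

# only_ssh_exposed INPUT SSH_PORT
# Exit 0 when the ssh port is the only non-loopback listener, else exit 1.
only_ssh_exposed() {
  exposed_listeners "$1" | awk -v p="$2" '
    { n = split($0, a, ":"); if (a[n] != p) bad = 1 }
    END { exit bad ? 1 : 0 }'
}

# Client side, once the service on R binds to 127.0.0.1:5432 (hypothetical
# port; user@R is a placeholder): reach it through ssh instead of a
# published port, with -N because no remote shell is needed.
#   ssh -N -L 5432:127.0.0.1:5432 user@R
```

Run `only_ssh_exposed "$(ss -ltn)" 22` on the remote host after restricting the service; a non-zero exit lists nothing, so call `exposed_listeners` to see which sockets still need to be moved behind the tunnel.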