If a server only opens port 22 and 80, do we only have those two ways to hack it?

Not really. I'd say it depends on your threat model. There might be other threats that don't need to use those ports in order to compromise your server. The first example that I can think of right now is a supply-chain attack. When you update any software on your server, if the updated software has been compromised by a supply-chain attack, your server will get infected. Or if you install example-program by mistake instead of example_program (note the hyphen instead of the underscore), and example-program was malicious and had been given that name on purpose to confuse you, then your server will be compromised. I think something like this happened recently... oh, yesterday (Bitcoin stealing apps in Ruby repository). Other examples? Maybe some MITM in the outgoing connections from your server. Then let's not forget about phishing, or anything involving social engineering.

So to be precise, if you asked me "in general, can I only be hacked by a remote threat through open ports?", my answer would be no. Whether some threats are likely or not though, depends on your threat model, which in turn depends on what your server does, how you are managing it, who you are, etc.


No.

There are multiple things which can be attacked on a target computer, and a serving application (httpd or sshd for example) is just one of those things.

Remember, there is an entire network stack between the physical network port on the network card and the application handling the actual traffic (i.e. sshd). This stack includes things like kernel functionality such as firewalls, network drivers, etc., all of which can be attacked separately from the handling application.

See the number of Linux kernel remote execution vulnerabilities highlighted here which require no handling application to exploit, and instead allow an attacker to execute code just by crafting a bad network packet.

Of course, it's easier to attack the application rather than the kernel, because the kernel tends to be much more heavily inspected.


An attempt to list some ways to hack into a server without using http or ssh:

  1. Using a vulnerability in Management Engine
  2. Using a bug in a network board firmware or driver
  3. Using something not very secure in the virtualization platform, having legitimate access to (or hacking into) a neighbouring virtual machine
  4. Exploiting some bug in the IP or TCP driver in the OS
  5. Making use of some network interaction where your server acts as a client (DNS queries, automatic updates, database access), spoofing or hacking into the legitimate server of these services.

Example for 4: Long ago, there was a ping of death attack exploiting a bug in the IP layer driver, no open port needed at all.
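
An added example, not part of any of the answers above: a small audit script that separates listening ports from the connections the server itself initiates as a client (DNS, updates), the exposure several answers point to. The socket table is constructed sample data in the Linux `/proc/net/tcp` format; IPv4 only, and a little-endian host is assumed.

```python
import socket

# Constructed sample in the format of Linux /proc/net/tcp (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002
   2: 0A0200C0:0016 076433C6:C350 01 00000000:00000000 00:00000000 00000000     0        0 1003
   3: 0A0200C0:A8D2 357100CB:0035 01 00000000:00000000 00:00000000 00000000   101        0 1004
   4: 0A0200C0:B1E4 507100CB:01BB 01 00000000:00000000 00:00000000 00000000     0        0 1005
"""

LISTEN, ESTABLISHED = 0x0A, 0x01  # TCP state codes used by the kernel


def decode_endpoint(field):
    """Turn 'HEXIP:HEXPORT' into (dotted_ip, port); assumes a little-endian host."""
    hex_ip, hex_port = field.split(":")
    ip = socket.inet_ntoa(bytes.fromhex(hex_ip)[::-1])
    return ip, int(hex_port, 16)


def parse_proc_net_tcp(text):
    """Yield (local, remote, state) for each IPv4 TCP socket row."""
    for line in text.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 4:
            continue                             # tolerate blank or truncated rows
        yield decode_endpoint(cols[1]), decode_endpoint(cols[2]), int(cols[3], 16)


def classify(text):
    """Split sockets into listening ports, inbound sessions and outbound sessions."""
    rows = list(parse_proc_net_tcp(text))
    listening = {local[1] for local, _, state in rows if state == LISTEN}
    inbound, outbound = [], []
    for local, remote, state in rows:
        if state != ESTABLISHED:
            continue
        # Heuristic: a session on a listening port was accepted by a service;
        # anything else was initiated by this host acting as a client.
        (inbound if local[1] in listening else outbound).append(remote)
    return listening, inbound, outbound


if __name__ == "__main__":
    listening, inbound, outbound = classify(SAMPLE)
    print("listening ports:", sorted(listening))
    print("inbound peers:  ", inbound)
    print("outbound peers: ", outbound)
```

On a real host, pass the contents of `/proc/net/tcp` to `classify`; the outbound peers are the services whose integrity the server depends on even though no port is open for them.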