ok, I've been told it's not secure to just open ports willy nilly, and instead to set up NAT. I'm in the configuration of the server and it seems there are already 3 subnets created, and an internet gateway "attached".
route table (has two destinations):
  destination: (private IP)
  target: local
  propagated: no
  status: active

  destination: 0.0.0.0/0
  target: (internet gateway link)
  propagated: no
  status: active

info from subnet:
Inbound:
  Rule #: 100
  Type: ALL Traffic
  Protocol: ALL
  Port Range / ICMP Type: ALL
  Source: 0.0.0.0/0
  Allow / Deny: ALLOW
Outbound:
  Rule #: 100
  Type: ALL Traffic
  Protocol: ALL
  Port Range / ICMP Type: ALL
  Destination: 0.0.0.0/0
  Allow / Deny: ALLOW

The above settings are the same for all three subnets.
No "elastic IP" set and no "peering connection" set.
Is there anything there that needs to be changed for the server to be properly secure, or is it still not right because the ports are open to all traffic through the subnets?
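As far as the pasted configuration shows, this is the stock VPC layout: a public subnet (0.0.0.0/0 routed to the internet gateway) whose network ACL allows everything in and out. The ACL is stateless and is evaluated first-match by rule number, which is why a narrowed ACL needs an explicit rule for return traffic on ephemeral ports, and why the instance's security group (not shown in the post) remains the stateful per-instance filter that actually decides which listening ports are reachable. The following Python model is an added illustration, not part of this thread or of any AWS tooling: it reads the posted rules as data, flags allow-all rules, and evaluates sample packets against the posted ACL and against a hypothetical tighter one. The CIDRs, the igw id, the admin range and the hardened rule set are constructed assumptions; port 7890 is the NEM port mentioned later in the thread.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    destination: str  # CIDR, e.g. "0.0.0.0/0"
    target: str       # "local" or a gateway id


@dataclass
class AclRule:
    number: int       # rules are evaluated in ascending order, first match wins
    direction: str    # "inbound" or "outbound"
    protocol: str     # "ALL", "tcp", "udp", ...
    port_range: str   # "ALL", a single port "22", or a range "1024-65535"
    cidr: str         # source (inbound) or destination (outbound) CIDR
    action: str       # "ALLOW" or "DENY"


# Constructed sample mirroring the layout pasted in the post (not live AWS data).
# The private range and the igw id are placeholders.
SAMPLE_ROUTES = [Route("10.0.0.0/16", "local"), Route("0.0.0.0/0", "igw-EXAMPLE")]
SAMPLE_ACL = [
    AclRule(100, "inbound", "ALL", "ALL", "0.0.0.0/0", "ALLOW"),
    AclRule(100, "outbound", "ALL", "ALL", "0.0.0.0/0", "ALLOW"),
]

# Hypothetical narrower ACL (an assumption, not a recommendation from the thread):
# SSH only from an admin range, the NEM port from anywhere, plus the ephemeral
# range so replies to outbound connections get back in (the ACL is stateless).
ADMIN_CIDR = "203.0.113.0/24"  # placeholder: the administrator's real source range
HARDENED_ACL = [
    AclRule(100, "inbound", "tcp", "22", ADMIN_CIDR, "ALLOW"),
    AclRule(110, "inbound", "tcp", "7890", "0.0.0.0/0", "ALLOW"),
    AclRule(120, "inbound", "tcp", "1024-65535", "0.0.0.0/0", "ALLOW"),
    AclRule(100, "outbound", "ALL", "ALL", "0.0.0.0/0", "ALLOW"),
]


def is_public_subnet(routes):
    """A subnet is public when its default route points at an internet gateway."""
    return any(r.destination == "0.0.0.0/0" and r.target.startswith("igw-") for r in routes)


def wide_open_rules(rules):
    """List (direction, number) of rules that allow every protocol and port from/to anywhere."""
    return [
        (r.direction, r.number)
        for r in rules
        if r.action == "ALLOW"
        and r.protocol == "ALL"
        and r.port_range == "ALL"
        and ipaddress.ip_network(r.cidr).prefixlen == 0
    ]


def port_matches(port_range, port):
    if port_range == "ALL":
        return True
    lo, _, hi = port_range.partition("-")
    lo = int(lo)
    hi = int(hi) if hi else lo
    return lo <= port <= hi


def decide(rules, direction, protocol, port, address):
    """Evaluate a packet the way a network ACL does: lowest matching rule number
    wins; if nothing matches, the implicit final rule denies."""
    ip = ipaddress.ip_address(address)
    candidates = sorted((r for r in rules if r.direction == direction), key=lambda r: r.number)
    for r in candidates:
        if r.protocol not in ("ALL", protocol):
            continue
        if not port_matches(r.port_range, port):
            continue
        if ip not in ipaddress.ip_network(r.cidr):
            continue
        return r.action
    return "DENY"


if __name__ == "__main__":
    print("public subnet:", is_public_subnet(SAMPLE_ROUTES))
    print("allow-all rules in posted ACL:", wide_open_rules(SAMPLE_ACL))
    for name, acl in (("posted", SAMPLE_ACL), ("hardened", HARDENED_ACL)):
        for port, src in ((22, "198.51.100.7"), (22, "203.0.113.9"), (445, "198.51.100.7"), (7890, "198.51.100.7")):
            print(f"{name}: tcp/{port} from {src} -> {decide(acl, 'inbound', 'tcp', port, src)}")
```

Note that the ephemeral-range rule still lets unsolicited traffic to any high port reach the subnet; that gap is exactly what the stateful security group on the instance is meant to close, so the ACL alone is not the place to get a precise per-port policy.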
I have no idea why you would bother with NAT in the first place.
All that NAT is afaik good for is "translating" local addresses into ones that are routed on the internet. So your local computers will all have IPs like 10.0.0.1 or 192.168.0.1, but they will appear on the Internet as whatever address you got from your ISP, thanks to NAT.
So from previous experience with your setup you're already using NAT.
Opening ports willy nilly isn't a good idea, but that isn't what you - or anyone really - are doing. Ports are opened when a program uses them. So for example NEM will open port 7890. That doesn't mean that that port can be used for evil though. Only a vulnerability in the NEM software would allow that.
You can explicitly block all ports but if there is no service using those ports then it doesn't really matter all that much. Of course there can be more complicated setups and scenarios but that doesn't seem to be the case here. You can use nmap or netstat to check what ports are open on your machine if it makes you feel any better.
If your machine is only running NEM then there is nothing to worry about other than keeping the OS up-to-date.
If you're running Linux you can install ufw and create some simple rules.
If you're using a VPS then change the default SSH port and install fail2ban.
NAT opens one particular port (or ports) for one specific machine to the world with one particular internal IP, and that's what I'll do. I wouldn't open the port for other machines unnecessarily. I am paranoid about intruders. I have seen people scanning all my ports looking for an opening, and frequently.
@pat thanks… I don't see why anyone would try to gain access to the server anyway, seeing as there's nothing to steal… These aren't settings on my own computer, it's all on a server.
Rockethead, it sounds like that's the way it's set up?
I changed the config file for his to allow for 3 harvesters… If you guys have your clients running would you like to test it?