Opening database access directly over the internet is not recommended for security reasons. Instead, we can use SSH tunneling to securely connect to various databases such as MySQL, MariaDB, PostgreSQL, MongoDB, and Redis.

This guide will show you how to create a dedicated SSH user that authenticates only with an RSA key and use it for secure database access.

Why Use SSH for Database Access?

Many administrators expose database ports (such as 3306 for MySQL/MariaDB, 5432 for PostgreSQL, 27017 for MongoDB, and 6379 for Redis) for remote access. This is risky because:

  • Databases can be targeted by brute-force attacks
  • Connections are not encrypted by default
  • Exploits can be used to gain unauthorized access

A safer approach is to:

  1. Disable direct database access from external networks
  2. Use SSH tunneling for secure connections
  3. Enforce RSA key authentication to prevent brute-force attacks

1. Creating an SSH User Without a Password

The first step is to create a new user without a password:

sudo adduser --disabled-password --gecos "" exampleuser

Next, restrict shell access to prevent interactive logins:

sudo usermod -s /usr/sbin/nologin exampleuser

This ensures the user is only used for SSH tunneling, not general logins.

2. Setting Up SSH Key Authentication

To allow only RSA key authentication, add your public key to the new user’s authorized keys file.

Prepare the .ssh Directory and Permissions

Since the user has no shell access, use sudo to manually create the SSH directory:

sudo mkdir -p /home/exampleuser/.ssh
sudo chmod 700 /home/exampleuser/.ssh

Create the authorized_keys file and add the RSA public key:

echo "ssh-rsa AAAAB3...your-public-key... user@machine" | sudo tee /home/exampleuser/.ssh/authorized_keys > /dev/null

Set the correct permissions:

sudo chmod 600 /home/exampleuser/.ssh/authorized_keys

Ensure the user owns these files:

sudo chown -R exampleuser:exampleuser /home/exampleuser/.ssh

3. Securing SSH Configuration

To ensure that only exampleuser can log in via SSH using an RSA key, edit the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Modify or add the following lines:

PermitRootLogin no
PasswordAuthentication no
AllowUsers exampleuser

Restart SSH to apply the changes:

sudo systemctl restart ssh

Now, SSH access is only possible using RSA key authentication.

4. Setting Up SSH Tunnel for Database Access

Now we can use exampleuser to create an SSH tunnel for secure database access.

Ensure Databases Only Accept Local Connections

Edit the configuration file for your database:

MySQL/MariaDB

sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf

Locate the following line:

bind-address = 127.0.0.1

If it’s set to 0.0.0.0, change it to 127.0.0.1 and restart the database:

sudo systemctl restart mysql

PostgreSQL

sudo nano /etc/postgresql/15/main/postgresql.conf

Modify:

listen_addresses = 'localhost'

Restart PostgreSQL:

sudo systemctl restart postgresql

MongoDB

sudo nano /etc/mongod.conf

Ensure:

bindIp: 127.0.0.1

Restart MongoDB:

sudo systemctl restart mongod

Redis

sudo nano /etc/redis/redis.conf

Set:

bind 127.0.0.1

Restart Redis:

sudo systemctl restart redis-server

Creating an SSH Tunnel from Your Local Machine

Run this command from your local machine to establish the tunnel:

For MySQL/MariaDB (Port 3306)

ssh -i ~/.ssh/id_rsa -N -L 3307:127.0.0.1:3306 exampleuser@your-server-ip

For PostgreSQL (Port 5432)

ssh -i ~/.ssh/id_rsa -N -L 5433:127.0.0.1:5432 exampleuser@your-server-ip

For MongoDB (Port 27017)

ssh -i ~/.ssh/id_rsa -N -L 27018:127.0.0.1:27017 exampleuser@your-server-ip

For Redis (Port 6379)

ssh -i ~/.ssh/id_rsa -N -L 6380:127.0.0.1:6379 exampleuser@your-server-ip

Connecting to Databases via SSH Tunnel

Now, you can connect to the databases securely:

MySQL/MariaDB

mysql -h 127.0.0.1 -P 3307 -u your_db_user -p

PostgreSQL

psql -h 127.0.0.1 -p 5433 -U your_db_user -d your_database

MongoDB

mongo --host 127.0.0.1 --port 27018

Redis

redis-cli -h 127.0.0.1 -p 6380

Conclusion

Using SSH tunneling for database access is a simple yet effective way to enhance security. This method: ✅ Prevents direct database exposure to the internetEncrypts all database traffic through SSHEnsures only authorized users with RSA keys can connect

This approach is ideal for anyone looking to secure their databases without setting up complex VPNs or firewall rules.

Does this method help? Share your thoughts or questions on diditho.com! 🚀

Related posts:

  1. How to Set Up MongoDB 8 Master-Slave on Debian 12 (Bookworm) MongoDB is a super flexible NoSQL database, and if you’re...
  2. Master-Slave PostgreSQL Replication Setup on Debian 12 PostgreSQL replication is a robust solution for ensuring database availability,...
  3. MariaDB Master Slave Installation and Configuration on Linux Debian 12 Bookworm MariaDB is an open-source relational database management system (RDBMS) that...
  4. How to Install Redis Master Slave on Debian 12 Bookworm To set up a Redis master-slave replication on Debian 12,...
  5. Mount Linode S3-compatible Object Storage on Debian 12 (Bookworm) Here’s how to mount Linode S3-compatible Object Storage on Debian...
  6. How to Create a .ppk Key from an Existing RSA OpenSSH Key Using Xshell When managing secure SSH connections, different applications often require different...
  7. How to Install MariaDB on Debian 12 Bookworm ? To install MariaDB on Debian 12, follow these steps: 1....
  8. PostgreSQL Storage Paths to Consider for Mounting on Debian 12 When setting up a PostgreSQL master-slave replication or general database...

Leave A Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.