Opening database access directly over the internet is not recommended for security reasons. Instead, we can use SSH tunneling to securely connect to various databases such as MySQL, MariaDB, PostgreSQL, MongoDB, and Redis.

This guide will show you how to create a dedicated SSH user that authenticates only with an RSA key and use it for secure database access.

Why Use SSH for Database Access?

Many administrators expose database ports (such as 3306 for MySQL/MariaDB, 5432 for PostgreSQL, 27017 for MongoDB, and 6379 for Redis) for remote access. This is risky because:

  • Databases can be targeted by brute-force attacks
  • Connections are not encrypted by default
  • Exploits can be used to gain unauthorized access

A safer approach is to:

  1. Disable direct database access from external networks
  2. Use SSH tunneling for secure connections
  3. Enforce RSA key authentication to prevent brute-force attacks

1. Creating an SSH User Without a Password

The first step is to create a new user without a password:

Next, restrict shell access to prevent interactive logins:

This ensures the user is only used for SSH tunneling, not general logins.

2. Setting Up SSH Key Authentication

To allow only RSA key authentication, add your public key to the new user’s authorized keys file.

Prepare the .ssh Directory and Permissions

Since the user has no shell access, use sudo to manually create the SSH directory:

Create the authorized_keys file and add the RSA public key:

Set the correct permissions:

Ensure the user owns these files:

3. Securing SSH Configuration

To ensure that only exampleuser can log in via SSH using an RSA key, edit the SSH configuration file:

Modify or add the following lines:

Restart SSH to apply the changes:

Now, SSH access is only possible using RSA key authentication.

4. Setting Up SSH Tunnel for Database Access

Now we can use exampleuser to create an SSH tunnel for secure database access.

Ensure Databases Only Accept Local Connections

Edit the configuration file for your database:

MySQL/MariaDB

Locate the following line:

If it’s set to 0.0.0.0, change it to 127.0.0.1 and restart the database:

PostgreSQL

Modify:

Restart PostgreSQL:

MongoDB

Ensure:

Restart MongoDB:

Redis

Set:

Restart Redis:
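Once the four services have been restarted, the bindings can be verified from the listening sockets. The script below is an added example, not part of the original guide: it reads `ss -ltn` output and lists any listener on the database ports named above (3306, 5432, 27017, 6379) that is not bound to loopback. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag database listeners that are not bound to loopback.
# Reads `ss -ltn` output on stdin; prints one "port address" line per exposed listener.
exposed_db_listeners() {
    awk '
        $1 != "LISTEN" { next }                 # also skips the header line
        {
            local_addr = $4                     # e.g. 127.0.0.1:3306 or [::]:6379
            n = match(local_addr, /:[0-9]+$/)   # the port follows the last colon
            if (n == 0) next
            port = substr(local_addr, n + 1)
            addr = substr(local_addr, 1, n - 1)
            if (port !~ /^(3306|5432|27017|6379)$/) next     # not a database port
            if (addr ~ /^127\./ || addr == "[::1]") next     # loopback only: fine
            print port, addr
        }
    ' | sort -n
}

# Returns 0 when every database listener is loopback-only, 1 otherwise.
check_db_listeners() {
    found=$(exposed_db_listeners)
    if [ -z "$found" ]; then return 0; fi
    printf 'Database listener not bound to loopback:\n%s\n' "$found" >&2
    return 1
}

# Constructed sample of `ss -ltn` output (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       151     127.0.0.1:3306      0.0.0.0:*
LISTEN  0       244     0.0.0.0:5432        0.0.0.0:*
LISTEN  0       4096    127.0.0.1:27017     0.0.0.0:*
LISTEN  0       511     [::]:6379           [::]:*
LISTEN  0       511     [::1]:6379          [::]:*
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
EOF
}

# Demo on the constructed sample: PostgreSQL and Redis are still reachable externally.
sample_ss_output | exposed_db_listeners
```

On the server, run `ss -ltn | check_db_listeners`; a non-zero exit status means at least one database port still accepts connections on a non-loopback address.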

Creating an SSH Tunnel from Your Local Machine

Run this command from your local machine to establish the tunnel:

For MySQL/MariaDB (Port 3306)

For PostgreSQL (Port 5432)

For MongoDB (Port 27017)

For Redis (Port 6379)

Connecting to Databases via SSH Tunnel

Now, you can connect to the databases securely:

MySQL/MariaDB

PostgreSQL

MongoDB

Redis

Conclusion

Using SSH tunneling for database access is a simple yet effective way to enhance security. This method:

  • Prevents direct database exposure to the internet
  • Encrypts all database traffic through SSH
  • Ensures only authorized users with RSA keys can connect

This approach is ideal for anyone looking to secure their databases without setting up complex VPNs or firewall rules.
