Opening database access directly over the internet is not recommended for security reasons. Instead, we can use SSH tunneling to securely connect to various databases such as MySQL, MariaDB, PostgreSQL, MongoDB, and Redis.
This guide will show you how to create a dedicated SSH user that authenticates only with an RSA key and use it for secure database access.
Why Use SSH for Database Access?
Many administrators expose database ports (such as 3306 for MySQL/MariaDB, 5432 for PostgreSQL, 27017 for MongoDB, and 6379 for Redis) for remote access. This is risky because:
- Databases can be targeted by brute-force attacks
- Connections are not encrypted by default
- Exploits can be used to gain unauthorized access
A safer approach is to:
- Disable direct database access from external networks
- Use SSH tunneling for secure connections
- Enforce RSA key authentication to prevent brute-force attacks
1. Creating an SSH User Without a Password
The first step is to create a new user without a password:
0 1 2 |
sudo adduser --disabled-password --gecos "" exampleuser |
Next, restrict shell access to prevent interactive logins:
0 1 2 |
sudo usermod -s /usr/sbin/nologin exampleuser |
This ensures the user is only used for SSH tunneling, not general logins.
2. Setting Up SSH Key Authentication
To allow only RSA key authentication, add your public key to the new user’s authorized keys file.
Prepare the .ssh Directory and Permissions
Since the user has no shell access, use sudo
to manually create the SSH directory:
0 1 2 3 |
sudo mkdir -p /home/exampleuser/.ssh sudo chmod 700 /home/exampleuser/.ssh |
Create the authorized_keys
file and add the RSA public key:
0 1 2 |
echo "ssh-rsa AAAAB3...your-public-key... user@machine" | sudo tee /home/exampleuser/.ssh/authorized_keys > /dev/null |
Set the correct permissions:
0 1 2 |
sudo chmod 600 /home/exampleuser/.ssh/authorized_keys |
Ensure the user owns these files:
0 1 2 |
sudo chown -R exampleuser:exampleuser /home/exampleuser/.ssh |
3. Securing SSH Configuration
To ensure that only exampleuser
can log in via SSH using an RSA key, edit the SSH configuration file:
0 1 2 |
sudo nano /etc/ssh/sshd_config |
Modify or add the following lines:
0 1 2 3 4 |
PermitRootLogin no PasswordAuthentication no AllowUsers exampleuser |
Restart SSH to apply the changes:
0 1 2 |
sudo systemctl restart ssh |
Now, SSH access is only possible using RSA key authentication.
4. Setting Up SSH Tunnel for Database Access
Now we can use exampleuser
to create an SSH tunnel for secure database access.
Ensure Databases Only Accept Local Connections
Edit the configuration file for your database:
MySQL/MariaDB
0 1 2 |
sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf |
Locate the following line:
0 1 2 |
bind-address = 127.0.0.1 |
If it’s set to 0.0.0.0
, change it to 127.0.0.1
and restart the database:
0 1 2 |
sudo systemctl restart mysql |
PostgreSQL
0 1 2 |
sudo nano /etc/postgresql/15/main/postgresql.conf |
Modify:
0 1 2 |
listen_addresses = 'localhost' |
Restart PostgreSQL:
0 1 2 |
sudo systemctl restart postgresql |
MongoDB
0 1 2 |
sudo nano /etc/mongod.conf |
Ensure:
0 1 2 |
bindIp: 127.0.0.1 |
Restart MongoDB:
0 1 2 |
sudo systemctl restart mongod |
Redis
0 1 2 |
sudo nano /etc/redis/redis.conf |
Set:
0 1 2 |
bind 127.0.0.1 |
Restart Redis:
0 1 2 |
sudo systemctl restart redis-server |
Creating an SSH Tunnel from Your Local Machine
Run this command from your local machine to establish the tunnel:
For MySQL/MariaDB (Port 3306)
0 1 2 |
ssh -i ~/.ssh/id_rsa -N -L 3307:127.0.0.1:3306 exampleuser@your-server-ip |
For PostgreSQL (Port 5432)
0 1 2 |
ssh -i ~/.ssh/id_rsa -N -L 5433:127.0.0.1:5432 exampleuser@your-server-ip |
For MongoDB (Port 27017)
0 1 2 |
ssh -i ~/.ssh/id_rsa -N -L 27018:127.0.0.1:27017 exampleuser@your-server-ip |
For Redis (Port 6379)
0 1 2 |
ssh -i ~/.ssh/id_rsa -N -L 6380:127.0.0.1:6379 exampleuser@your-server-ip |
Connecting to Databases via SSH Tunnel
Now, you can connect to the databases securely:
MySQL/MariaDB
0 1 2 |
mysql -h 127.0.0.1 -P 3307 -u your_db_user -p |
PostgreSQL
0 1 2 |
psql -h 127.0.0.1 -p 5433 -U your_db_user -d your_database |
MongoDB
0 1 2 |
mongo --host 127.0.0.1 --port 27018 |
Redis
0 1 2 |
redis-cli -h 127.0.0.1 -p 6380 |
Conclusion
Using SSH tunneling for database access is a simple yet effective way to enhance security. This method: ✅ Prevents direct database exposure to the internet ✅ Encrypts all database traffic through SSH ✅ Ensures only authorized users with RSA keys can connect
This approach is ideal for anyone looking to secure their databases without setting up complex VPNs or firewall rules.
Does this method help? Share your thoughts or questions on diditho.com! 🚀