A Secure Guide to Enabling MySQL Remote Access in 2025

How to enable remote access to MySQL/MariaDB securely?

In this updated (2025) guide, we explore practical and secure ways to enable remote access to MySQL and MariaDB servers. The goal is to provide a practical checklist for site administrators, DevOps, database teams, and developers to allow access only to authorized users and applications, without compromising security.

General steps and security principles

Summary of steps:

• Architectural design: Never Do not place the database directly on the public internet unless necessary.
• Use a private network (VPC/VLAN), VPN, or SSH tunneling.
• Restrict access based on IP addresses and create users with Minimum score.
• TLS/SSL encryption for database traffic and use of strong authentication (*caching_sha2_password* / *X.509*).
• Enable logging and rate limits, use firewalls and intrusion detection systems (IDS/IPS).
• Review performance and latency and select the appropriate data center location based on application.

Why shouldn't MySQL be exposed directly to the internet?

Databases are an attractive target for hackers, containing sensitive data and credentials. Opening port 3306 to the internet without restriction or encryption increases the risks of data leaks, brute-force, and DDoS attacks.

Step-by-Step: Configuring MySQL for Remote Access (Practical Instructions)

1) Edit the configuration file

Common configuration files:

• MySQL (Debian/Ubuntu): /etc/mysql/mysql.conf.d/mysqld.cnf
• MariaDB: /etc/mysql/mariadb.conf.d/50-server.cnf

By default, the line may bind-address To 127.0.0.1 is set. To accept connections from a specific IP or all addresses:

Recommended: Allow specific IP:

bind-address = 192.0.2.10

Not recommended except on a private network:

bind-address = 0.0.0.0

After change:

systemctl restart mysql

2) Creating a secure user with restrictions

Never from the user root Do not use for remote connections. Example commands:

mysql -u root -p
CREATE USER 'appuser'@'203.0.113.45' IDENTIFIED WITH caching_sha2_password BY 'StrongP@ssw0rd!';
GRANT SELECT, INSERT, UPDATE, DELETE ON mydb.* TO 'appuser'@'203.0.113.45';
FLUSH PRIVILEGES;

Important points:

• It is much more secure to use a specific IP address ('203.0.113.45') instead of '%'.
• Determination Minimum permissions (least privilege).
• Use private addresses for connections from within the private network (e.g. 10.xxx).

3) Enabling SSL/TLS for MySQL

Quick example of creating CA and certificates with OpenSSL:

openssl genrsa 4096 -out ca-key.pem
openssl req -new -x509 -nodes -days 3650 -key ca-key.pem -out ca.pem -subj "/CN=MyDB-CA"

openssl genrsa 4096 -out server-key.pem
openssl req -new -key server-key.pem -out server-req.csr -subj "/CN=db.example.com"
openssl x509 -req -in server-req.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -days 3650

openssl genrsa 4096 -out client-key.pem
openssl req -new -key client-key.pem -out client-req.csr -subj "/CN=dbclient"
openssl x509 -req -in client-req.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem -days 3650

Placing certificates in my.cnf:

[mysqld]
ssl-ca=/etc/mysql/ssl/ca.pem
ssl-cert=/etc/mysql/ssl/server-cert.pem
ssl-key=/etc/mysql/ssl/server-key.pem

After restart, the ability to require users to use certificates:

ALTER USER 'appuser'@'203.0.113.45' REQUIRE X509;
-- یا فقط TLS بدون client cert:
ALTER USER 'appuser'@'203.0.113.45' REQUIRE SSL;

Secure connection from the client:

mysql -u appuser -p -h db.example.com --ssl-mode=REQUIRED --ssl-ca=ca.pem

4) Using SSH Tunnel

Suitable for admins and limited access when TLS is not available. On the client machine:

ssh -fN -L 3306:127.0.0.1:3306 [email protected]

This method connects you to local port 3306, which is tunneled to the remote server.

5) Firewall settings

Example with ufw (allow only specified IP):

ufw allow from 203.0.113.45 to any port 3306 proto tcp

With firewalld:

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="203.0.113.45" port protocol="tcp" port="3306" accept'
firewall-cmd --reload

Port check:

ss -tlnp | grep 3306
telnet db.example.com 3306

More Protection — Advanced and Recommended Solutions (2025)

Using a private network, VPC, and VPN

Instead of opening the database port to the internet, use a Private Network between the application and the database. If you use our service, you can use a private network and BGP/VRF for a secure connection.

For distributed users, VPN or IPsec is recommended so that database traffic travels only over encrypted channels.

Bastion Host and Zero Trust

Deploying a Bastion Host with two-factor authentication (MFA) and full session logging is a more secure approach than opening ports directly. The Zero Trust model means that every connection must be authenticated and only specific resources are allowed.

Authentication and algorithms

• MySQL 8: Use of caching_sha2_password Instead of mysql_native_password It is safer.
• In sensitive cases, use X.509 client certificates Recommended.
• Managing passwords with a Secret Manager or Vault (like HashiCorp Vault, AWS Secrets Manager) is better than putting passwords in files or code.

Protection against attacks and restrictions

• Keep max_connect_errors low and skip-name-resolve Enable to avoid DNS-based delays.
• Using fail2ban with a special mysql-auth filter to block malicious IPs.
• Overall connection rate limit and appropriate connection_timeout setting.

Monitoring and logging

Enabling audit logs, general logs, and slow query logs and using tools like Prometheus + Grafana or Percona Monitoring is essential to identify malicious patterns and performance issues.

Practical tips for choosing data center location and configuration based on application

Guidance based on application type:

• Trading (Forex/Crypto): The lowest RTT to the exchange/trader server is important; choosing a location close to the exchange is recommended. Our service provides this with 85+ locations.
• Gaming: Gaming databases require low ping; optimized BGP routing and low latency network are important. Gaming VPS servers and anti-DDoS servers are useful.
• AI/Rendering: For high I/O and compute loads, combining GPU and database servers in the same private network zone reduces latency.
• Websites and applications: Using a CDN and application layer cache (Redis/Memcached) along with a database in a Private Network provides the best balance of speed and cost.

Suggested my.cnf configuration examples for various uses

Configuration for a medium-load server (web/application):

[mysqld]
bind-address = 10.0.1.5
max_connections = 200
innodb_buffer_pool_size = 2G
skip-name-resolve = 1
ssl-ca=/etc/mysql/ssl/ca.pem
ssl-cert=/etc/mysql/ssl/server-cert.pem
ssl-key=/etc/mysql/ssl/server-key.pem

For high-load, dedicated AI/rending servers:

innodb_buffer_pool_size = 16G
innodb_flush_method = O_DIRECT
innodb_io_capacity = 2000

Always adjust settings based on RAM, I/O, and application needs.

Final security checklist before enabling remote access

• Using a private network or VPN for database traffic
• Restricting allowed IP addresses in the firewall
• Create users with minimal privileges and use secure hashing algorithms
• Enable TLS/SSL and, if necessary, client certificates
• Not using root for remote connections
• Enable logging; send logs to external system
• Setting connection limits and using fail2ban
• Monitoring and alerting in case of unusual traffic increases or errors
• Regular backups and recovery testing

Conclusion and final recommendation

Enabling remote access to MySQL in 2025 should be both fast and secure. Best approach: Consider a private network or VPN first, then add TLS and IP restriction, and limit access to the bare minimum.

Using Bastion Host, MFA and advanced logging will increase your security. If you need a highly stable server, low latency network and security features, our services include 85+ global locations, GPU servers, compute servers, anti-DDoS servers, trading and gaming VPS, CDN and BGP network, offering ready-made and customizable options.

Frequently Asked Questions