When connecting to a database, you must take extra precautions if it’s not running locally. Any connections made over a network should be secure, and you should never leave the database open for anyone to brute-force a connection.
The Best Solution: Run Your DB In a Private Subnet
Connecting over the internet is risky. You should never just leave your database open to the web, as it simply increases your attack surface for no reason. With proper passwords set up, exposure alone isn't going to let anyone hack you instantly, but it's usually not necessary for a database to be publicly accessible at all.
With that being said, it’s often beneficial architecturally to have databases run on separate servers. Separating your database from your web servers allows you to manage it individually. If you wanted to scale your web servers up, or add read replicas for the database, it’s easier to do if it’s separate.
Running it on a different machine means you'll be connecting to it over some kind of network. The best practice for this is to run the database in a private subnet. Most cloud providers, like AWS, offer the ability to make certain servers private, so that they have no public IP. You can then set the database to listen only on the private IP address.
This way, connections made to the database only happen within your VPC, or virtual private cloud. The user is connecting to your public web server, which talks to the database for the user without them having to even know the address of the database server.
This configuration is pretty easy to set up. Most cloud providers have controls for creating private subnets, but if you want to handle it yourself, you can achieve the same effect with a firewall that only allows connections from private addresses:
This will block every request to your server that comes from a public IP, effectively shutting out the outside world from accessing the server, though you’ll probably want to keep SSH open in some fashion for administrative purposes.
For Long-Distance Administration, Whitelist IPs
If you want to access the database from your own machine, you must connect over the internet. The simplest way to do this securely is to whitelist the IP of the machine you're using for administration. This doesn't replace having a password, but it's much better than letting anyone on the internet guess at it.
In ufw, the default firewall in Ubuntu, this can be done quite easily:
You’ll want to make sure you don’t have any other rules allowing access to that port from any IP.
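As an added example (not code from the article), here is a POSIX shell script that generates the two rule sets discussed above, the private-subnet-only firewall and the single-IP admin whitelist, and audits an existing ufw rule list for a leftover rule that opens the port to any IP. It assumes ufw on the database host and port 5432 (PostgreSQL's default); the rule list it audits is a constructed sample.

```shell
# Added example, not code from the original article. Assumes ufw on the
# database host and PostgreSQL's default port 5432 (both assumptions).

DB_PORT=5432

# Constructed sample of `ufw status numbered` output, embedded so the audit
# runs offline. Rule 3 is the kind of leftover rule the article warns about.
SAMPLE_UFW_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 5432/tcp                   ALLOW IN    203.0.113.10
[ 3] 5432/tcp                   ALLOW IN    Anywhere
[ 4] 5432/tcp                   ALLOW IN    10.0.0.0/16'

# Print the numbers of rules that allow port $1 from "Anywhere", given the
# text of `ufw status numbered` as $2. Empty output means the port is not
# exposed to arbitrary IPs.
find_open_rules() {
    port="$1"; status="$2"
    printf '%s\n' "$status" \
      | sed -n 's/^\[ *\([0-9]*\)\] */\1 /p' \
      | awk -v p="$port" '$2 ~ ("^" p "/") && $3 == "ALLOW" && $5 == "Anywhere" { print $1 }'
}

# Emit ufw commands that allow port $1 only from the VPC's private CIDR $2
# and deny it from everywhere else (the "private subnet" setup).
private_only_rules() {
    port="$1"; cidr="$2"
    printf 'ufw allow from %s to any port %s proto tcp\n' "$cidr" "$port"
    printf 'ufw deny %s/tcp\n' "$port"
}

# Emit ufw commands that whitelist a single admin IP for port $2 and deny the
# port to everyone else. Rejects anything that is not a bare dotted IPv4
# address, so a stray "any" or 0.0.0.0/0 cannot silently reopen the port.
whitelist_rules() {
    admin_ip="$1"; port="$2"
    case "$admin_ip" in
        *[!0-9.]*|"") echo "refusing '$admin_ip': need one IPv4 host" >&2; return 1 ;;
    esac
    printf 'ufw allow from %s to any port %s proto tcp\n' "$admin_ip" "$port"
    printf 'ufw deny %s/tcp\n' "$port"
}

# Audit the sample: any rule listed here should be removed with `ufw delete N`.
open=$(find_open_rules "$DB_PORT" "$SAMPLE_UFW_STATUS")
[ -z "$open" ] || echo "WARNING: rule(s) $open expose port $DB_PORT to Anywhere" >&2
```

The generators only print the ufw commands so they can be reviewed before being run on the database host; on a live host, replace the sample with the real output of `ufw status numbered`.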
If you don’t want any traffic going over the internet, the problem becomes a bit more complicated. You’ll have to set up a VPN server, like OpenVPN, that runs in your network and provides managed access to the machines in private subnets. You can connect to the VPN and have your machine act like it is in the same VPC as the database, which will give you the ability to connect to it directly over a secure connection. Doing it this way allows the database server to be entirely locked down in your own network, which is a huge bonus for security.