Support Online
MirrorLooking Glass
GenixNodeGenixNode
Client Panel
Skip to main content

Turning on MySQL Remote Access Securely (2025)

What will you learn in this guide?

In this guide, you will learn how to open remote access to MySQL database securely.
IP restriction, firewall, SSL/TLS and Zero Trust approach will be applied together.

Technical Summary

Main topic: MySQL remote access security
Purpose: Secure database connection from separate servers
Approach: Zero Trust + minimal authorization
Steps: Bind-address → User → Firewall → SSL → Audit

Prerequisites

  • Ubuntu 22.04 or above
  • MySQL 8.x installed
  • sudo authorized user
  • UFW active
  • Current database backup

1️⃣ Editing MySQL Listening Address

MySQL only listens to localhost by default.

sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf
  • This file contains the MySQL network configuration.

Recommended (Private Network)


bind-address = 10.0.0.5
  • This setting makes MySQL accessible only from the private network.

Mandatory Case (All Interfaces)


bind-address = 0.0.0.0

⚠️ This option should only be used with strict firewall.

  1. Restart the MySQL service.

sudo systemctl restart mysql
  • This command activates the settings.

2️⃣ Creating an IP Restricted MySQL User

  • Never open the root account remotely.

sudo mysql -u root
  • This command opens the MySQL shell.

CREATE USER 'genix_user'@'203.0.113.10' IDENTIFIED BY 'GucluSifre123!';
GRANT SELECT, INSERT, UPDATE ON veritabanim.* TO 'genix_user'@'203.0.113.10';
FLUSH PRIVILEGES;
  • This user can only connect from the specified IP.

🔐 The principle of least authority applies.

3️⃣ Firewall (UFW) Rules

  1. Do not open the MySQL port to everyone.

sudo ufw allow from 203.0.113.10 to any port 3306
  • This rule allows only trusted server.
  • Check firewall status.

sudo ufw status
  • This command lists active rules.

4️⃣ Data Encryption with SSL/TLS

Encryption is mandatory for remote connections.


require_secure_transport = ON
  • This setting blocks connection without SSL.

Restart MySQL.


sudo systemctl restart mysql
  • Force the user to SSL.

ALTER USER 'genix_user'@'203.0.113.10' REQUIRE SSL;
  • Establish a secure connection from the client.

mysql --ssl-mode=REQUIRED -u genix_user -h sunucu_ip -p
  • This connection encrypts traffic.

5️⃣ Zero Trust and AI-Assisted Audit

Due to the Zero Trust approach, no connection is secure by default.

  1. % host identification detection

  2. Open 3306 port checking

  3. Abnormal login attempts

  4. Redundancy control

Sample warning:


[ALERT] MySQL riskli yapılandırma tespit edildi
Kullanıcı: genix_user@'%'
Risk: Global erişim açık
Öneri: IP bazlı kısıtlama uygulayın
  • These audits can be done automatically with log analysis tools.

Common Errors and Solutions

  • Access denied error → User IP must match exactly.
  1. No connection → Check firewall and bind-address.

Legacy client issue → Make user compatible if necessary.


ALTER USER 'genix_user'@'203.0.113.10'
IDENTIFIED WITH mysql_native_password BY 'GucluSifre123!';

Frequently Asked Questions (FAQ)

1. Is bind-address = 0.0.0.0 safe? Acceptable if there is a firewall.

2. Can root be unlocked remotely? No, it is a serious security risk.

3. Is VPN recommended? In production, yes.

4. Is SSL required? Yes, by 2025 standards.

5. Secure MySQL Checklist

  • bind-address set to private IP

  1. IP restricted user created

  2. Firewall is only open to authorized IPs

  3. Root remotely locked

  4. SSL/TLS active

  5. Authorizations are periodically audited

Result

MySQL remote access is secure when configured correctly. IP restriction, firewall, SSL and Zero Trust should be applied together.

🚀 You can set up this architecture in minutes with isolated networks and secure databases in the GenixNode infrastructure.