M7mdBookM7mdBook
← BackFeb 06, 2026
How to Allow MySQL Remote Access Securely (2025 Guide)
mysqldatabasesecurityremote-accessubuntudevops2025

How to Allow MySQL Remote Access Securely (2025 Guide)

A complete, security-focused guide to enabling MySQL remote access in 2025, covering firewall rules, least-privilege users, SSL/TLS encryption, AI-assisted auditing, and modern best practices.

Introduction

By default, MySQL only accepts local connections for security reasons. While safe, this limits scalability when applications and databases run on separate servers.

This guide explains how to enable MySQL remote access securely, configure firewalls, grant least-privilege access, enable SSL/TLS, and apply modern (2025) security practices including AI-driven auditing.

Key Takeaways

  • Edit mysqld.cnf and configure bind-address correctly
  • Never expose MySQL globally without firewall restrictions
  • Use host-specific MySQL users (avoid user@'%')
  • Enforce least privilege and disable remote root access
  • Enable SSL/TLS for all remote connections
  • Use AI-driven monitoring and audits to detect misconfigurations

Prerequisites

  • MySQL 8.0 or newer installed
  • Root or sudo privileges on the database server
  • Firewall management knowledge (ufw, iptables, or cloud firewalls)
  • (Recommended) AI-based monitoring and auditing tools
  • (Strongly advised) SSL/TLS or VPN-based secure connectivity
  • Verified backups and recovery plan

Step 1 — Configure MySQL for Remote Connections

Edit MySQL configuration:

sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf

Change bind address:

Recommended (private network):

bind-address = 10.0.0.5

Alternative (strict firewall required):

bind-address = 0.0.0.0

Restart MySQL:

sudo systemctl restart mysql

Optional hardening:

skip_name_resolve = ON
local_infile = OFF

Step 2 — Create a Remote MySQL User

Access MySQL:

sudo mysql -u root -p

Create a host-restricted user:

CREATE USER 'appuser'@'203.0.113.10' IDENTIFIED BY 'StrongPassword!';
GRANT SELECT, INSERT, UPDATE, DELETE ON mydb.* TO 'appuser'@'203.0.113.10';
FLUSH PRIVILEGES;

MySQL 8 authentication note: caching_sha2_password is preferred. Use mysql_native_password only for legacy clients.

Step 3 — Secure Firewall Configuration

Allow MySQL access only from trusted IPs:

sudo ufw allow from 203.0.113.10 to any port 3306

Avoid unrestricted rules like:

sudo ufw allow 3306

Cloud firewalls (AWS, DigitalOcean, GCP) should also restrict TCP 3306 to known IPs or private networks.

Step 4 — Test Remote Access

From a remote client:

mysql -u appuser -h your_server_ip -p

Verify MySQL is listening:

sudo ss -ltnp | grep 3306

For higher security, use SSH tunneling instead of exposing port 3306 publicly.

Step 5 — Enable SSL/TLS Encryption

Enforce encrypted connections:

require_secure_transport = ON

Restart MySQL:

sudo systemctl restart mysql

Require SSL per user:

ALTER USER 'appuser'@'203.0.113.10' REQUIRE SSL;

Client connection:

mysql --ssl-mode=REQUIRED -u appuser -h your_server_ip -p

AI-Assisted Security Auditing (2025)

  • Detect overly permissive users (user@'%')
  • Alert if port 3306 is globally exposed
  • Analyze logs for brute-force or anomaly patterns
  • Block insecure deployments in CI/CD pipelines

Sample alert:

[ALERT] MySQL remote access misconfiguration detected
User: appuser@'%'
Risk: Global access enabled

Server Hardening Recommendations

  • Disable anonymous users
  • Lock remote root login
  • Enforce strong passwords
  • Encrypt backups at rest
  • Monitor MySQL error logs
DELETE FROM mysql.user WHERE User = '';
ALTER USER 'root'@'%' ACCOUNT LOCK;
FLUSH PRIVILEGES;

Conclusion

Secure MySQL remote access requires a layered approach: strict bind-address configuration, firewall whitelisting, least-privilege users, SSL/TLS encryption, and continuous monitoring.

By combining traditional security controls with AI-driven auditing, you can safely run MySQL in distributed and production environments in 2025.

Related posts ↓
Showing related posts by tag: mysql