
Isolate Your Database

Publicly reachable databases (port 3306/5432) are magnets for brute force. Keep them in a private subnet.

The Publicly Exposed Database Problem

Shodan, the search engine for internet-connected devices, continuously indexes services that answer on the public internet, exposed databases included. MySQL on port 3306, PostgreSQL on 5432, MongoDB on 27017, Redis on 6379: all visible to anyone who searches.

Automated bots scan the entire IPv4 address space continuously. Within minutes of a database becoming internet-accessible it will see brute-force attempts. Default credentials (root/root, admin/admin, blank passwords) are tried first, then common passwords. Services that ship without authentication, such as Redis with no password configured or MongoDB with access control left disabled, need no brute force at all: the first connection gets in. It's relentless and automated.

What Happens When They Get In

  • Data theft: Customer PII, payment records, credentials — exfiltrated immediately
  • Ransomware: Data is encrypted and a ransom note is left (MongoDB attacks in particular)
  • Backdoor creation: New admin accounts created for persistent access
  • Supply chain pivoting: Your database becomes the jump point to attack your customers

The Right Architecture: Private Subnets

Your database should never have a public IP. The only things that should connect to it are your application servers, and only from inside your private network, with the database port opened in the firewall or security group for the application tier alone.

Basic architecture:

Internet → Load Balancer → App Servers (public subnet)
                                    ↓
                           Database (private subnet, NO internet route)

Better still, put the app servers in a private subnet too, so the load balancer is the only public entry point; if they need outbound internet access for updates, route it through a NAT gateway rather than giving them public IPs.

On cloud providers:

  • AWS: Put your RDS instance in private VPC subnets with no route to an internet gateway, leave "Publicly accessible" set to No, and attach a security group that allows the database port only from the application servers' security group
  • GCP: Use Private IP for Cloud SQL and do not assign a public IP; connect from inside your VPC (or through the Cloud SQL Auth Proxy)
  • Hetzner/DigitalOcean: Use their private networking feature and bind the database to the private interface only

If You Must Access Remotely

Use a bastion host (jump box) or VPN. The bastion is now your one exposed service, so lock it down: key-only SSH authentication, and its SSH port allowed only from known source IPs.

# SSH tunnel to reach the private database (-N: forward ports only, no remote shell)
ssh -N -L 5432:db.internal:5432 user@bastion.yourdomain.com
# In a second terminal, connect to localhost:5432; the bastion relays it to db.internal
psql -h localhost -p 5432 -U youruser yourdb

Quick Wins Right Now

  1. Check whether your database ports are reachable from outside. Run the scan from a host that is not in your network (a laptop on a different connection, not the server itself or another VM in the same VPC), otherwise you only test the internal view: nmap -Pn -p 3306,5432,27017,6379 your-server-ip
  2. If any port shows as open, add a firewall rule (cloud security group or host firewall) blocking it from the public internet immediately; allow it only from your application servers
  3. Bind your database to listen only on localhost or its private network IP, not 0.0.0.0 (MySQL bind-address, PostgreSQL listen_addresses, Redis bind, MongoDB net.bindIp), and restart the service so the change takes effect
  4. Change default credentials immediately if they're still set, and enable authentication on services that run without it by default (Redis requirepass, MongoDB access control)
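Two small checks for steps 1 and 3, as an added example that is not code from the original tip: one reads the listening-socket table (the output of `ss -Hltn` from iproute2) and reports any of the four database ports bound to every interface, the other reads a server config file and reports wildcard bind values using each server's real directive name (bind-address, listen_addresses, bind, bindIp). The `ss` column layout and the sample socket table and config fragments below are constructed here so the script runs offline; on a real host you would pipe in live data instead.

```shell
#!/bin/sh
# Added example (not from the original tip): audit whether the database ports
# named on this page (MySQL 3306, PostgreSQL 5432, MongoDB 27017, Redis 6379)
# are bound to every interface (0.0.0.0, :: or *) instead of loopback or a
# private address. Assumes the `ss -Hltn` column layout; the sample data at
# the bottom is constructed. On a live host:
#   ss -Hltn | audit_listeners
#   check_bind_config /etc/mysql/my.cnf /etc/redis/redis.conf

DB_PORTS="3306 5432 27017 6379"

# audit_listeners: reads `ss -Hltn` lines (one listening TCP socket per line,
# no header) on stdin and prints "PORT ADDRESS" for every database port bound
# to a wildcard address; prints nothing when all database listeners are
# loopback or private. Column 4 of ss output is Local Address:Port, which
# looks like 0.0.0.0:3306 for IPv4 and [::]:27017 for IPv6.
audit_listeners() {
    awk -v ports="$DB_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    {
        addr = $4
        port = addr; sub(/.*:/, "", port)          # text after the last colon
        host = addr; sub(/:[0-9]+$/, "", host)     # text before it
        sub(/^\[/, "", host); sub(/]$/, "", host)  # unwrap [::]
        if ((port in want) && (host == "0.0.0.0" || host == "::" || host == "*"))
            print port, host
    }'
}

# check_bind_config: reads server config files (arguments, or stdin) and prints
# "KEY = VALUE" for each wildcard bind value. Handles the syntax each server uses:
#   MySQL       bind-address = 0.0.0.0       (my.cnf, key = value)
#   PostgreSQL  listen_addresses = '*'       (postgresql.conf, quoted, may list several)
#   Redis       bind 0.0.0.0                 (redis.conf, key value, may list several)
#   MongoDB     bindIp: 0.0.0.0              (mongod.conf YAML, key: value)
# ::1 is loopback and is not flagged; only the bare :: wildcard is.
check_bind_config() {
    awk '
    /^[[:space:]]*#/ { next }                                  # whole-line comments
    {
        line = $0
        sub(/^[[:space:]]+/, "", line)                         # leading indent
        sub(/[[:space:]]+#.*$/, "", line)                      # trailing comment
        if (line !~ /^(bind-address|listen_addresses|bind|bindIp)([[:space:]]*[=:]|[[:space:]])/)
            next
        key = line; sub(/[[:space:]=:].*/, "", key)
        val = line; sub(/^[^[:space:]=:]+[[:space:]]*[=:]?[[:space:]]*/, "", val)
        gsub(/["\047]/, "", val)                               # strip quotes (PostgreSQL)
        n = split(val, t, "[[:space:],]+")                     # several addresses allowed
        for (i = 1; i <= n; i++)
            if (t[i] == "0.0.0.0" || t[i] == "*" || t[i] == "::")
                print key " = " t[i]
    }' "$@"
}

# --- constructed sample data: a host with MySQL and MongoDB wide open ---
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 244 10.0.1.5:5432 0.0.0.0:*
LISTEN 0 128 [::]:27017 [::]:*'

SAMPLE_CONF=$(cat <<'EOF'
# my.cnf fragment (constructed)
[mysqld]
bind-address = 0.0.0.0
# postgresql.conf fragment (constructed)
listen_addresses = 'localhost, 10.0.1.5'   # private address only: fine
# redis.conf fragment (constructed)
bind 127.0.0.1 ::1
# mongod.conf fragment (constructed)
bindIp: 0.0.0.0
EOF
)

printf '%s\n' "$SAMPLE_SS" | audit_listeners      # 3306 0.0.0.0 / 27017 ::
printf '%s\n' "$SAMPLE_CONF" | check_bind_config  # bind-address = 0.0.0.0 / bindIp = 0.0.0.0
```

Both filters print nothing on a correctly bound host, so an empty result is the goal. On a system without `ss`, `netstat -tln` also carries the local address in column 4 and its header lines produce no match, so it can be piped into audit_listeners unchanged. Remember that a service bound only to loopback or a private address is one layer; the firewall rule from step 2 still belongs in place for the day someone changes the bind setting.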

Databases in private subnets, behind firewalls, with strong credentials and minimal access — that's the baseline.

Get your site properly hardened.

The Voice of Cash delivers professional security audits and hands-on implementation.
