Database and Backend Service Protection

Web applications often connect to database servers and other backend services that should never be directly reachable from the internet. Firewall rules must keep these services protected while permitting only the communication the web servers actually need.

For MySQL/MariaDB (port 3306), restrict access to only your web servers:

Allow TCP from web_server_ip to database_server_ip port 3306
Deny TCP from any to database_server_ip port 3306

PostgreSQL (port 5432) requires similar protection:

Allow TCP from web_server_ip to database_server_ip port 5432
Deny TCP from any to database_server_ip port 5432

Redis (port 6379) and Memcached (port 11211) are particularly sensitive as they often lack robust authentication. These services should be strictly isolated:

Allow TCP from web_server_ip to cache_server_ip port 6379
Allow TCP from web_server_ip to cache_server_ip port 11211
Deny all from any to cache_server_ip port 6379
Deny all from any to cache_server_ip port 11211
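The rule lists above are first-match: the narrow allow for the web server must precede the broad deny, and the cache rules use "all" rather than "TCP" so that UDP (which Memcached also listens on) is covered. The following is an added example, not part of the original page, that models those rule sets in a small first-match evaluator so their ordering and scope can be checked before they are typed into a real firewall. The IP addresses are constructed placeholders, and the default action for traffic matching no rule is assumed to be deny.

```python
"""Added example (not from the original page): a minimal first-match
packet-filter evaluator loaded with the database and cache rules above.
All addresses are constructed placeholders."""
from dataclasses import dataclass

# Constructed placeholder addresses (assumptions, not from the page)
WEB_SERVER_IP = "10.0.1.10"
DB_SERVER_IP = "10.0.2.20"
CACHE_SERVER_IP = "10.0.2.30"


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp" or "all"
    src: str      # source IP or "any"
    dst: str      # destination IP
    dport: int    # destination port

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        """True if this rule applies to the given flow."""
        return (
            self.proto in ("all", proto)
            and self.src in ("any", src)
            and self.dst == dst
            and self.dport == dport
        )


# The rule sets from the page, in order. First match wins; a flow that
# matches no rule is treated as denied (assumed default-deny policy).
RULES = [
    Rule("allow", "tcp", WEB_SERVER_IP, DB_SERVER_IP, 3306),
    Rule("deny", "tcp", "any", DB_SERVER_IP, 3306),
    Rule("allow", "tcp", WEB_SERVER_IP, DB_SERVER_IP, 5432),
    Rule("deny", "tcp", "any", DB_SERVER_IP, 5432),
    Rule("allow", "tcp", WEB_SERVER_IP, CACHE_SERVER_IP, 6379),
    Rule("allow", "tcp", WEB_SERVER_IP, CACHE_SERVER_IP, 11211),
    Rule("deny", "all", "any", CACHE_SERVER_IP, 6379),
    Rule("deny", "all", "any", CACHE_SERVER_IP, 11211),
]


def evaluate(rules, proto, src, dst, dport) -> str:
    """Return the action of the first matching rule, or 'deny' if none match."""
    for rule in rules:
        if rule.matches(proto, src, dst, dport):
            return rule.action
    return "deny"


def audit(rules) -> list:
    """Evaluate a fixed set of constructed flows; returns (name, action) pairs."""
    internet = "198.51.100.7"  # constructed external address (TEST-NET-2)
    cases = [
        ("web -> mysql", "tcp", WEB_SERVER_IP, DB_SERVER_IP, 3306),
        ("internet -> mysql", "tcp", internet, DB_SERVER_IP, 3306),
        ("web -> postgres", "tcp", WEB_SERVER_IP, DB_SERVER_IP, 5432),
        ("internet -> postgres", "tcp", internet, DB_SERVER_IP, 5432),
        ("web -> redis", "tcp", WEB_SERVER_IP, CACHE_SERVER_IP, 6379),
        ("internet -> redis", "tcp", internet, CACHE_SERVER_IP, 6379),
        ("web -> memcached tcp", "tcp", WEB_SERVER_IP, CACHE_SERVER_IP, 11211),
        ("internet -> memcached udp", "udp", internet, CACHE_SERVER_IP, 11211),
        ("web -> memcached udp", "udp", WEB_SERVER_IP, CACHE_SERVER_IP, 11211),
    ]
    return [(name, evaluate(rules, *flow)) for name, *flow in cases]


def is_misordered(rules) -> bool:
    """True if a deny rule fully shadows a later allow rule, a common
    deployment mistake that silently breaks the web tier."""
    for i, deny in enumerate(rules):
        if deny.action != "deny":
            continue
        for later in rules[i + 1:]:
            if later.action == "allow" and deny.matches(
                later.proto, later.src, later.dst, later.dport
            ):
                return True
    return False


if __name__ == "__main__":
    for name, action in audit(RULES):
        print(f"{name:28s} {action}")
    print("misordered:", is_misordered(RULES))
```

Running the audit shows every web-server flow to its own service allowed and every external flow denied, including Memcached over UDP; reversing the list (deny before allow) makes `is_misordered` report the shadowed allow, which is the failure mode to check for when translating these rules into a real firewall's ordered chain.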