When connecting to a database, you must take extra precautions if it is not running locally. All connections made over a network must be secure and you should never leave the database open for anyone to brute-force a connection.
The best solution: Run your DB in a private subnet
Connecting via the internet is risky. You should never just leave your database open on the web, as it simply increases your attack space for no reason. With the right password configured, it will not let anyone hack you right away, but it is usually not necessary for a database to be publicly available.
With that said, it is often advantageous architecturally to have databases running on separate servers. Separating your database from your web servers allows you to manage it individually. If you wanted to scale up your web servers or add read replicas for the database, it̵7;s easier to do if it’s separate.
Running it on another machine means that you are running it over a kind of network. The best practice for this is to run the database in one private subnet. Most cloud providers, such as AWS, offer the ability to make certain servers private, so that there is no public IP. You can then set the database to listen to the private IP address.
In this way, connections to the database only take place within your VPC or virtual private clouds. The user connects to your public web server, which talks to the user’s database without them even having to know the address of the database server.
This configuration is quite easy to install. Most cloud providers have controls for creating private subnets, but if you just want to manage it yourself, you can achieve the same effect with a firewall that only allows connections from private addresses:
sudo ufw allow from 172.16.0.0/12 to any port 22
This will block any requests to your server that come from a public IP, and effectively block the outside world from accessing the server, but you will probably keep SSH open in some way for administrative purposes.
For long distance IP addresses
If you want to access the database from your own machine, you must connect via the Internet. The simplest solution to make this secure is to just whitelist the IP of the machine you are using for administration. This does not replace having a password, but it is much better than letting someone guess it.
ufw, the default wall in Ubuntu, this can be done quite easily:
sudo ufw allow from 188.8.131.52 to any port 27017
You want to make sure you have no other rules that allow access to that port from any IP.
If you do not want any traffic to go over the internet, the problem becomes a little more complicated. You need to set up a VPN server, such as OpenVPN, that runs on your network and provides managed access to the machines in private subnets. You can connect to the VPN and let your machine act as if it were in the same VPC as the database, giving you the ability to connect to it directly via a secure connection. If you do it this way, the database server can be completely locked in your own network, which is a huge bonus for security.