A PostgreSQL server rarely needs to be a public landmark on port 5432. Restricting remote access reduces exposure to internet scanning, brute-force attempts, and accidental “database on the public interface” moments. Keeping the listener scoped to only the interfaces that matter narrows the blast radius when credentials or rules are less-than-perfect.
Network reachability is primarily controlled by listen_addresses in postgresql.conf, which determines which IP addresses the server binds for TCP connections. When the postmaster binds only to loopback or a specific private interface, remote hosts cannot complete a TCP connection to the database port. Once a connection reaches the server, pg_hba.conf decides which clients, users, and authentication methods are permitted.
listen_addresses is a postmaster-level setting, so changing it requires a server restart, which drops active connections and aborts running transactions. Packaged installations place configuration files in different directories (for example /etc/postgresql/16/main/postgresql.conf on Debian-based systems), so querying the running server avoids editing the wrong file. Remote clients such as application servers, replicas, backups, or monitoring agents will lose connectivity unless the bind address and authentication rules are updated to match.
Related: How to configure pg_hba.conf in PostgreSQL
Related: How to enable SSL for PostgreSQL connections
$ sudo -u postgres psql -Atc "SHOW config_file;"
/etc/postgresql/16/main/postgresql.conf
$ sudo -u postgres psql -Atc "SHOW listen_addresses;"
localhost
$ sudoedit /etc/postgresql/16/main/postgresql.conf
Replace the path with the value returned by SHOW config_file.
listen_addresses = 'localhost'
Use a specific private IP (for example 192.0.2.40) or a comma-separated list when remote clients are required, and avoid * unless every interface must accept connections.
Binding to a non-existent IP address can prevent PostgreSQL from starting.
$ sudo systemctl restart postgresql
A restart disconnects active sessions and aborts running transactions.
$ sudo ss -lntp 'sport = :5432'
State Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
LISTEN 0 200 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=6199,fd=8))
LISTEN 0 200 [::1]:5432 [::]:* users:(("postgres",pid=6199,fd=7))
Loopback-only listeners appear as 127.0.0.1:5432 and optionally [::1]:5432 for IPv6.
$ sudo -u postgres psql -Atc "SHOW hba_file;"
/etc/postgresql/16/main/pg_hba.conf
Loopback-only listen_addresses blocks remote TCP connections, but permissive host entries matter again when binding to a non-loopback interface.
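The ss verification step above can be turned into a repeatable check. The following is an added example, not part of the original page: the function name check_pg_listeners and the sample lines are constructed for illustration, and it assumes ss output in the column layout shown above.

```shell
#!/bin/sh
# Added example: flag PostgreSQL listeners that are not loopback-only.
# Reads `ss -lnt` style lines on stdin, prints every non-loopback listener
# on the given port, and returns 1 if any were found (0 otherwise).
check_pg_listeners() {
    port="${1:-5432}"
    awk -v port="$port" '
        $1 == "LISTEN" {
            la = $4                                  # Local Address:Port column
            n = split(la, parts, ":")
            if (parts[n] != port) next               # listener on another port
            addr = substr(la, 1, length(la) - length(parts[n]) - 1)
            sub(/%.*$/, "", addr)                    # drop interface scope (%lo)
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback is fine
            print "exposed: " la                     # includes 0.0.0.0, *, [::]
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample: loopback plus the private address 192.0.2.40, and an
# unrelated SSH listener that must be ignored.
SAMPLE_MIXED='LISTEN 0 200 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 200 192.0.2.40:5432 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Demo on the constructed sample. On a live host, pipe real output instead:
#   sudo ss -lntH | check_pg_listeners 5432
printf '%s\n' "$SAMPLE_MIXED" | check_pg_listeners 5432 \
    || echo "non-loopback listener found on port 5432"
```

A non-zero return is expected when a private interface is bound deliberately; in that case review the host entries in the file reported by SHOW hba_file.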