A PostgreSQL listener on every network interface can turn a database meant for application hosts into a port that scanners, unmanaged clients, or mistaken firewall rules can reach. Restricting remote access starts at the listener layer, then continues in host-based authentication when a non-loopback interface still needs to serve trusted clients.
PostgreSQL uses listen_addresses in postgresql.conf to decide which TCP/IP addresses the server binds. The default value localhost accepts only loopback TCP connections, while * binds all available IPv4 and IPv6 interfaces. pg_hba.conf is the next gate after a connection reaches the server; it matches connection type, database, user, client address, and authentication method in order.
Changing listen_addresses requires a restart because it applies only when the server starts. Plan a restart window, keep a rollback path for the previous configuration, and query the running server for its config paths instead of assuming a distro layout. Remote clients such as application servers, replicas, backups, or monitoring agents will lose connectivity unless the new bind address and authentication rules still include them.
$ sudo -u postgres psql -Atc "SHOW config_file;"
/etc/postgresql/18/main/postgresql.conf
$ sudo -u postgres psql -Atc "SHOW listen_addresses;"
*
localhost means loopback-only TCP listening. * means every available IPv4 and IPv6 interface can accept connection attempts before pg_hba.conf authentication is checked.
$ sudo ss -lnt 'sport = :5432'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       200     0.0.0.0:5432        0.0.0.0:*
LISTEN  0       200     [::]:5432           [::]:*
0.0.0.0:5432 and [::]:5432 show listeners on all IPv4 and IPv6 interfaces.
$ sudo cp /etc/postgresql/18/main/postgresql.conf /etc/postgresql/18/main/postgresql.conf.before-access-change
Replace the path with the value returned by SHOW config_file.
$ sudoedit /etc/postgresql/18/main/postgresql.conf
listen_addresses = 'localhost'
Use a specific private IP address or a comma-separated list when trusted remote clients still need direct access, and avoid * unless every interface must accept connection attempts.
A wrong bind address can leave PostgreSQL unreachable for clients that depend on TCP connections.
$ sudo systemctl restart postgresql
A restart disconnects active sessions and aborts running transactions.
$ sudo -u postgres psql -Atc "SHOW listen_addresses;"
localhost
$ sudo ss -lnt 'sport = :5432'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       200     127.0.0.1:5432      0.0.0.0:*
LISTEN  0       200     [::1]:5432          [::]:*
Loopback-only listeners appear as 127.0.0.1:5432 and, when IPv6 loopback is enabled, [::1]:5432.
$ sudo -u postgres psql -Atc "SHOW hba_file;"
/etc/postgresql/18/main/pg_hba.conf
Loopback-only listen_addresses blocks remote TCP connections, but permissive host entries matter again when binding to a non-loopback interface.
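To see which pg_hba.conf entries would start admitting remote clients once the server binds a non-loopback address, the following added example (not part of the original page) reads pg_hba.conf text on stdin and lists every host-type entry that matches non-loopback clients. The function names, the INFO/WARN/HIGH labels, and the sample file are constructed for illustration; the script assumes no include directives and no quoted names containing spaces.

```shell
#!/bin/sh
# Added example, not from the original page: list pg_hba.conf entries that
# admit non-loopback TCP clients. Reads pg_hba.conf text on stdin.
# Assumptions: no include directives, no quoted names containing spaces.
audit_hba() {
  awk '
    NF == 0 || $1 ~ /^#/ { next }        # blank lines and comments
    $1 !~ /^host/        { next }        # "local" entries are Unix-socket only
    {
      addr = $4; mask = ""; method = $5
      # ADDRESS is either CIDR/keyword, or an IP followed by a separate netmask
      if ($5 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ || index($5, ":") > 0) {
        mask = $5; method = $6
      }
      if (method == "reject") next       # entry denies access
      if (addr ~ /^127\./ || addr == "::1/128" || addr == "samehost") next
      any = (addr == "all" || addr == "0.0.0.0/0" || addr == "::/0" ||
             addr == "::0/0" || mask == "0.0.0.0")
      level = "INFO"
      if (any)               level = "WARN"   # every client address matches
      if (method == "trust") level = "HIGH"   # no authentication at all
      printf "line %d [%s] %s db=%s user=%s addr=%s method=%s\n",
             NR, level, $1, $2, $3, addr, method
    }'
}

# Constructed sample input (not a real server configuration).
sample_hba() {
cat <<'EOF'
# TYPE  DATABASE    USER      ADDRESS          METHOD
local   all         postgres                   peer
host    all         all       127.0.0.1/32     scram-sha-256
host    all         all       ::1/128          scram-sha-256
host    appdb       appuser   10.20.0.15/32    scram-sha-256
host    all         all       0.0.0.0/0        md5
hostssl all         all       0.0.0.0 0.0.0.0  scram-sha-256
host    replication repl      10.20.0.0/24     trust
host    all         all       192.0.2.0/24     reject
EOF
}

sample_hba | audit_hba
```

On a live server, pipe the file returned by SHOW hba_file into audit_hba instead of the sample. Because pg_hba.conf is matched in order, review each reported entry together with the lines above it.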