How to secure MQTT broker
What you will learn here about mosquitto or MQTT security
- How to secure MQTT broker
Here we will see how to secure an MQTT broker (mosquitto) on a Raspberry Pi, Ubuntu, an AWS EC2 instance, a Google Cloud VM instance, etc. Please follow the steps below.
First you need a broker. If you don’t know how to install an MQTT broker then please visit one of the following links:
Steps to install MQTT Broker on Linux
Steps to Install MQTT Broker on Raspberry Pi
Steps to Install MQTT Broker on Google Cloud
How to install mqtt broker on aws ec2 instance
Mosquitto Installation
Please follow these steps to install mosquitto
1) Please execute the following command to update the existing packages
sudo apt-get update
2) Please execute the following command to install mosquitto
sudo apt-get install mosquitto
3) Please execute the following command to install mosquitto-clients
sudo apt-get install mosquitto-clients
Mosquitto UserName Password setup
Please follow these steps to secure mosquitto using a username and password
1) Please execute the following command to navigate to the mosquitto directory
cd /etc/mosquitto/
2) Please execute the following command to generate the username and password file
sudo mosquitto_passwd -c /etc/mosquitto/passfile your-username
Enter a new password for authentication when prompted. The -c option creates a new password file and overwrites any existing one, so omit it when adding further users to the same file.
3) Please execute the following command to modify mosquitto.conf
sudo nano /etc/mosquitto/mosquitto.conf
4) Add the following lines to mosquitto.conf
allow_anonymous false
password_file /etc/mosquitto/passfile
Press Ctrl + X, type Y and hit Enter to save the changes
5) Please execute the following command to stop mosquitto
sudo systemctl stop mosquitto
6) Please execute the following command to start mosquitto
sudo systemctl start mosquitto
7) Please execute the following command to check the status
sudo systemctl status mosquitto
8) Please execute the following command to subscribe to messages on the topic example,
where -u is the username entered in step 2 and -P is the password entered in step 2
mosquitto_sub -t example -h localhost -u "sample" -P "sample123"
9) Please execute the following command to publish a message on the topic example
mosquitto_pub -t example -h localhost -u "EnterUserNamehere" -P "EnterPasswordhere" -m "Hello"
mosquitto SSL installation
Please follow these steps to secure mosquitto using an SSL certificate. Without TLS, the username and password from the previous section are sent over the network in cleartext.
1) Please visit the following link to install the free SSL certificate
Let’s Encrypt SSL certificates
2) The remaining steps assume you have installed the free SSL certificates
3) Please execute the following command to modify mosquitto.conf
sudo nano /etc/mosquitto/mosquitto.conf
4) Please add the following lines to the mosquitto.conf file
Please replace example.bytesofgigabytes.com with your domain name
The listener 1883 localhost line keeps the unencrypted port bound to the loopback interface only; port 8883 serves MQTT over TLS and port 8083 serves MQTT over WebSockets with TLS.
listener 1883 localhost
listener 8883
certfile /etc/letsencrypt/live/example.bytesofgigabytes.com/cert.pem
cafile /etc/letsencrypt/live/example.bytesofgigabytes.com/chain.pem
keyfile /etc/letsencrypt/live/example.bytesofgigabytes.com/privkey.pem
listener 8083
protocol websockets
certfile /etc/letsencrypt/live/example.bytesofgigabytes.com/cert.pem
cafile /etc/letsencrypt/live/example.bytesofgigabytes.com/chain.pem
keyfile /etc/letsencrypt/live/example.bytesofgigabytes.com/privkey.pem
Press Ctrl + X, type Y and hit Enter to save the changes
5) Please execute the following command to stop mosquitto
sudo systemctl stop mosquitto
6) Please execute the following command to start mosquitto
sudo systemctl start mosquitto
7) Please execute the following command to check the status
sudo systemctl status mosquitto
8) Please execute the following command to subscribe to messages on the topic example
mosquitto_sub -t example -h "example.bytesofgigabytes.com" -u "sample" -P "sample123" -p 8883 --capath /etc/ssl/certs/
9) Please execute the following command to publish a message on the topic example
mosquitto_pub -t example -h "example.bytesofgigabytes.com" -u "EnterUserNamehere" -P "EnterPasswordhere" -m "Hello" -p 8883 --capath /etc/ssl/certs/
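To check that a mosquitto.conf actually carries both hardening steps described above (anonymous access disabled with a password file, and TLS on every listener that is not bound to localhost), the following shell function can be run against the file. It is an added example, not part of the original guide or of Mosquitto itself; the function name audit_mosquitto_conf and the sample configuration are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit a mosquitto.conf for the two hardening steps in this guide.
# audit_mosquitto_conf is a hypothetical helper name, not a Mosquitto tool.
# Prints one FINDING line per problem; returns 0 if clean, 1 otherwise.
# Limitation: the implicit default listener (no "listener" line) is not assessed.
audit_mosquitto_conf() {
    awk '
    function report(msg) { print "FINDING: " msg; findings++ }
    function close_listener() {
        # A listener not bound to loopback must carry both certfile and keyfile.
        if (port != "" && !is_local && !(has_cert && has_key))
            report("listener " port " is reachable from the network without TLS")
    }
    NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
    $1 == "allow_anonymous" { anon = $2 }
    $1 == "password_file"   { pwfile = $2 }
    $1 == "listener" {
        close_listener()                    # finish the previous listener block
        port = $2
        is_local = ($3 == "localhost" || $3 == "127.0.0.1" || $3 == "::1")
        has_cert = 0; has_key = 0
    }
    $1 == "certfile" { has_cert = 1 }
    $1 == "keyfile"  { has_key = 1 }
    END {
        close_listener()
        if (anon != "false") report("allow_anonymous is not set to false")
        if (pwfile == "")    report("no password_file configured")
        exit (findings > 0)
    }' "$1"
}

# Constructed sample: this guide's settings plus one extra plaintext listener.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
allow_anonymous false
password_file /etc/mosquitto/passfile
listener 1883 localhost
listener 8883
certfile /etc/letsencrypt/live/example.bytesofgigabytes.com/cert.pem
keyfile /etc/letsencrypt/live/example.bytesofgigabytes.com/privkey.pem
listener 1884
EOF
audit_mosquitto_conf "$demo_conf" || true
rm -f "$demo_conf"
```

On a real broker, run it as audit_mosquitto_conf /etc/mosquitto/mosquitto.conf after editing the file and before restarting mosquitto.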