This is a guide for a secure installation of Mosquitto MQTT broker on Raspberry Pi 4 running Ubuntu Server 21.10.
This guide is written for installation on a Raspberry Pi; however, the setup would be nearly identical on a VPS.
Mosquitto is an open source MQTT message broker. The MQTT protocol provides a lightweight method of carrying out messaging using a publish/subscribe model. This makes it suitable for Internet of Things messaging such as with low power sensors.
1. Install Ubuntu Server 21.10.
See this guide for a secure basic installation of Ubuntu 21.10.
2. Install Mosquitto broker and clients
The installation assumes the user has root access.
- Switch to root environment
- Update Ubuntu’s package list
- Install broker and clients
apt-get install mosquitto mosquitto-clients
3. Configure MQTT Passwords
Configure Mosquitto to use passwords instead of anonymous login.
The following example will create two accounts. Make sure to use your own unique usernames and passwords.
- Friends user:
  - User: friends
  - Password: friends_password
- MQTT Explorer user:
  - User: mqtt_explorer
  - Password: mqtt_explorer_password
- Create the password file with the initial user account. Replace friends with your username.
mosquitto_passwd -c /etc/mosquitto/passwd friends
- Open a new configuration file for Mosquitto and tell it to use this password file, so that logins are required for all connections.
Paste in the following and then close the file.
- Create a user account for the MQTT Explorer tool (use your own password)
mosquitto_passwd -b /etc/mosquitto/passwd mqtt_explorer mqtt_explorer_password
Note: use the following command to add further user accounts, replacing user and password. The -b flag takes the password from the command line, so it ends up in your shell history; omit -b and the trailing password to be prompted for it instead.
mosquitto_passwd -b /etc/mosquitto/passwd user password
4. Configure listener
- Open the configuration file
- Paste this line at the bottom of the file to configure the port, then close the file
- Open MQTT port on firewall
ufw allow 1883
- Restart Mosquitto
service mosquitto stop
service mosquitto start
- Check that the service started
service mosquitto status
5. Configure ACL (access control list)
If you do not configure access control then all users will have full read/write access to all topics. Once an ACL file is loaded, the opposite holds: any access not explicitly granted in it is denied.
- Open the Mosquitto configuration file
- Add the following to the file and close it.
- Create and open the access control list file
- Modify the following example to configure the desired access control for each user.
#give full read access to the $SYS topic.
pattern read $SYS/#
#give friends read/write access to the friendstopic topic
user friends
topic friendstopic/#
#give mqtt_explorer read access to all topics.
user mqtt_explorer
topic read #
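As an added example (not part of this guide), the Python script below brings steps 3 to 5 together: it renders the broker directives the guide has you paste (listener 1883, allow_anonymous false, password_file, acl_file), writes the step 5 ACL, and then evaluates that ACL the way Mosquitto does, so you can check what each account can actually read or write before restarting the broker. The file name conf.d/default.conf is an assumption; creating the password entries is left to mosquitto_passwd exactly as in step 3. The matching logic also shows a Mosquitto rule the ACL relies on without saying so: the # wildcard never matches topics under $SYS, which is why the pattern line grants $SYS/# separately.

```python
"""Added example, not from the guide: render the Mosquitto directives from
steps 3-5 and evaluate the step 5 ACL to see what each account may do."""
import os
import tempfile

# Paths used in the guide. The conf.d file name is an assumption.
PASSWD_FILE = "/etc/mosquitto/passwd"
ACL_FILE = "/etc/mosquitto/acl"
CONF_NAME = os.path.join("conf.d", "default.conf")
LISTENER_PORT = 1883

# The ACL from step 5 (comments reworded, markup removed).
ACL_TEXT = """\
# everyone may read the $SYS tree
pattern read $SYS/#
# friends may read and write under friendstopic/
user friends
topic friendstopic/#
# mqtt_explorer may read every non-$SYS topic
user mqtt_explorer
topic read #
"""


def render_broker_conf(passwd=PASSWD_FILE, acl=ACL_FILE, port=LISTENER_PORT):
    """The directives the guide has you paste in steps 3-5. Mosquitto 2.x
    (shipped with Ubuntu 21.10) only listens if a listener is declared."""
    return (f"listener {port}\n"
            "allow_anonymous false\n"
            f"password_file {passwd}\n"
            f"acl_file {acl}\n")


def parse_acl(text):
    """Return (scope, access, topic) rules. scope is a username, None for
    topic lines before any user line (anonymous clients), or '*' for
    pattern lines, which apply to every client."""
    rules, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # only whole-line comments; '#' in a topic is a wildcard
            continue
        parts = line.split()
        if parts[0] == "user" and len(parts) == 2:
            current = parts[1]
            continue
        if parts[0] not in ("topic", "pattern") or len(parts) not in (2, 3):
            raise ValueError(f"unrecognised ACL line: {line!r}")
        access, topic = ("readwrite", parts[1]) if len(parts) == 2 else (parts[1], parts[2])
        if access not in ("read", "write", "readwrite"):
            raise ValueError(f"bad access type in: {line!r}")
        rules.append(("*" if parts[0] == "pattern" else current, access, topic))
    return rules


def topic_matches(pattern, topic):
    """Mosquitto topic matching: '+' is one level, '#' the remainder, and a
    wildcard in the first level never matches a '$'-prefixed topic."""
    if topic.startswith("$") and pattern[:1] in ("+", "#"):
        return False
    p_levels, t_levels = pattern.split("/"), topic.split("/")
    for i, p in enumerate(p_levels):
        if p == "#":
            return i == len(p_levels) - 1      # '#' is only valid as the last level
        if i >= len(t_levels) or (p != "+" and p != t_levels[i]):
            return False
    return len(p_levels) == len(t_levels)


def allowed(rules, user, access, topic, client_id="client"):
    """True if the ACL grants `access` ('read' or 'write') on a concrete topic
    to `user` (None = anonymous). With an acl_file loaded, anything not
    granted is denied, so the default answer is False."""
    for scope, acc, pat in rules:
        if acc not in (access, "readwrite"):
            continue
        if scope == "*":
            if "%u" in pat and user is None:   # %u patterns never match anonymous clients
                continue
            pat = pat.replace("%u", user or "").replace("%c", client_id)
        elif scope != user:
            continue
        if topic_matches(pat, topic):
            return True
    return False


def write_files(base_dir=None):
    """Write the config and ACL under base_dir (/etc/mosquitto on the Pi;
    a temporary directory when omitted) and return both paths."""
    base_dir = base_dir or tempfile.mkdtemp()
    conf_path = os.path.join(base_dir, CONF_NAME)
    acl_path = os.path.join(base_dir, "acl")
    os.makedirs(os.path.dirname(conf_path), exist_ok=True)
    with open(acl_path, "w") as f:
        f.write(ACL_TEXT)
    with open(conf_path, "w") as f:
        f.write(render_broker_conf(os.path.join(base_dir, "passwd"), acl_path))
    return conf_path, acl_path


RULES = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    print("wrote %s and %s" % write_files())
    for user, access, topic in [("friends", "write", "friendstopic/kitchen/temp"),
                                ("friends", "write", "other/topic"),
                                ("mqtt_explorer", "read", "friendstopic/kitchen/temp"),
                                ("mqtt_explorer", "write", "friendstopic/kitchen/temp"),
                                ("mqtt_explorer", "read", "$SYS/broker/uptime"),
                                (None, "read", "friendstopic/kitchen/temp")]:
        print(f"{user or 'anonymous':14} {access:5} {topic:28} ->",
              "allow" if allowed(RULES, user, access, topic) else "deny")
```

Run it without arguments to see the allow/deny table for the two accounts and for an anonymous client; point write_files at /etc/mosquitto (as root) to produce the real files, then run mosquitto_passwd from step 3 and restart the service as in step 4. Edit ACL_TEXT to match your own topics and re-run the checks before deploying.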
6. Reboot and check that the broker is running
SSH in with your user account and check the service status
sudo service mosquitto status