This is a guide for a secure installation of Mosquitto MQTT broker on Raspberry Pi 4 running Ubuntu Server 21.10.
This guide is written for installation on a Raspberry Pi; however, the setup is nearly identical on a VPS.
Mosquitto is an open source MQTT message broker. The MQTT protocol provides a lightweight method of carrying out messaging using a publish/subscribe model. This makes it suitable for Internet of Things messaging such as with low power sensors.
1. Install Ubuntu Server 21.10.
2. Install Mosquitto broker and clients
The installation assumes the user has root access.
- Switch to root environment
- Update Ubuntu’s package list
- Install broker and clients
apt-get install mosquitto mosquitto-clients
3. Configure MQTT Passwords
Configure Mosquitto to require a username and password instead of allowing anonymous login.
The following example creates two accounts. Make sure to use your own unique usernames and passwords.
- Friends User:
  - User: friends
  - Password: friends_password
- MQTT Explorer User:
  - User: mqtt_explorer
  - Password: mqtt_explorer_password
- Create the password file with the initial user account (-c creates the file and overwrites it if it already exists). Replace friends with your username.
mosquitto_passwd -c /etc/mosquitto/passwd friends
- Open a new configuration file for Mosquitto (the Debian/Ubuntu package includes every *.conf file under /etc/mosquitto/conf.d) and tell it to use this password file and to require a login for all connections, i.e. set allow_anonymous to false and point password_file at the file created above.
Paste in the following and then close the file.
- Create the user account for the MQTT Explorer tool (use your own password)
mosquitto_passwd -b /etc/mosquitto/passwd mqtt_explorer mqtt_explorer_password
Note: Use the following command to add additional user accounts. With -b the password is passed on the command line, so it ends up in the shell history and is briefly visible to other users in the process list; omit -b and mosquitto_passwd will prompt for the password instead.
mosquitto_passwd -b /etc/mosquitto/passwd user password
4. Configure listener
- Open the configuration file
- Paste this line at the bottom of the file to configure the listener port and then close the file. Mosquitto 2.x only accepts connections from localhost unless a listener is configured explicitly, so this is the step that makes the broker reachable from other hosts.
- Open the MQTT port on the firewall. Port 1883 is plaintext MQTT, so the usernames and passwords configured above cross the network unencrypted; only open it towards a network you trust (or restrict the ufw rule by source address), and use a TLS listener if clients connect over the internet.
ufw allow 1883
- Restart Mosquitto
service mosquitto stop
service mosquitto start
- Check to make sure service started
service mosquitto status
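Steps 2 to 4 above as one script, added here as an example and not part of the original guide. It renders the broker configuration that the guide leaves implicit (listener, allow_anonymous, password_file), applies it, and then checks that an anonymous publish is refused while the friends account is accepted. Assumptions: Debian/Ubuntu packaging (the broker runs as user mosquitto and includes /etc/mosquitto/conf.d), the hypothetical file name /etc/mosquitto/conf.d/default.conf, and the example usernames from step 3. Run it as root with `sh setup_mosquitto.sh apply`; without the argument it only defines the functions.

```shell
#!/bin/sh
# Added example (not from the original guide): steps 2-4 plus a smoke test.
# Assumes Debian/Ubuntu mosquitto packaging; CONF_FILE is a name chosen here.
set -eu

PASSWD_FILE=/etc/mosquitto/passwd
CONF_FILE=/etc/mosquitto/conf.d/default.conf   # assumed name; any *.conf in conf.d is included
MQTT_PORT=1883

# Render the configuration for steps 3 and 4: require a password for every
# connection and open a listener on the MQTT port. Mosquitto 2.x only listens
# on localhost unless a listener is configured explicitly.
mosquitto_auth_conf() {
    printf '%s\n' \
        "listener $MQTT_PORT" \
        "allow_anonymous false" \
        "password_file $PASSWD_FILE"
}

# Publish one message with the given credentials; returns mosquitto_pub's exit
# status, which is non-zero when the broker refuses the connection.
# usage: try_publish user password topic
try_publish() {
    mosquitto_pub -h 127.0.0.1 -p "$MQTT_PORT" -u "$1" -P "$2" -t "$3" -m smoke-test
}

apply_setup() {
    # Step 2: packages
    apt-get update
    apt-get install -y mosquitto mosquitto-clients

    # Step 3: password file. -c creates (and overwrites) the file. Without -b
    # mosquitto_passwd prompts, so the password never appears in shell history
    # or the process list. Replace the example usernames.
    mosquitto_passwd -c "$PASSWD_FILE" friends
    mosquitto_passwd "$PASSWD_FILE" mqtt_explorer
    # Hardening not in the original guide: only root and the broker's group
    # may read the password hashes.
    chown root:mosquitto "$PASSWD_FILE"
    chmod 640 "$PASSWD_FILE"

    mosquitto_auth_conf > "$CONF_FILE"

    # Step 4: firewall and restart
    ufw allow "$MQTT_PORT"
    systemctl restart mosquitto
    systemctl is-active --quiet mosquitto

    # Smoke test: an anonymous client must be refused, a configured user accepted.
    if mosquitto_pub -h 127.0.0.1 -p "$MQTT_PORT" -t friendstopic/test -m anon 2>/dev/null; then
        echo "FAIL: anonymous publish was accepted" >&2
        exit 1
    fi
    printf 'Password for friends (smoke test): '
    read -r friends_pw
    try_publish friends "$friends_pw" friendstopic/test
    echo "OK: anonymous refused, friends accepted"
}

if [ "${1:-}" = apply ]; then
    apply_setup
fi
```

The script writes its own file under conf.d rather than editing /etc/mosquitto/mosquitto.conf, so a package upgrade cannot silently replace the hardened settings; the smoke test is the check worth repeating after any later configuration change, since a typo in allow_anonymous turns the broker back into an open relay.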
5. Configure ACL (access control list)
If you do not configure access control then every authenticated user has full read/write access to all topics. Once an acl_file is configured, anything that is not explicitly granted in it is denied.
- Open the Mosquitto configuration file
- Add an acl_file line pointing at the ACL file created in the next step, then close the file. Mosquitto only reads the ACL file at start-up (or on SIGHUP), so restart the broker after editing it.
- Create and open the access control list file
- Modify the following example to configure the desired access control for each user.
#give full read access to $SYS topic.
pattern read $SYS/#

#give friends read/write access to friendstopic topic
user friends
topic friendstopic/#

#give mqtt_explorer read access to all topics.
user mqtt_explorer
topic read #
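The ACL step as a script, added here as an example and not part of the original guide. Besides writing the ACL and the acl_file directive, it checks enforcement the only reliable way: Mosquitto drops an ACL-denied publish silently (at the default QoS 0 the publisher gets no error), so the script watches with a subscriber on `#` whether the message actually arrives. Assumptions: the broker from the previous steps is running on localhost with the users friends and mqtt_explorer, the broker runs as user mosquitto, and the hypothetical file name /etc/mosquitto/conf.d/acl.conf. Run as root with `sh acl_setup.sh apply`.

```shell
#!/bin/sh
# Added example (not from the original guide): step 5 plus an enforcement check.
# ACL_CONF is a name chosen here; the broker is assumed to run on localhost.
set -eu

ACL_FILE=/etc/mosquitto/acl
ACL_CONF=/etc/mosquitto/conf.d/acl.conf   # assumed name

# The ACL from the guide. With acl_file set, anything not granted is denied;
# a "topic" line without read/write grants both.
mosquitto_acl() {
    cat <<'EOF'
# all clients may read the broker's $SYS status topics
pattern read $SYS/#

# friends: read and write under friendstopic/
user friends
topic friendstopic/#

# mqtt_explorer: read everything, write nothing
user mqtt_explorer
topic read #
EOF
}

# Attempt a publish and report whether a reader on '#' saw it. A denied
# publish is dropped by the broker without an error to the publisher, so the
# observer is the check, not mosquitto_pub's exit status.
# usage: publish_seen pub_user pub_password topic   -> prints "seen" or "dropped"
publish_seen() {
    tmp=$(mktemp)
    # -C 1: stop after one message, -W 3: give up after 3 s, -v: print topic and payload
    mosquitto_sub -h 127.0.0.1 -u mqtt_explorer -P "$EXPLORER_PW" \
        -t '#' -C 1 -W 3 -v > "$tmp" 2>/dev/null &
    sleep 1
    mosquitto_pub -h 127.0.0.1 -u "$1" -P "$2" -t "$3" -m acl-probe 2>/dev/null || true
    wait $! || true
    if [ -s "$tmp" ]; then echo seen; else echo dropped; fi
    rm -f "$tmp"
}

apply_acl() {
    mosquitto_acl > "$ACL_FILE"
    # Hardening not in the original guide: readable by root and the broker only.
    chown root:mosquitto "$ACL_FILE"
    chmod 640 "$ACL_FILE"
    echo "acl_file $ACL_FILE" > "$ACL_CONF"
    systemctl restart mosquitto      # ACL changes need a restart or SIGHUP

    printf 'Password for friends: ';        read -r FRIENDS_PW
    printf 'Password for mqtt_explorer: ';  read -r EXPLORER_PW

    r1=$(publish_seen friends "$FRIENDS_PW" friendstopic/probe)          # allowed
    r2=$(publish_seen friends "$FRIENDS_PW" other/probe)                 # not in friends' ACL
    r3=$(publish_seen mqtt_explorer "$EXPLORER_PW" friendstopic/probe)   # read-only user
    echo "friends->friendstopic: $r1, friends->other: $r2, mqtt_explorer->friendstopic: $r3"
    if [ "$r1" = seen ] && [ "$r2" = dropped ] && [ "$r3" = dropped ]; then
        echo "OK: ACL enforced as expected"
    else
        echo "FAIL: ACL not enforced as expected" >&2
        exit 1
    fi
}

if [ "${1:-}" = apply ]; then
    apply_acl
fi
```

The third probe is the one that catches the most common mistake: giving a monitoring account `topic #` instead of `topic read #` turns a read-only viewer into a writer on every topic, and nothing in the broker's normal output will tell you.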
6. Reboot and check that the broker is running
SSH in with your user account and check the service status
sudo service mosquitto status