Mosquitto Broker - external visible with no login/pass

Terrorr · January 3, 2022, 11:19am

I would like to have access to my mqtt from external network. I test it and it looks like all mqtt topics are visible without any login/pass … It is a bug ? It is the way to block it (anonymous connection) ?

tom_l · January 3, 2022, 11:22am

How are you accessing the broker exactly?

Terrorr · January 3, 2022, 11:29am

I opened 1883 port at my router, and I tested it with MQTT explorer (using mobile connection).

Topics are visible but not at each attempt anonymous connections. Sometimes it is showing after couple attempts.

tom_l · January 3, 2022, 12:24pm

So you have exposed an unencrypted broker with no authentication to the internet?

Terrorr · January 3, 2022, 1:05pm

I thought that mqtt by default has authentication by login/pass.
I made additional accounts in mqtt configuration so I have 2 my accounts and HA default accounts and it works fine…

Why it is possible to connect as anonymous ? If I put wrong login/pass connection is refused by server and diconnected. Something is not OK.

koying · January 3, 2022, 1:33pm

How did you installed your broker?
If on your own, no authentication is the default, so blame yourself for misconfiguring it / not reading the doc

Terrorr · January 3, 2022, 1:35pm

It is standard Mosquitto broker 6.0.1 from HA addon …

I cannot find anything in docs how to disable anonymous login. I just saw than from 6.0.0 version this option is removed “Support for anonymous logins has been removed”, so for me if it is removed it should be disable by default…

koying · January 3, 2022, 1:52pm

It’s been removed from the addon, but afaict, not from mosquitto itself, and I don’t see “allow_anonymous false” defined anywhere in the addon, so maybe an actual issue…

tom_l · January 3, 2022, 2:18pm

You can use an ACL (access control list).

There’s still the matter of sending the data unencrypted over the internet.

Terrorr · January 3, 2022, 2:50pm

That is why I’m little bit suprised

Terrorr · January 3, 2022, 2:54pm

I saw this option, but how describe empty/blind/anonymous user ? Blank command won’t work, it makes no sense …

It is not needed to encrypt data, it’s just sensors data from esp32 …

tom_l · January 3, 2022, 10:38pm

Orly?

This is a talk at a hacker conference specifically about attacking exposed unencrypted mqtt brokers.

Terrorr · January 4, 2022, 8:51am

Yes, I understand risk of having external open mqtt. That’s why I made this post.

Could You prompt how to make it more safe than standard HA solution offer ?

I wanted to have esp32 collecting some data, that will be connected to external wifi.

Terrorr · January 4, 2022, 11:27am

I found that it is known problem …

github.com/home-assistant/addons

Mosquitto broker allows connections from devices without credentials

opened 08:32PM - 26 Jun 21 UTC

closed 02:19AM - 23 Oct 21 UTC

Heisenberg2980

add-on: mosquitto stale

## The problem  Mosquitto broker allows connections from devices without credentials even the anonymous option is set to false in the settings. ## Environment  - Add-on with the issue: Mosquitto broker - Add-on release with the issue: 6.0.1 - Last working add-on release (if known): - Operating environment (OS/Supervised): Hassio core-2021.6.6 ## Problem-relevant configuration  ```yaml logins: - username: ************* password: ************* customize: active: true folder: mosquitto certfile: fullchain.pem keyfile: privkey.pem require_certificate: false anonymous: false ``` ## Traceback/Error logs  The log shows the connection is accepted even no user is provided ```txt 2021-06-26T19:17:51: New client connected from 192.168.0.41 as ***name removed*** (p2, c1, k10). ``` ## Additional information