Terrorr
(Terrorr)
January 3, 2022, 11:19am
1
I would like to have access to my MQTT from an external network. I tested it and it looks like all MQTT topics are visible without any login/pass … Is it a bug? Is there a way to block it (anonymous connection)?
tom_l
January 3, 2022, 11:22am
2
How are you accessing the broker exactly?
Terrorr
(Terrorr)
January 3, 2022, 11:29am
3
I opened port 1883 on my router, and I tested it with MQTT Explorer (using a mobile connection).
Topics are visible, but not on every anonymous connection attempt. Sometimes they show up after a couple of attempts.
tom_l
January 3, 2022, 12:24pm
4
So you have exposed an unencrypted broker with no authentication to the internet?
3 Likes
Terrorr
(Terrorr)
January 3, 2022, 1:05pm
5
I thought that MQTT by default has authentication by login/pass.
I made additional accounts in the MQTT configuration, so I have my 2 accounts and the HA default accounts, and it works fine…
Why is it possible to connect as anonymous? If I put a wrong login/pass the connection is refused by the server and disconnected. Something is not OK.
koying
(Chris B)
January 3, 2022, 1:33pm
6
How did you install your broker?
If on your own, no authentication is the default, so blame yourself for misconfiguring it / not reading the docs
Terrorr
(Terrorr)
January 3, 2022, 1:35pm
7
It is the standard Mosquitto broker 6.0.1 from the HA add-on …
I cannot find anything in the docs about how to disable anonymous login. I just saw that from version 6.0.0 this option is removed (“Support for anonymous logins has been removed”), so for me, if it is removed it should be disabled by default…
1 Like
koying
(Chris B)
January 3, 2022, 1:52pm
8
It’s been removed from the addon, but afaict, not from mosquitto itself, and I don’t see “allow_anonymous false” defined anywhere in the addon, so maybe an actual issue…
tom_l
January 3, 2022, 2:18pm
9
You can use an ACL (access control list).
There’s still the matter of sending the data unencrypted over the internet.
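Both points raised in this thread, anonymous access and plaintext on the internet, as an added example that is not from the thread, the add-on or the Mosquitto project: a small linter that reads a mosquitto.conf and flags `allow_anonymous`, a listener without `certfile`/`keyfile`, and a missing `password_file`/`acl_file`. The two sample configs and every file path are constructed placeholders.

```python
# Constructed sample in the shape of the exposed broker discussed above.
WEAK_CONF = """
listener 1883
allow_anonymous true
"""
# Constructed sample: anonymous off, TLS on the listener, a password file and
# an ACL file enforced. All file paths are placeholders.
HARDENED_CONF = """
listener 8883
certfile /path/to/fullchain.pem
keyfile /path/to/privkey.pem
allow_anonymous false
password_file /path/to/passwd
acl_file /path/to/acl
"""

def parse(text):
    """Return (settings, listeners); certfile/keyfile attach to the latest listener."""
    settings, listeners = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "listener":
            listeners.append({"port": int(value.split()[0]), "tls": set()})
        elif key in ("certfile", "keyfile") and listeners:
            listeners[-1]["tls"].add(key)
        else:
            settings[key] = value
    return settings, listeners

def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    settings, listeners = parse(text)
    findings = []
    anon = settings.get("allow_anonymous")
    if anon == "true":
        findings.append("allow_anonymous true: clients need no credentials")
    elif anon is None:
        findings.append("allow_anonymous unset: default changed in 2.0, set it")
    for lst in listeners:
        if lst["tls"] != {"certfile", "keyfile"}:
            findings.append(f"listener {lst['port']}: no certfile/keyfile, plaintext")
    if "password_file" not in settings:
        findings.append("no password_file: no credentials are configured")
    if "acl_file" not in settings:
        findings.append("no acl_file: any authenticated client sees every topic")
    return findings
```

With `per_listener_settings true` the authentication options apply per listener and this global check does not cover them.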
Terrorr
(Terrorr)
January 3, 2022, 2:50pm
10
That is why I’m a little bit surprised
Terrorr
(Terrorr)
January 3, 2022, 2:54pm
11
I saw this option, but how do I describe an empty/blind/anonymous user? A blank command won’t work, it makes no sense …
It is not needed to encrypt the data, it’s just sensor data from an esp32 …
tom_l
January 3, 2022, 10:38pm
12
Orly?
This is a talk at a hacker conference specifically about attacking exposed unencrypted mqtt brokers.
Terrorr
(Terrorr)
January 4, 2022, 8:51am
13
Yes, I understand the risk of having an externally open MQTT. That’s why I made this post.
Could you suggest how to make it safer than the standard HA solution offers?
I wanted to have an esp32 collecting some data, connected to an external wifi.
Terrorr
(Terrorr)
January 4, 2022, 11:27am
14
I found that it is a known problem …
opened 08:32PM - 26 Jun 21 UTC, closed 02:19AM - 23 Oct 21 UTC
labels: add-on: mosquitto, stale
## The problem
Mosquitto broker allows connections from devices without credentials even when the anonymous option is set to false in the settings.
## Environment
- Add-on with the issue: Mosquitto broker
- Add-on release with the issue: 6.0.1
- Last working add-on release (if known):
- Operating environment (OS/Supervised): Hassio core-2021.6.6
## Problem-relevant configuration
```yaml
logins:
  - username: *************
    password: *************
customize:
  active: true
  folder: mosquitto
certfile: fullchain.pem
keyfile: privkey.pem
require_certificate: false
anonymous: false
```
## Traceback/Error logs
The log shows the connection is accepted even when no user is provided
```txt
2021-06-26T19:17:51: New client connected from 192.168.0.41 as ***name removed*** (p2, c1, k10).
```
## Additional information