Mosquitto Broker - external visible with no login/pass

I would like to have access to my mqtt from external network. I test it and it looks like all mqtt topics are visible without any login/pass … It is a bug ? It is the way to block it (anonymous connection) ?

How are you accessing the broker exactly?

I opened 1883 port at my router, and I tested it with MQTT explorer (using mobile connection).

Topics are visible but not at each attempt anonymous connections. Sometimes it is showing after couple attempts.

So you have exposed an unencrypted broker with no authentication to the internet?

2 Likes

I thought that mqtt by default has authentication by login/pass.
I made additional accounts in mqtt configuration so I have 2 my accounts and HA default accounts and it works fine…

Why it is possible to connect as anonymous ? If I put wrong login/pass connection is refused by server and diconnected. Something is not OK.

How did you installed your broker?
If on your own, no authentication is the default, so blame yourself for misconfiguring it / not reading the doc :wink:

It is standard Mosquitto broker 6.0.1 from HA addon …

I cannot find anything in docs how to disable anonymous login. I just saw than from 6.0.0 version this option is removed “Support for anonymous logins has been removed”, so for me if it is removed it should be disable by default…

1 Like

It’s been removed from the addon, but afaict, not from mosquitto itself, and I don’t see “allow_anonymous false” defined anywhere in the addon, so maybe an actual issue…

You can use an ACL (access control list).

There’s still the matter of sending the data unencrypted over the internet.

That is why I’m little bit suprised :smiley:

I saw this option, but how describe empty/blind/anonymous user ? Blank command won’t work, it makes no sense …

It is not needed to encrypt data, it’s just sensors data from esp32 …

Orly?

This is a talk at a hacker conference specifically about attacking exposed unencrypted mqtt brokers.

Yes, I understand risk of having external open mqtt. That’s why I made this post.

Could You prompt how to make it more safe than standard HA solution offer ?

I wanted to have esp32 collecting some data, that will be connected to external wifi.

I found that it is known problem …