Trying to add a bit of security to hass.io - mosquitto?

fribse · May 15, 2019, 5:35am

Now that my lock is available through HA, I really want to beef up security.
So I’ve removed the API password, I didn’t see that configured in any of my addons.
I’m now trying to figure out Mosquitto.
Looking in the docs for it, it says:

Using Mosquitto with Hass.io

Install the Mosquitto add-on with the default configuration via ‘Hass.io > ADD-ON STORE’. (Don’t forget to start the add-on & verify that ‘Start on boot’ is enabled.)

Create a new user for MQTT via the Configuration > Users (manage users) . (Note: This name cannot be “homeassistant” or “addon”)

Once back on-line, return to Configuration > Integrations and select configure next to MQTT .
  Broker: YOUR_HASSIO_IP_ADDRESS
  Port: 1883
  Username: MQTT_USERNAME
  Password: MQTT_PASSWORD
Note: .yaml modifications are not required. See testing your setup to verify the steps above.

It’s working at the moment, but I haven’t set any username and password in the mqtt config or in the HA config.
In the HA, it just reads:

mqtt:
  broker: IP
  discovery_prefix: homeassistant

So, item 3 in the list, it’s written as if is pointing to the Mosquitto config, but is it the HA config it’s supposed to go into?
What about the mosquitto config, do I need to enter something there as well?

tom_l · May 15, 2019, 6:06am

Remove that completely. It is not needed. The mqtt broker is now an integration. Restart after removing it and then go to the Configuration MENU / Integrations page to set up mqtt (step 3).

You should also read the warning on the Mosquitto docs page about setting up an ACL. This is required.

If you want it to be secure you are going to need to set up SSL in the mqtt addon config as well. I’ve never done this so can’t offer any advice here.

fribse · May 15, 2019, 7:32am

I already have mosquitto installed (and it’s working fine), I’m just trying to clean it up, so I guess I should just remove the lines from the config?

…

Ok, I’ve removed the lines from configuration, and it still works, so I guess that part is good.

fribse · May 15, 2019, 8:59am

Moving into ACL I’m a bit unsure.
I’ve created the two files, but this part:

user [YOUR_MQTT_USER]
topic #

What ‘mqtt user’ is that?

I don’t see anything in the config for mqtt, or is that just a HA user that’s dedicated to mqtt?

tom_l · May 15, 2019, 9:01am

This user from step 2 in your original post.

fribse · May 15, 2019, 9:02am

I see, but it doesn’t need the users pw?

tom_l · May 15, 2019, 9:03am

No, the authentication is taken care of by the broker. The ACl is just a list of what topics the user is allowed access to.

fribse · May 15, 2019, 9:05am

Ok, great, thankyou VERY very much Tom, it is much appreciated when the docs are a bit fluffy

fribse · May 15, 2019, 9:13am

After activating it, I see this in the logfile:

1557911492: Socket error on client <unknown>, disconnecting.
1557911492: New connection from 172.30.32.1 on port 1883.
[INFO] found homeassistant on local database
1557911492: Socket error on client <unknown>, disconnecting.
1557911492: New connection from 172.30.32.1 on port 1883.

As I don’t have 172 network locally, I guess it’s the internal container network.
I’ve disabled port 1883 in the config, but that doesn’t seem to have any impact.