Android Question About security MQTT

Discussion in 'Android Questions' started by Pooya1, Jul 12, 2018 at 7:33 AM.

  1. Pooya1

    Pooya1 Active Member Licensed User

    Hi guys,
    I connect to the broker with one username and password that I declare in the password list,
    and all users subscribe to one topic.
    The big problem is that if a hacker finds this username and password, they can connect to the server with
    For i = 1 To 10000
    mqtt.Connect(........)
    Next
    so my server will be busy and get hacked.
    How do I protect the username and password? :(
     
  2. udg

    udg Expert Licensed User

    Hi,
    one way could be to manage each user's credentials separately; I mean that each user will have his/her own credentials.
    This way you don't have to store a general user/pwd in code, and even after decompiling your code an attacker would find nothing to hack your broker with. Each user on login will enter his/her credentials and those credentials will be used for the connection to the broker.
     
  3. Pooya1

    Pooya1 Active Member Licensed User

    Thank you.
    My first strategy was your solution, but when there are more than 2 million users the broker cannot manage it and the password list will be very big and heavy.
    So I was forced to make a robot in B4J: all users publish to the robot and the robot publishes to the users.
    Because there are more than 2 million users I cannot use your solution.
    Do you have another way?
     
  4. udg

    udg Expert Licensed User

    What about an authentication DB/service on the server?
    The user authenticates to this server which returns an encrypted token containing the credentials for the connection
     
    Last edited: Jul 12, 2018 at 8:11 AM
  5. moster67

    moster67 Expert Licensed User

    There is a plugin called "mosquitto-auth-plug" which is an authentication plugin for the Mosquitto-broker working with multiple back-ends (MySQL, Redis, CDB, SQLite3). You need to compile it and set it up to work with Mosquitto but it is well worth the effort if you want more flexibility to handle users and topics in real time. I have tested it and it works well without restarting the Mosquitto-server.
    See also this thread

    I published a support library here which can help you when using said plugin with B4X.
     
    BillMeyer, Peter Simpson and udg like this.
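Added example (not code from the thread, from B4X, or from mosquitto-auth-plug): the auth-service pattern udg describes in post 4, together with the broker-side check that a DB-backed auth plugin such as the one moster67 mentions in post 5 would perform, written in Python. The app never ships a broker credential: it sends the user's own login to the auth service, receives a short-lived token, and presents that token as the MQTT password; the broker side verifies the signature and expiry and binds the token to the username, so a token lifted from one device cannot be replayed as another user or after it expires, and the topic ACL keeps each user on their own topics. Assumptions made only for this example: the token is HMAC-signed rather than encrypted (the broker only has to verify it, not hide it), the key `TOKEN_KEY`, the lifetime `TOKEN_TTL`, the in-memory user store `USERS`, the topic layout `inbox/<user>` and `users/<user>/#`, and every function name are invented for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os
import secrets
import time

# Assumption: this key is shared only between the auth service and the broker's
# auth check; in production it is loaded from server configuration, never
# compiled into the app.
TOKEN_KEY = b"example-only-hmac-key-replace-me"
TOKEN_TTL = 300  # seconds a connection token stays valid (assumed value)


def hash_password(password: str, salt: bytes = None, iterations: int = 100_000) -> str:
    """Store user passwords as salted PBKDF2-SHA256, never as plaintext."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2$%d$%s$%s" % (iterations, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def check_password(password: str, stored: str) -> bool:
    _, iterations, salt_b64, dk_b64 = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))


# Constructed user store standing in for the authentication database.
USERS = {"alice": hash_password("correct horse"), "bob": hash_password("hunter2")}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username: str, password: str, now=None):
    """Auth service: check the user's own login, return a short-lived connection token or None."""
    stored = USERS.get(username)
    if stored is None or not check_password(password, stored):
        return None
    now = int(now if now is not None else time.time())
    claims = {"sub": username, "iat": now, "exp": now + TOKEN_TTL, "jti": secrets.token_hex(8)}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(TOKEN_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_connect(username: str, mqtt_password: str, now=None) -> bool:
    """Broker side (what an auth plugin would do): validate the token presented as the MQTT password."""
    try:
        payload_b64, sig_b64 = mqtt_password.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return False
    expected = hmac.new(TOKEN_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time compare
        return False
    claims = json.loads(payload)
    now = now if now is not None else time.time()
    # The token is bound to one username and to a deadline.
    return claims.get("sub") == username and claims.get("exp", 0) > now


def acl_check(username: str, topic: str, access: str) -> bool:
    """Per-user topic ACL (assumed layout): publish only to your own inbox, read only your own outbox."""
    if access == "publish":
        return topic == "inbox/" + username
    if access == "subscribe":
        return topic == "users/" + username or topic.startswith("users/" + username + "/")
    return False


if __name__ == "__main__":
    token = issue_token("alice", "correct horse")
    print("connect as alice:", verify_connect("alice", token))
    print("replay as bob:", verify_connect("bob", token))
    print("alice publishes to bob's inbox:", acl_check("alice", "inbox/bob", "publish"))
```

The app calls `issue_token` over HTTPS and uses the result as the MQTT password with its own username; the broker keeps no per-user password table at all, only `TOKEN_KEY`, which is why the 2-million-user list from post 3 does not have to live on the broker. Rate limiting of failed logins belongs in the auth service in front of `issue_token`.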
  6. Pooya1

    Pooya1 Active Member Licensed User

    Oh, your library is good,
    but I couldn't compile mosquitto.
    Do you have a released version?
     
  7. moster67

    moster67 Expert Licensed User

    It is not possible to release a "universal" version.
    You must compile the plugin yourself against your broker since the plugin is integrated with your configuration as I explained in this thread.
     
    BillMeyer, Peter Simpson and Pooya1 like this.
  8. victormedranop

    victormedranop Active Member Licensed User

    The mosquitto server has its own password file for topic registration.

    See mosquitto.conf:

    # -----------------------------------------------------------------
    # Default authentication and topic access control
    # -----------------------------------------------------------------

    # Control access to the broker using a password file. This file can be
    # generated using the mosquitto_passwd utility. If TLS support is not compiled
    # into mosquitto (it is recommended that TLS support should be included) then
    # plain text passwords are used, in which case the file should be a text file
    # with lines in the format:
    # username:password
    # The password (and colon) may be omitted if desired, although this
    # offers very little in the way of security.
    #
    # See the TLS client require_certificate and use_identity_as_username options
    # for alternative authentication options. If an auth_plugin is used as well as
    # password_file, the auth_plugin check will be made first.
    password_file /etc/mosquitto/pwfile
     
    Pooya1 likes this.
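Added example (not from the thread or from the mosquitto distribution) showing the built-in settings that address the original question: the weak setup with one shared credential and anonymous access, beside a hardened listener with TLS, one credential per user in `password_file`, and a per-user topic ACL so that no user can publish to or read another user's topics. The file paths, the certificate names and the topic layout `inbox/%u` and `users/%u/#` are assumptions for this example.

```conf
# --- mosquitto.conf ---------------------------------------------------
# Weak (commented out): anonymous clients and a plaintext listener; with a
# single shared user/pwd compiled into the app, every install shares one
# identity and one leak exposes the whole broker.
#allow_anonymous true
#listener 1883

# Hardened: TLS-only listener, no anonymous clients, per-user credentials
# and per-user topic access.
listener 8883
cafile   /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile  /etc/mosquitto/certs/server.key
allow_anonymous false
password_file /etc/mosquitto/pwfile
acl_file      /etc/mosquitto/aclfile

# --- /etc/mosquitto/aclfile --------------------------------------------
# %u is substituted with the username of the connecting client, so each
# user may only write to its own inbox and read its own outbox.
pattern write inbox/%u
pattern read  users/%u/#
```

Entries in the password file are created with `mosquitto_passwd -c /etc/mosquitto/pwfile alice` for the first user and `mosquitto_passwd /etc/mosquitto/pwfile bob` for further users, so the file holds hashed passwords rather than the plaintext `username:password` form shown in the comment above.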
  9. moster67

    moster67 Expert Licensed User

    Sure but if you have thousands of users, you will need to create a huge conf-file and each time you make a change to it, you need to restart the service.
    Using a database for this, you can handle users (and topics) much easier and also without stopping the service....
     
    victormedranop and Pooya1 like this.
  10. Pooya1

    Pooya1 Active Member Licensed User

    I'll go with your solution.
     