Android Question: About MQTT security

Pooya1

Active Member
Licensed User
Hi guys
I connect to the broker with one username and password that I declare in the password list
And all users subscribe to one topic
The big problem is if a hacker finds this username and password, they can connect to the server with
For i = 1 To 10000
mqtt.Connect(........)
Next
So my server will be busy and be hacked
How do I keep the username and password? :(
 

udg

Expert
Licensed User
Longtime User
Hi,
one way could be to manage each user's credentials separately; I mean that each user will have his/her own credentials.
This way you don't have to store a general user/pwd in code, and even decompiling your code an attacker would find nothing to hack your broker. Each user on login will enter his/her credentials and those credentials will be used for the connection to the broker.
 

Pooya1

Active Member
Licensed User
Hi,
one way could be to manage each user's credentials separately; I mean that each user will have his/her own credentials.
This way you don't have to store a general user/pwd in code, and even decompiling your code an attacker would find nothing to hack your broker. Each user on login will enter his/her credentials and those credentials will be used for the connection to the broker.
Thank you
My first strategy was your solution, but when there are more than 2 million users the broker cannot manage it and the password list will be very big and heavy
So I was forced to make a robot in B4J, and all users publish to the robot and the robot publishes to the users
Because there are more than 2 million users I cannot use your solution
Do you have another way?
 

udg

Expert
Licensed User
Longtime User
What about an authentication DB/service on the server?
The user authenticates to this server, which returns an encrypted token containing the credentials for the connection.
 
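To make the token idea above concrete, here is an added example in Python (not code from this thread, from B4X, or from Mosquitto): the auth service mints a short-lived per-user token that the app uses as its MQTT password, and the broker's auth back-end verifies it on CONNECT. It also goes a step further than the post and adds a per-username connect rate limit for the looped-connect case in the first post. The server key, the 900-second lifetime and the user:expiry:nonce:hmac token layout are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Assumptions (not from the thread): a server-side secret shared only by the
# auth service and the broker's auth back-end, never compiled into the app.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"
TOKEN_TTL = 900  # seconds a token stays valid

def issue_mqtt_token(user_id: str, now=None, key=SERVER_KEY, ttl=TOKEN_TTL) -> str:
    """Auth service side: after the app user has logged in (checked elsewhere),
    mint a short-lived per-user token used as the MQTT password.
    Assumed token format: user:expiry:nonce:hmac_sha256_hex."""
    if ":" in user_id:
        raise ValueError("user id must not contain ':'")
    exp = int(time.time() if now is None else now) + ttl
    payload = f"{user_id}:{exp}:{secrets.token_hex(8)}"
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"

def verify_mqtt_token(username: str, password: str, now=None, key=SERVER_KEY) -> bool:
    """Broker side: the check an auth plugin or DB back-end runs on CONNECT.
    Rejects a tampered token, one minted for another user, and an expired one."""
    parts = password.split(":")
    if len(parts) != 4:
        return False
    user_id, exp_s, _nonce, mac = parts
    expected = hmac.new(key, ":".join(parts[:3]).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return False
    if user_id != username or not exp_s.isdigit():
        return False
    return int(exp_s) > (time.time() if now is None else now)

class ConnectRateLimiter:
    """Broker-side cap on CONNECTs per username per time window, so a leaked
    token replayed in a tight loop (the 10000-connect case) is throttled."""
    def __init__(self, limit: int = 5, window: int = 60):
        self.limit, self.window, self._hits = limit, window, {}

    def allow(self, username: str, now=None) -> bool:
        now = time.time() if now is None else now
        hits = [t for t in self._hits.get(username, []) if now - t < self.window]
        if len(hits) < self.limit:
            hits.append(now)
            self._hits[username] = hits
            return True
        self._hits[username] = hits
        return False
```

Because the token is bound to one user and expires, a copy pulled out of a decompiled app or a captured connection is only useful for that user and only until the expiry.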

moster67

Expert
Licensed User
Longtime User
There is a plugin called "mosquitto-auth-plug" which is an authentication plugin for the Mosquitto broker working with multiple back-ends (MySQL, Redis, CDB, SQLite3). You need to compile it and set it up to work with Mosquitto, but it is well worth the effort if you want more flexibility to handle users and topics in real time. I have tested it and it works well without restarting the Mosquitto server.
See also this thread

I published a support library here which can help you when using said plugin with B4X.
 

Pooya1

Active Member
Licensed User
There is a plugin called "mosquitto-auth-plug" which is an authentication plugin for the Mosquitto broker working with multiple back-ends (MySQL, Redis, CDB, SQLite3). You need to compile it and set it up to work with Mosquitto, but it is well worth the effort if you want more flexibility to handle users and topics in real time. I have tested it and it works well without restarting the Mosquitto server.
See also this thread

I published a support library here which can help you when using said plugin with B4X.
Oh, your library is good
But I couldn't compile mosquitto
Do you have a released version?
 

victormedranop

Well-Known Member
Licensed User
Longtime User
The mosquitto server has its own password file for user registration.

See mosquitto.conf:

# -----------------------------------------------------------------
# Default authentication and topic access control
# -----------------------------------------------------------------

# Control access to the broker using a password file. This file can be
# generated using the mosquitto_passwd utility. If TLS support is not compiled
# into mosquitto (it is recommended that TLS support should be included) then
# plain text passwords are used, in which case the file should be a text file
# with lines in the format:
# username:password
# The password (and colon) may be omitted if desired, although this
# offers very little in the way of security.
#
# See the TLS client require_certificate and use_identity_as_username options
# for alternative authentication options. If an auth_plugin is used as well as
# password_file, the auth_plugin check will be made first.
password_file /etc/mosquitto/pwfile
 

moster67

Expert
Licensed User
Longtime User
The mosquitto server has its own password file for user registration.
Sure, but if you have thousands of users, you will need to create a huge conf file, and each time you make a change to it, you need to restart the service.
Using a database for this, you can handle users (and topics) much more easily and also without stopping the service....
 

Pooya1

Active Member
Licensed User
Sure, but if you have thousands of users, you will need to create a huge conf file, and each time you make a change to it, you need to restart the service.
Using a database for this, you can handle users (and topics) much more easily and also without stopping the service....
I got your solution
 