Securing Mosquitto Connections - MQTT - raspberry-pi

I set up a broker on a Windows PC which is publishing messages to Raspberry Pis (clients). On the same Windows machine I'm running a Node.js server which is also a Mosquitto client and can publish messages to the broker running on the same Windows machine.
I looked up (by simple googling and reading the official documentation) how I can secure the Mosquitto connections, but I still ran into some issues:
How can I only allow a Mosquitto broker to communicate with clients running on the same machine? (e.g. for simply publishing sensor values to a local frontend via websockets, which I'm already doing)
Do local (on the same machine) clients require the username and password if specified?
Why won't this configuration require a username and a password when the client is connecting to the broker?
My mosquitto.conf:
allow_anonymous false
password_file C:\Program Files (x86)\mosquitto
Password file is at the specified location and valid.
mosquitto -c mosquitto.conf is not throwing any error.
Can I still use the username and password when including encryption (mosquitto-tls)?

Listeners can be bound to a specific interface, e.g. 127.0.0.1, which will only allow connections from the localhost:
listener 1885 127.0.0.1
If you want to restrict the whole broker to only listen for local connections, use the bind_address config option to change the default listener to only listen on 127.0.0.1 rather than 0.0.0.0 (this address represents ALL network interfaces on the machine).
If password based authentication is configured it applies to ALL listeners, so if you set up a localhost only listener you will still need to supply a username and password.
You can use TLS and username and password based authentication unless you use client side certificates and enable the use_identity_as_username and require_certificate options.

Related

Mosquitto on Raspberry pi stuck in local mode

I am attempting to get my MQTT server to work on my network. Currently I receive the following message:
Starting in local mode only. Connections will only be possible from clients running on this machine.
Based on information from Mosquitto, I need to update the /etc/mosquitto/mosquitto.conf file to allow for non-local access:
pid_file /run/mosquitto/mosquitto.pid
persistence true
persistence_location mosquitto/data
#/var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log
include_dir /etc/mosquitto/conf.d
listener 1883
allow_anonymous true
But running with this adapted .conf file it does not allow non-local access. What am I doing wrong?
In the man page of Mosquitto, you can see that listener specifies the port and bind address/host of the MQTT broker:
listener port [bind address/host/unix socket path]
Since version 2.0, the default config will only bind to localhost.
If you run version ^2.0, you only allow for local connections because no host is set. Therefore just change the listener line to:
listener 1883 0.0.0.0
This will allow any machine to connect; you can also specify explicit IP addresses that are allowed to connect.
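The two Mosquitto threads above turn on the same two settings: which interface each listener binds to, and whether authentication is required. As an added example (not code from either post), the following audit reads a mosquitto.conf and lists the listeners that other hosts can reach without credentials. It assumes per_listener_settings is off, so allow_anonymous applies to every listener as the first answer states, and it only models explicit listener lines (not the bind_address default listener); the sample config is constructed from the asker's settings plus the 0.0.0.0 listener suggested in the second answer.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: anonymous access enabled, one listener on all interfaces,
# one loopback-only listener, and one TLS listener requiring client certificates.
SAMPLE_CONF = """
allow_anonymous true
listener 1883 0.0.0.0
listener 1885 127.0.0.1
listener 8883
require_certificate true
"""

@dataclass
class Listener:
    port: int
    bind: str                      # interface, hostname or unix socket path
    require_certificate: bool = False

def parse_conf(text):
    """Return (listeners, allow_anonymous). Listener-specific options such as
    require_certificate attach to the most recent 'listener' line."""
    listeners, allow_anonymous = [], False   # anonymous is off by default in 2.0
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop comments, tolerate tabs
        if not parts:
            continue
        key, args = parts[0], parts[1:]
        if key == "listener":
            bind = args[1] if len(args) > 1 else "0.0.0.0"  # no bind = all interfaces
            listeners.append(Listener(int(args[0]), bind))
        elif key == "allow_anonymous":
            allow_anonymous = args[0].lower() == "true"
        elif key == "require_certificate" and listeners:
            listeners[-1].require_certificate = args[0].lower() == "true"
    return listeners, allow_anonymous

def is_local_only(bind):
    """True for loopback addresses, 'localhost' and unix socket paths."""
    if bind == "localhost" or bind.startswith("/"):
        return True
    try:
        return ipaddress.ip_address(bind).is_loopback
    except ValueError:
        return False  # other hostnames: assume reachable from the network

def audit(text):
    """List listeners reachable from other hosts that accept anonymous clients."""
    listeners, allow_anonymous = parse_conf(text)
    return [f"listener {lst.port} on {lst.bind}: anonymous access from other hosts"
            for lst in listeners
            if allow_anonymous and not is_local_only(lst.bind) and not lst.require_certificate]
```

Running audit(SAMPLE_CONF) flags only the 1883 listener: 1885 is loopback-only and 8883 authenticates clients by certificate.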

Unable to connect to Kafka Server from my localhost

I have my Kafka server running on another system. I am trying to run the client from my local machine by giving the broker URL of the machine where the Kafka server is running. But unfortunately I am not able to connect to the Kafka server.
server.properties files has the below attributes:
group.initial.rebalance.delay.ms=0
listeners=SASL_PLAINTEXT://localhost:9093
advertised.listeners=SASL_PLAINTEXT://localhost:9093
#advertised.listeners=SASL_PLAINTEXT://10.97.123.52:9093
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=PLAIN
sasl.enabled.mechanisms=PLAIN
While running my client from my local machine, I am passing the broker URL of the server machine, but I am unable to connect :(. Can anyone help with this problem?
A bit simplified, but ... the client first connects to the bootstrap server to get the metadata. Based on that metadata it will open another TCP connection to the broker which is leader for the topic/partition the client wants to speak with.
The first connection is done based on the bootstrap server address which you set. The second connection is opened to the address from the metadata. And the metadata will in your case contain the address from the advertised.listeners field, which is localhost. So the client will try to connect to localhost:9093 and not to your broker. So you need to set advertised.listeners to use the address under which the broker is visible to the clients (which is maybe the line which is commented out in your config example?).
You also have the listeners field set to listen on localhost only. So it will not be accessible from the external IP address. You have to change it to listen on the external IP address. Most probably setting it to the following value (i.e. without localhost) should help:
listeners=SASL_PLAINTEXT://:9093
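To make the two-connection behaviour the answer describes concrete, here is an added example (not the poster's or the answerer's code) that reads the relevant server.properties keys and reports what a client on another machine would run into. The NO_TLS finding goes beyond the post: SASL_PLAINTEXT means no TLS, so the PLAIN mechanism's credentials cross the network unencrypted. The property text is constructed from the question, using the commented-out 10.97.123.52 as the address clients can reach.

```python
# Constructed from the question: broker listens and advertises on loopback.
SAMPLE_PROPERTIES = """
listeners=SASL_PLAINTEXT://localhost:9093
advertised.listeners=SASL_PLAINTEXT://localhost:9093
#advertised.listeners=SASL_PLAINTEXT://10.97.123.52:9093
sasl.enabled.mechanisms=PLAIN
"""

# The fix proposed in the answer: listen on every interface and advertise the
# address remote clients can actually reach (the commented-out IP above).
FIXED_PROPERTIES = """
listeners=SASL_PLAINTEXT://:9093
advertised.listeners=SASL_PLAINTEXT://10.97.123.52:9093
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def parse_properties(text):
    """Minimal key=value parser; '#' lines are comments, as in Kafka's files."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def parse_listeners(value):
    """'PROTO://host:port,...' -> [(proto, host, port)]; empty host = all
    interfaces. Bracketed IPv6 literals are not handled."""
    out = []
    for item in filter(None, (s.strip() for s in value.split(","))):
        proto, _, hostport = item.partition("://")
        host, _, port = hostport.rpartition(":")
        out.append((proto, host, int(port)))
    return out

def diagnose(props):
    """Return (code, message) findings for a client connecting from another host.
    advertised.listeners falls back to listeners when unset, as Kafka does."""
    findings = []
    listeners = parse_listeners(props.get("listeners", ""))
    advertised = parse_listeners(props.get("advertised.listeners") or props.get("listeners", ""))
    for proto, host, port in listeners:
        if host in LOOPBACK:   # first connection: remote clients are refused outright
            findings.append(("LISTEN_LOOPBACK", f"{proto}://{host}:{port} only accepts connections from the broker host"))
    for proto, host, port in advertised:
        if host in LOOPBACK:   # second connection: metadata points clients back at themselves
            findings.append(("ADVERTISE_LOOPBACK", f"metadata sends clients to {host}:{port}, i.e. their own machine"))
        if proto in ("PLAINTEXT", "SASL_PLAINTEXT"):
            findings.append(("NO_TLS", f"{proto} on port {port}: no TLS, SASL credentials cross the network unencrypted"))
    return findings
```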

How to associate/ connect the client to zookeeper server?

I have learned basic ZooKeeper concepts and did a sample project, but only on a local PC, i.e. one computer.
I understand ZooKeeper but am still confused about how the client connects to the ZooKeeper server if they are not on one computer. For instance, if we start a ZooKeeper server on my own computer, we can use connect() like connect 2181 to connect to the ZooKeeper server; that makes sense, since they are all on one computer and have some association in a lower layer. But what if the ZooKeeper server and client are separated onto two computers? How can we handle that?
I'm not sure what language you're using for the client, so this will have to be a generic answer.
The client and server communicate over TCP. This requires that the client simply know the server's host and port. In general, your ZooKeeper servers bind to some private network interface. For instance, your zoo.conf configuration file might contain a line like the following:
clientPort=2181
server.1=123.456.789.1:2888:3888
The first portion of the server.1 section, 123.456.789.1, is the host to which the ZooKeeper server will bind. As long as this host is not the loopback interface (i.e. localhost or 127.0.0.1) you should be able to connect to that host from another machine on the client port 2181. So, for instance, in Java I create a new ZkClient that points to that host and port:
ZkClient client = new ZkClient("123.456.789.1:2181");

MongoDB - Prevent unauthorized user from opening console

Trying to set up authorization in my development cluster, I couldn't prevent users from opening a console to my mongods.
I have enabled authorization in the config file:
security:
  authorization: enabled
And have created an admin user with the userAdminAnyDatabase role.
Yet, when connecting unauthorized to this server from another machine, I can enter the console.
I do get permission error when trying to issue commands, but I would like to know if there's any way of preventing the console from opening - getting the permission error earlier.
If you only need to access your MongoDB deployment from applications running on the same server you can use the bind_ip configuration option to control the network interface(s) that MongoDB processes listen to. By default this should already be set to '127.0.0.1' (localhost) in packaged versions of MongoDB 2.6+.
If you want to have the server listening to a more public network interface (eg. local LAN) and want to prevent remote connections entirely, you can limit source IP access via your firewall configuration.
The Network Security Tutorials in the MongoDB manual include examples that should be useful as a starting point:
Configure Linux iptables Firewall for MongoDB
Configure Windows netsh Firewall for MongoDB
If users/applications might authenticate from those remote IPs, you can't prevent them from opening a console connection (with no permissions). This is similar to how other services (sshd, apache, etc) work with authentication: step 1 is to establish a connection and step 2 authenticates.
For more information on MongoDB best practices, please refer to the Security section in the manual.

Connection failed in QuteCom SIP client

I have chosen the QuteCom SIP client for Windows to chat. I have installed and configured the account with my public server. My SIP server is Kamailio. The connection to the server is not established; the application keeps connecting to the server for a long time.
Any help is appreciated.
If it looks like it keeps connecting, then I guess the SIP messages don't get to the server.
You can install Wireshark to monitor traffic on windows host on port 5060 (the SIP port) in order to see if SIP messages are sent to the server.
On server, you can install ngrep for the purpose of seeing if traffic from the phone comes there. The command would be like:
ngrep -d any -qt -W byline port 5060
If you don't see traffic coming to the SIP server, then there might be a firewall or an ALG between the client and the server, or a firewall even on the client host or the server itself.
If it is something in between (not on client host or server), then you should try to use TCP or better TLS.
Note that if you have the firewall on the server, you will see the SIP packets coming on the network, but they will be dropped by the kernel before getting to application layer. Typically on Linux you can see the firewall rules with:
iptables -L
If the SIP packets come to the server, then set debug=3 in kamailio.cfg, restart kamailio and watch the syslog file (e.g., /var/log/syslog or /var/log/messages) for kamailio-specific debug messages -- you should get hints of what happens during processing.