How to create Mqtt Android Client with SSH Tunneling? - android

I want to connect to my MQTT broker and get some data from an Android app.
The MQTT server has been implemented with an SSH layer for security reasons.
I want to connect to the MQTT broker over an SSH tunnel. How can I achieve this? Is there any open-source library?
Note: I am able to connect with putty.exe -ssh -L 1883:ipaddress:22 username@ipaddress and a username and password.

If you are limited to SSH, you might be able to use one of the libraries mentioned in this answer:
https://stackoverflow.com/a/1367997/6581384
Otherwise, if your requirements are flexible, it would be easier to reconfigure the MQTT broker and client to use SSL/TLS instead.

Related

Is the Service serveo.net safe and private?

I created a reverse TCP payload for Android on port 3333 and forwarded it with serveo. But the main concern is that anyone in the world can listen on this port and get the reverse connection. How can I make this connection private so only I can access it?
Used serveo and ngrok and stuck with ngrok. I believe them when they say it's safe, but I also added additional layers of security to my host machine that issues the SSH, by hardening the SSH config and opening up the minimum ports required in iptables. For example, I limited inbound SSH traffic to only my local subnet. I did this because, while learning about ngrok, I found on the net (forgot where) that there is a chance someone can determine the IP of the host machine.
Serveo is just using a reverse proxy. He can see you from the server as an SSH client who allowed the server to move traffic to the local server.
I created my own server using nginx and an Amazon EC2 instance, with certbot for free SSL.

SSH tunnel between a client and a server

I have a client-server application for Android.
For security reasons, it was decided to set up an SSH tunnel between the client and server to protect the information transmitted.
For SSH I used the application ConnectBot.
Does it make sense to build SSH into the app itself?
P.S. Sorry for my English.

Connecting Meteor External DB with ssh

I have a droplet on DO on which there is a MongoDB instance. I can connect through the "ssh user@ip" command in OS X using the terminal, but if I want to connect to it with Meteor (local) I need to do port forwarding with "ssh -L port:localhost:portserver user@ip -f -N" and launch Meteor with --port. To access MongoDB I removed the password so you can access it only with SSH, and enabled a firewall as suggested in the DO guide.
My question is: Is there a way to connect Meteor (local) with MongoDB without using the SSH tunneling each time? Or to make it run the command before Meteor starts? This app is going to be on the phone (Android) for personal use, so it won't go into production.
Second question: Is the ssh tunneling + port forwarding slower than connecting with user#password to MONGODB?
Third question: I'm going to use the ssh also for another mongoDB that will go in production, is it better to use user#password and connect using MONGO_URL var?
Thanks for the help!
There are 2 things to consider here:
- authentication
- encryption
The SSH tunnel ensures encryption, while the password ensures authentication.
You can open up your DB to the world and be protected by a password, but if you don't have encryption, it's pretty much vulnerable to all sorts of network sniffing attacks (whenever on an open network or if someone is listening in the middle).
So, you would need encryption, that is SSL (TLS really, but best known as SSL).
You should look at the MongoDB docs for this:
https://docs.mongodb.org/manual/tutorial/configure-ssl/
TLS can also be used for authentication, using a client certificate and setting the server certificate to only accept those clients with a valid certificate. That's a little more complex, as you'd need to configure your certification authority (OpenSSL most likely) to generate the right certs.
You can use tools like https://github.com/cloudflare/cfssl to make your life easier in generating certs.
Hope that helps.

What information (e.g. device ID, MAC, etc.) will be sent to the MQTT server in the background when we create a connection?

Can we block a device from connecting to a MQTT server?
Can we block a device from Subscribing to a topic?
Do we have any device registration on the MQTT server, so that we can allow only known devices? If we have some registration mechanism, can we do it dynamically using an API?
Popular MQTT brokers like HiveMQ and mosquitto allow authentication and authorization. If you happen to use HiveMQ, there is a file authentication plugin available which allows you to restrict access to the broker via the username/password.
If you already have authentication mechanisms like an API you can call with Java (like HTTP REST APIs, SOAP Webservices, databases, ....), it's very easy to plug it into HiveMQ with the plugin system. You can see an example plugin which integrates with a database here on Github. Another plugin you could look at is the Stormpath plugin, the source code is also available on Github.
Obligatory disclaimer: I work for the company behind HiveMQ.
Some features are strictly related to the broker implementation and others depend on the MQTT specification.
When a client connects to the broker, it provides a client id and (optionally) a username and password. Depending on the specific broker implementation, it could provide an authentication mechanism so that you can block devices from connecting based on client id, username and password.
With the latest MQTT 3.1.1 specification, in the SUBACK message you can set an error for refusing a subscription. In this case too, it depends on the broker implementation how you can block a device from subscribing.
As you can see, the MQTT specification offers you some features for an authentication mechanism, but these features are available or not (and in different ways) based on the specific broker implementation.
Paolo.
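
As an added example (not part of the answers above), this Python code builds and parses an MQTT 3.1.1 CONNECT packet to show the fields a client sends at the protocol level when it connects: protocol name and level, keep-alive, client id and, optionally, a will, username and password. None of these fields is encrypted by MQTT itself, so the credentials are readable on the wire unless the transport is TLS or a tunnel. The client id and credentials used are constructed sample values.

```python
import struct

def _field(data: bytes) -> bytes:  # 2-byte big-endian length, then the bytes
    return struct.pack("!H", len(data)) + data

def _remaining_length(n: int) -> bytes:  # 7 bits per byte, MSB = "more follows"
    out = bytearray()
    while True:
        n, digit = divmod(n, 128)
        out.append(digit | (0x80 if n else 0))
        if not n:
            return bytes(out)

def build_connect(client_id, username=None, password=None, keepalive=60):
    flags, payload = 0x02, _field(client_id.encode())  # 0x02 = clean session
    if username is not None:
        flags, payload = flags | 0x80, payload + _field(username.encode())
    if password is not None:
        flags, payload = flags | 0x40, payload + _field(password.encode())
    body = _field(b"MQTT") + bytes([4, flags]) + struct.pack("!H", keepalive) + payload
    return b"\x10" + _remaining_length(len(body)) + body

def parse_connect(packet: bytes) -> dict:
    if packet[0] >> 4 != 1:
        raise ValueError("not a CONNECT packet")
    pos = 1
    while packet[pos] & 0x80:  # skip the remaining-length bytes
        pos += 1
    pos += 1
    def take() -> str:
        nonlocal pos
        (n,) = struct.unpack_from("!H", packet, pos)
        if pos + 2 + n > len(packet):
            raise ValueError("truncated field")
        pos += 2 + n
        return packet[pos - n:pos].decode("utf-8", "replace")
    name = take()
    level, flags = packet[pos], packet[pos + 1]
    (keepalive,) = struct.unpack_from("!H", packet, pos + 2)
    pos += 4
    out = {"protocol": name, "level": level, "keepalive": keepalive, "client_id": take()}
    if flags & 0x04:  # will topic and will message precede the credentials
        out["will_topic"], out["will_message"] = take(), take()
    if flags & 0x80:
        out["username"] = take()
    if flags & 0x40:
        out["password"] = take()
    return out

SAMPLE = build_connect("sensor-01", "alice", "s3cret")  # constructed values
```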

native app to server communication

I am writing a mobile trading app (Android/iOS) and I need suggestions on the best way to connect the app to the server (message queue).
If I use a raw TCP connection, would my users have a problem if they are behind corporate Wi-Fi (protected by firewalls)? If yes, in that case, is WebSocket a better solution?
For the backend server, after researching ZeroMQ, I believe a full-fledged broker like RabbitMQ is a better option to start with. Now, if I use a WebSocket connection from my native app, RabbitMQ has a SockJS-AMQP bridge. But I am not sure if there is a Java and iOS WebSocket client to speak to a SockJS server.
Any experienced views are greatly appreciated.
Have you considered using MQTT?
If you don't need AMQP you can also use directly an MQTT broker, such as http://mosquitto.org/ or http://www.hivemq.com/
Here (https://github.com/owntracks) you can find some ready libraries for iPhone and Android.
In order to solve the firewall problem, MQTT is available over HTTP.
You can read here:
http://www.hivemq.com/mqtt-over-websockets-with-hivemq/
or
here http://mqtt.org/wiki/doku.php/mqtt_over_websockets
This post can also help you : (https://www.ibm.com/developerworks/community/blogs/sowhatfordevs/entry/using_mqtt_protocol_advantages_over_http_in_mobile_application_development5?lang=en)
For an iPhone application I used MQTT directly, with RabbitMQ and the MQTT plug-in as the server:
http://www.rabbitmq.com/mqtt.html
I hope it can be useful.
