Secure MQTT Broker hosting on AWS

Internet of things is all about mobility and managing your things from anywhere and everywhere. Hosting a secure MQTT Broker / IOT Platform on the cloud is a mandate to 100% mobility. But people are very much paranoid about the security. This article provides a complete end to end guide for hosting the secure MQTT Broker on AWS.

Create an AWS Account

Create a FREE AWS account which you can use for a year. You can check the details of the FREE tier here. The AWS account provides a single CPU with a 1 GB of RAM, 5 GB of storage space and more. This is a very good configuration to run the MQTT Broker on the VM

Preparing EC2

Create an EC2 instance and If you are particular about the FREE usage, make sure you choose the allowed VM type. For the operating System, choose an Ubuntu 14.04 or 16.04 instance.

Create a SSH Key Pair for using for connecting to the EC2 instance via SFTP and SSH. If you already have an SSH key you can use the same. The key will be in the name of Yourname.pem

The VM provided will be a plain vanilla version of the Ubuntu. You can connect to the EC2 instance via SSH. Update the Ubuntu for any patches and install zip utility.

$ sudo apt-get update
$ sudo apt-get install zip unzip

Setup MySQL

The MQTT Broker uses MySQL to store the connected clients, their subscriptions and the message transactions. Install the MySQL using the following commands.These commands will ask for your root password and also make your MySQL instance secured in the EC2 Instance. Remember the mysql password which you need to configure inside the MQTT Broker conf files.

$ sudo apt-get install mysql-server
$ sudo mysql_secure_installation
$ sudo mysql_install_db

Make sure the MySQL is set to run in the localhost (127.0.0.1). Check the /etc/mysql/my.cnf

bind-address = 127.0.0.1

The Ubuntu is now ready to run the broker.

Setting up secure MQTT Broker

Download the FREE MQTT Broker from the Bevywise Networks download page. You can copy the files to the EC2 instance using SFTP using tools like FileZilla. The same SSH key pair can be used for the authentication purpose. Let us get started with installing the MQTT Broker in the EC2 Instance.

Unzip the MQTT Broker and move to the product home folder.

$ unzip Bevywise_MQTT_Route_Linux.zip
$ cd Bevywise/MQTTRoute/

Configure MySQL parameters inside the conf/db.conf.

Change the default db from SQLITE to MYSQL and update the MySQL password which you provided during the installation of MySQL.

DB_SERVER = MYSQL
MYSQL_USER = root
MYSQL_PASSWORD=<<mysql_password>>

Securing Client Connections

The communication between the clients and the server should be secured by enabling the TLS mode and setting up passwords logging in. You can use a single password for all the clients or individual passwords for each client.

Open the conf/broker.conf and update the TLS_ENABLED as TRUE. All other values can be changed if needed. Using a non regular port number for Broker and secure web socket will further enhance the security against DDOS.

TLS_ENABLED = TRUE
TLS_PORT_NO = 8883
WSS_PORT_NO = 8000

Create strong set of username and passwords which can be used when the clients connect to the MQTT Broker. You can add your list of credentials inside Certificate/Authentication/ folder.

The username and password must be
<username><<Tab>><Password>
operation_mgr_usr erSez!@421sedPas
external_dev_user aszWxDes@!*&Rs4

Enable authentication in the conf/broker.conf. If you wish to use a different file for the username and password list, you can change the path of the credentials file.

[AUTHENTICATION]
AUTHENTICATION_ENABLED = YES
# YES || NO
PASSWD_FILE = ./Certificate/Authentication/credentials.txt

Start the MQTT Broker in the background to make sure the broker is running continuously.

$ cd ./bin
$ nohup sh runbroker.sh &

The MQTT Broker will start on the TCP port 1883, Web Socket port 8000, and HTTP port 8080.

Securing User Interface with Apache

The apache server will be set as front end for the User interface and the request will be routed to the port 8080 of the MQTT Broker using the virtual host configuration of the apache. The basic authentication of the apache will be enabled for the securing the User Interface.

Install the apache server.

$ sudo apt-get install apache2
$ sudo apt-get install apache2-utils

The Username and the passwords need to be added to the apache for enabling the basic authentication. To add the user name, run the following command. This will ask for the password and confirmation and it will be added to the .htpasswd file.

$ sudo htpasswd -c /etc/apache2/.htpasswd <<User_name>>

Confirm the user addition by using the following command

$ cat /etc/apache2/.htpasswd
sammy:$apr1$DeD6bRwI$sCkKfg7Ly/nkXPiXG.PUP0

You need to restart the apache server for the authentication to be enabled. Let us do the proxying to the port 8080 before restarting the server.

Enabling the Proxy modules of the apache.

$ sudo a2enmod proxy
$ sudo a2enmod proxy_http

For reverse proxy, we need to add the following into the /etc/apache2/sites-enabled/000-default.conf.

ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
<Location “/”>
AuthType Basic
AuthName “Restricted Content”
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Location>

Restart the apache server for the above changes to take effect.

$ sudo service apache2 restart

Configuring AWS Firewall

The AWS firewall can be configured using the Network & Security → Security Group option inside the AWS Console. You have to enable inbound connection to only 4 ports, Apache — 80 , Web socket — 8443 , TLS TCP — 8883 & SSH — 22 . If you are planning to connect devices only from your internal network, you can use the option of My IP for the Source to make sure AWS restricts all the other IPs from sending data to this particular port making it more secure.

Mobile Application

We do have a mobile application which can be used to send and receive MQTT Messages to and from the different devices. We are yet to host them on the App Store and play store. But we can send you the same.

If you are using a FREE version of the MQTTRoute, you will be able to connect up to 25 clients to the broker. You are using a completely FREE MQTT Server on the cloud with all the basic needs.

The MQTTRoute is available for more devices at a very affordable price.

If you are looking to connect millions of devices, you should try the highly scalable distributed micro services based IOT Platform which is being integrated into powerful data visualisation. The Platform can be extended and customised based on the vertical and its objectives.

Enable your devices for a powerful M2M communication by setting up a FREE private cloud based secure MQTT Broker. We would be happy to hear your success stories on the setup process.

If you need any assistance on enabling IoT into your current process, we could help you get it done using our platform and the smart SDK. Feel free to keep us posted via contact us from.

Originally published at www.bevywise.com on August 23, 2017.