How To Create Secure MQTT Broker

Introduction

Eclipse Mosquitto is an open-source MQTT (Message Queuing Telemetry Transport) broker, licensed under EPL/EDL. It supports MQTT versions 3.1, 3.1.1, and 5.0, making it a reliable choice for IoT (Internet of Things) applications. Mosquitto is lightweight, making it suitable for everything from low-power embedded devices to high-performance servers.

This article provides an updated guide on Mosquitto, including its installation, security features, and robust deployment on AWS Ubuntu (2025 update).

1. Installing Mosquitto on AWS Ubuntu

Step 1: Update System Packages

sudo apt-get update

Step 2: Install Mosquitto Broker & Clients

sudo apt-get install mosquitto mosquitto-clients -y

Step 3: Start and Enable Mosquitto

sudo systemctl start mosquitto
sudo systemctl enable mosquitto

Step 4: Test Mosquitto Locally

Subscribe:

mosquitto_sub -h localhost -t mytopic

Publish:

mosquitto_pub -h localhost -t mytopic -m "Hello World"

2. Enabling Remote Access

By default, Mosquitto allows only local connections. To enable remote access, follow these steps:

Step 1: Open Port 1883 on AWS Security Group

  • In the AWS console, navigate to Security Groups.
  • Add an inbound rule for TCP port 1883 so MQTT clients can connect; restrict the source to the address ranges your clients actually use rather than 0.0.0.0/0 where you can.

Step 2: Modify Mosquitto Configuration

sudo nano /etc/mosquitto/conf.d/default.conf

Add:

listener 1883
allow_anonymous true

Save and exit.

Step 3: Restart Mosquitto

sudo systemctl restart mosquitto

Your broker is now accessible remotely on port 1883. With allow_anonymous true, any host that can reach the port can publish and subscribe without credentials; section 6 below replaces this with password authentication, so keep the security-group rule as narrow as possible in the meantime.

3. Ensuring Robust MQTT Broker Performance

To auto-restart Mosquitto in case of failure, create a monitoring script.

Step 1: Create a Restart Script

echo '#!/bin/bash
# Restart Mosquitto when no process named "mosquitto" is running.
# Run from the root crontab so that systemctl has the privileges it needs.
if ! pgrep -x "mosquitto" > /dev/null; then
    echo "$(date) Mosquitto not running, restarting..." >> /var/log/mosquitto.log
    systemctl restart mosquitto
fi' > /home/ubuntu/mosquitto_restart.sh

Step 2: Make It Executable

chmod +x /home/ubuntu/mosquitto_restart.sh

Step 3: Schedule with Cron

sudo crontab -e

Add this line (this is root's crontab, so the script's systemctl restart runs with the required privileges):

*/5 * * * * /home/ubuntu/mosquitto_restart.sh

This ensures Mosquitto restarts automatically if it crashes.

4. Securing Mosquitto with SSL Encryption

We use Let’s Encrypt to secure MQTT communication.

Step 1: Install Certbot

sudo apt-get install certbot -y

Step 2: Generate SSL Certificates

Ensure you have a domain/subdomain pointing to your server. The --standalone mode starts a temporary web server for the HTTP-01 challenge, so port 80 must be reachable from the internet while the command runs (open it in the security group and make sure nothing else is listening on it).

sudo certbot certonly --standalone -d mqtt.example.com

Step 3: Modify Mosquitto Configuration

sudo nano /etc/mosquitto/conf.d/default.conf

Add:

listener 8883
certfile /etc/letsencrypt/live/mqtt.example.com/fullchain.pem
keyfile /etc/letsencrypt/live/mqtt.example.com/privkey.pem

Save and restart Mosquitto.

sudo systemctl restart mosquitto

Now MQTT secure communication (MQTTS) is enabled on port 8883; open 8883 in the security group as you did for 1883. Two checks are worth making: Mosquitto runs as the unprivileged mosquitto user while certbot keeps privkey.pem readable by root only, so confirm the broker can actually read the key (look for a certificate or key error in the Mosquitto log on startup); and Let's Encrypt certificates are short-lived, so after each renewal Mosquitto must be restarted to serve the new certificate.
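Certbot renews the certificate automatically, but the renewed files land in /etc/letsencrypt/live, where the private key is readable only by root, and the running broker keeps serving the old certificate. The deploy hook below is an added example, not part of the original article: it copies the renewed files into /etc/mosquitto/certs (an assumed path) with ownership the broker can use and restarts Mosquitto; it relies on certbot exporting RENEWED_LINEAGE when it runs scripts placed in /etc/letsencrypt/renewal-hooks/deploy/.

```shell
#!/bin/bash
# Constructed example, not part of the original article: a certbot deploy
# hook that copies a renewed Let's Encrypt certificate into a directory the
# mosquitto user can read and restarts the broker so it serves the new cert.
# Assumed destination: /etc/mosquitto/certs (any root-owned directory works).
set -eu

# install_certs SRC_DIR DEST_DIR OWNER
# Copies fullchain.pem and privkey.pem from SRC_DIR to DEST_DIR, keeps the
# private key readable only by OWNER, and returns 1 if the sources are missing.
install_certs() {
    src="$1"; dest="$2"; owner="$3"
    if [ ! -r "$src/fullchain.pem" ] || [ ! -r "$src/privkey.pem" ]; then
        echo "install_certs: $src has no fullchain.pem/privkey.pem" >&2
        return 1
    fi
    mkdir -p "$dest"
    install -m 0644 "$src/fullchain.pem" "$dest/fullchain.pem"
    install -m 0600 "$src/privkey.pem" "$dest/privkey.pem"
    # chown only when the target user exists (it does on the broker host;
    # it may not on a machine where this script is merely tested).
    if id "$owner" >/dev/null 2>&1; then
        chown "$owner" "$dest/fullchain.pem" "$dest/privkey.pem"
    fi
}

# certbot exports RENEWED_LINEAGE (/etc/letsencrypt/live/<domain>) when it
# runs hooks from /etc/letsencrypt/renewal-hooks/deploy/ after a renewal.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_certs "$RENEWED_LINEAGE" /etc/mosquitto/certs mosquitto
    systemctl restart mosquitto
fi
```

Once the hook has run, point certfile and keyfile in the Mosquitto configuration at /etc/mosquitto/certs/fullchain.pem and /etc/mosquitto/certs/privkey.pem instead of the /etc/letsencrypt/live paths.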

5. Configuring WebSockets for Web Apps

For Angular, React, or JavaScript applications, enable MQTT over WebSockets.

Step 1: Modify Mosquitto Configuration

sudo nano /etc/mosquitto/conf.d/default.conf

Add:

listener 8083
protocol websockets
certfile /etc/letsencrypt/live/mqtt.example.com/cert.pem
cafile /etc/letsencrypt/live/mqtt.example.com/chain.pem
keyfile /etc/letsencrypt/live/mqtt.example.com/privkey.pem

Save and restart Mosquitto.

sudo systemctl restart mosquitto

Now, secure WebSockets (WSS) are enabled on port 8083; open that port in the security group as well, and have browser clients connect with a wss:// URL.

6. Adding Password Protection

To require authentication on the broker, create a username and password.

Step 1: Create Password File

sudo mosquitto_passwd -c /etc/mosquitto/passwd user1

Enter a password when prompted. The -c flag creates the password file and overwrites any existing one, so omit it when adding further users later.

Step 2: Modify Configuration

sudo nano /etc/mosquitto/conf.d/default.conf

Add:

allow_anonymous false
password_file /etc/mosquitto/passwd

Save and restart Mosquitto.

sudo systemctl restart mosquitto

Step 3: Use Credentials to Publish & Subscribe

Subscribe:

mosquitto_sub -h localhost -t test -u "user1" -P "password123"

Publish:

mosquitto_pub -h localhost -t "test" -m "Hello Secure MQTT" -u "user1" -P "password123"

7. Complete Mosquitto Configuration File (Reference)

Note that this reference layout differs slightly from section 5: here port 8083 is a plain WebSocket listener and port 8084 is the TLS one, and the TLS listeners use cert.pem plus cafile chain.pem rather than fullchain.pem. Either layout works, but keep the security-group rules and client URLs consistent with the one you choose, and remember that the plain 1883 and 8083 listeners carry usernames and passwords in clear text.

allow_anonymous false
password_file /etc/mosquitto/passwd

listener 1883
listener 8883
certfile /etc/letsencrypt/live/mqtt.example.com/cert.pem
cafile /etc/letsencrypt/live/mqtt.example.com/chain.pem
keyfile /etc/letsencrypt/live/mqtt.example.com/privkey.pem

listener 8083
protocol websockets
listener 8084
protocol websockets
certfile /etc/letsencrypt/live/mqtt.example.com/cert.pem
cafile /etc/letsencrypt/live/mqtt.example.com/chain.pem
keyfile /etc/letsencrypt/live/mqtt.example.com/privkey.pem
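Sections 2, 6 and 7 all edit the same configuration file, and a leftover allow_anonymous true or a listener without certfile/keyfile is easy to miss. The audit function below is an added example, not part of the original article: it reads one Mosquitto configuration file with awk (assumed to be a single flat file; include_dir directories are not followed) and reports the weak settings discussed above.

```shell
#!/bin/bash
# Constructed example, not from the original article: flag weak settings in
# a Mosquitto configuration file. Checks only what the article configures:
# anonymous access, a missing password_file, and listeners without TLS.
# Assumes one flat file (include_dir directories are not followed).

# audit_mosquitto_conf FILE
# Prints one line per finding; returns 1 if anything was found, else 0.
audit_mosquitto_conf() {
    awk '
    function issue(msg) { bad++; print msg }
    # A listener is TLS-protected only when it has both certfile and keyfile.
    function check_listener() {
        if (n > 0 && !(cert[n] && key[n]))
            issue("listener " port[n] ": no certfile/keyfile, traffic is plaintext")
    }
    /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
    $1 == "allow_anonymous" && $2 == "true" {
        issue("allow_anonymous true: clients need no credentials")
    }
    $1 == "password_file" { pw = 1 }
    $1 == "listener" { check_listener(); n++; port[n] = $2 }
    $1 == "certfile"  { cert[n] = 1 }
    $1 == "keyfile"   { key[n] = 1 }
    END {
        check_listener()
        if (!pw) issue("no password_file: the broker has no accounts to check logins against")
        exit (bad > 0)
    }' "$1"
}

# Stand-alone usage: audit_mosquitto_conf /etc/mosquitto/conf.d/default.conf
```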

Conclusion

Mosquitto remains a powerful, lightweight, and secure MQTT broker for IoT applications. In 2025, security, scalability, and robust monitoring are crucial for MQTT deployments.

With the above installation, security, and automation steps, you can deploy a secure and stable Mosquitto MQTT broker on AWS Ubuntu, suitable for both IoT devices and web applications.


Harshvardhan Mishra
