Wildfire Watch ships with default security settings that prioritize ease of deployment. This means:

✅ Works out of the box - No configuration needed for testing ⚠️ Not secure by default - Must be hardened for production 🔧 Easy to secure - Simple scripts to generate custom certificates

1. Default TLS Certificates (INSECURE)

   • Located in certs/default/
   • Password for CA: wildfire (public)
   • Provides encryption but NO authentication
   • Anyone can decrypt traffic with these certs

2. Open MQTT Access

   • No authentication required
   • Any device can publish/subscribe
   • Suitable for isolated networks only

3. Automatic Service Discovery

   • mDNS/Avahi enabled
   • Services advertise on local network
   • Convenient but reveals system presence

• Replace default certificates

  ./scripts/generate_certs.sh custom

• Deploy custom certificates

  ./scripts/provision_certs.sh auto all-devices

• Restart all services

  docker-compose restart

• Enable MQTT authentication

  # Create password file
  docker exec mqtt_broker mosquitto_passwd -c /mosquitto/config/passwd admin
  
  # Update mosquitto.conf
  echo "password_file /mosquitto/config/passwd" >> mosquitto.conf
  echo "allow_anonymous false" >> mosquitto.conf

• Limit network access

  # Firewall rules (example for iptables)
  iptables -A INPUT -p tcp --dport 1883 -s 192.168.1.0/24 -j ACCEPT
  iptables -A INPUT -p tcp --dport 1883 -j DROP

• Disable unnecessary services

  # In docker-compose.yml, comment out:
  # - Avahi/mDNS if not needed
  # - WebSocket listener if not using web UI

• Network isolation

  • Place cameras on separate VLAN
  • Use firewall between camera and control networks
  • Limit outbound connections

• Certificate management

  • Store CA key offline after generating certs
  • Use unique client certificates per device
  • Implement certificate rotation schedule

• Monitoring

  • Enable MQTT logging
  • Monitor for failed authentication
  • Alert on new device connections

cd wildfire-watch
./scripts/generate_certs.sh custom

# You'll be prompted for:
# - CA password (use 20+ characters)
# - Organization details
# - Server hostnames/IPs

# After generating certificates, secure the CA key
mv certs/ca.key /secure/offline/storage/
# Only bring it back when generating new certificates

# Option A: Automated deployment
./scripts/provision_certs.sh auto mqtt-broker.local camera1.local

# Option B: Manual deployment
scp -r certs/* root@device:/mnt/data/certs/

# Create admin user
docker exec mqtt_broker mosquitto_passwd -c /mosquitto/config/passwd admin

# Create service accounts
docker exec mqtt_broker mosquitto_passwd -b /mosquitto/config/passwd camera1 camera1pass
docker exec mqtt_broker mosquitto_passwd -b /mosquitto/config/passwd frigate frigatepass

# Update configuration
# Edit mqtt_broker/mosquitto.conf:
allow_anonymous false
password_file /mosquitto/config/passwd

Create mqtt_broker/acl.conf:

# Admin can access everything
user admin
topic readwrite #

# Cameras can only publish detections
user camera1
topic write fire/detection/camera1
topic read fire/trigger

# Frigate can publish events and read config
user frigate
topic write frigate/events
topic read frigate/config/#

# Example firewall rules
# Allow MQTT only from local network
ufw allow from 192.168.1.0/24 to any port 1883
ufw allow from 192.168.1.0/24 to any port 8883

# Block everything else
ufw deny 1883
ufw deny 8883

• Use default certificates
• No authentication
• Full network access
• All services enabled

• Replace default certificates
• Consider authentication
• Limit to local network
• Disable unused services

• Custom certificates required
• Strong authentication mandatory
• Strict firewall rules
• Network isolation
• Regular security audits
• Certificate rotation
• Intrusion detection

1. Using default certs in production

   • Anyone can decrypt your traffic
   • System vulnerable to impersonation

2. Exposing MQTT to internet without auth

   • Bots scan for open MQTT brokers
   • Can be used for attacks

3. Weak passwords

   • Avoid: admin/admin, password123
   • Use: Complex 20+ character passwords

4. Not updating certificates

   • Expired certs cause outages
   • Old certs may have vulnerabilities

1. Generate unique certificates

   • Each deployment gets custom certs
   • Strong CA password

2. Use authentication + TLS

   • Defense in depth
   • Encrypted and authenticated

3. Strong unique passwords

   • Use password manager
   • Different password per service

4. Certificate rotation plan

   • Calendar reminders
   • Tested replacement procedure

# Test TLS connection
openssl s_client -connect mqtt_broker:8883 -CAfile certs/ca.crt

# Verify certificate
openssl x509 -in certs/server.crt -text -noout

# Check certificate dates
openssl x509 -in certs/server.crt -dates -noout

# Test MQTT with auth
mosquitto_pub -h mqtt_broker -p 8883 \
  --cafile certs/ca.crt \
  -u admin -P adminpass \
  -t test -m "hello"

# Check password file
docker exec mqtt_broker cat /mosquitto/config/passwd

# Fix certificate permissions
chmod 600 certs/*.key
chmod 644 certs/*.crt

# Fix directory permissions
chmod 755 /mnt/data/certs

• OpenSSL Cookbook
• Let's Encrypt (for internet-facing deployments)
• Certificate Transparency

• MQTT Security Fundamentals
• Eclipse Mosquitto Security
• OWASP IoT Security

• VLAN Setup Guide
• pfSense Firewall
• Fail2ban for intrusion prevention

If you need security assistance:

1. Check logs for certificate/auth errors
2. Test with openssl to verify TLS
3. Review firewall rules for access issues
4. Ask in discussions (don't post private keys!)
5. Consider professional audit for commercial use

Remember: Security is a process, not a destination. Start with the basics and improve over time!