Even if your home’s automation is separated from any other network and not internet accessible, it’s always a good practice to use encryption. Failing to encrypt the connection to HomeAssistant’s web interface using an SSL/TLS certificate, results in leaving your password and other data traveling the network as plaintext susceptible to eavesdropping.
If you happen to read the previous post, this one is an extension to the BYOPM device for enabling 2FA on the VaultWarden instance using a Solokey. Two Factor Authentication (2FA) is implemented to better protect both a user’s credentials and the resources the user can access.
BYOPM is a portable Password Manager implementation based on VaultWarden, an unofficial implementation of BitWarden and a Raspberry PI Zero. It’s a self hosted solution, with full functionality, which is activated by just plugging the device on your computer. Bitwarden’s Official browser addons and extensions are also supported, and the device has been tested both on Windows (10 and 11) and Linux (Debian Based).
The SOCKS protocol is being used to exchange packets between a server and a client through a Proxy server. Expanding the Remote Drone’s abilities, we can configure the "Middle Host" to act as a PROXY Server and redirect all of our requests to the "Remote Drone". With this configuration, all the traffic will be transferred through the "Remote Drone" and we will be able to access the remote network, or even the Internet through the remote’s Network ISP Modem.
Reverse SSH Tunneling is the connection from the destination to the source instead of the default procedure which is the connection from the source to the destination. We can use this method to establish a connection to a remote network without knowing it’s external IP or making any changes to the network’s configuration. Unless a firewall restricts SSH traffic, the following guide using a Raspberry PI and an ENC28J60 module should be enough to establish a connection to the remote network by plugging the device to the remote network through ethernet.
One of the most effortless way for an intruder to gain access to a system is "Password Guessing". As we can read from the NIST Special Publication 800-118:
Guessing attacks can be mitigated rather easily by using a combination of two methods. First, ensure that
passwords are sufficiently complex so that attackers cannot readily guess them. It is particularly important
to change all default OS and application passwords; lists of default accounts and passwords are widely
available to attackers.
For the Raspbian (official Raspberry PI OS), the default credentials (username: pi, password: raspberry) are the same since the launch of the first device in February of 2012 so if you plan to use a Raspberry PI for any of your projects, the first thing to do is change those credentials. For increased security is even better if you completely remove or disable the default pi user.