Hi all, I have a VPS that I'll be using from remote clients via the BetAngel API, so will be opening up a port for that purpose.
I'll not use the default port number as a basic precaution but since the API is essentially open to anyone who knows/guesses/spams the IP and port I'd like to do something about that.
I could use a simple IP whitelist but could be a bit of pain to maintain, so was thinking of possibly using token exchange using IPSec (which I've not set up before), and wondered if anyone out there was doing similar or if there's a simpler/more cunning approach that doesn't involve me updating a list of trusted IPs from time to time.
Cheers,
Chris
Securing the API endpoint
Bf doesn't change it often, according to my logs last time was 25.08.2023.

silentdiver wrote (Wed Jan 08, 2025 1:22 am):
...
I could use a simple IP whitelist but could be a bit of pain to maintain
...

Hope they'll keep it that way.
To lock it down tightly, your permitted remotes need to be static IPs or via VPN - IPSec is easy to set up with rtfm and lets you lock traffic to IPs+port.
Hackers run 24/7 and try all the permutations - usually in short sessions these days to avoid their IP being blocked.
You can also use something like IP2Location to block obvious foreign actors but less use nowadays with cheap international location options for attackers.
Keep detailed notes of your settings - don't want to reinvent the wheel if you have to do a recovery or future migration to new server(s).
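What the whitelist advice above looks like in practice, as an added example that is not from the thread or from Bet Angel: it assumes the VPS runs Windows (Bet Angel is a Windows application) and uses the built-in Windows Firewall cmdlets; the port number and client addresses are placeholders. It also handles the case raised later in the thread, a client's address changing after a router restart, and logs blocked packets so the round-the-clock probing mentioned above is visible.

```powershell
# Added example, not from the thread or from Bet Angel: keep the API port reachable
# only from a short list of client addresses on a Windows VPS, and swap an address
# when a client's router restart hands it a new one. Port and addresses are placeholders.

$RuleName = 'BetAngel API - trusted clients'
$ApiPort  = 12345                                      # placeholder non-default port
$Trusted  = @('203.0.113.10', '198.51.100.25')         # placeholder client IPs (TEST-NET)

function Set-ApiWhitelist {
    param([Parameter(Mandatory)][string[]] $RemoteAddress, [int] $Port = $ApiPort)

    # Windows Firewall gives Block rules priority over Allow rules, so do not add an
    # explicit "block everyone else" rule for the port: it would override this Allow.
    # Rely on the profile default (inbound Block) and keep this the only rule for the
    # port. Logging blocked packets makes probing of the port show up in pfirewall.log.
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block -LogBlocked True

    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if ($rule) {
        # Rule exists: replace its address list in place.
        $rule | Set-NetFirewallRule -RemoteAddress $RemoteAddress -LocalPort $Port
    } else {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort $Port -RemoteAddress $RemoteAddress -Action Allow -Profile Any | Out-Null
    }
}

function Get-ApiWhitelist {
    # Returns the remote addresses the rule currently allows.
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction Stop
    ($rule | Get-NetFirewallAddressFilter).RemoteAddress
}

function Update-ApiWhitelist {
    # Replace one client's old address with its new one (e.g. after a router restart).
    param([Parameter(Mandatory)][string] $OldAddress, [Parameter(Mandatory)][string] $NewAddress)
    $current = @(Get-ApiWhitelist) | Where-Object { $_ -ne $OldAddress }
    Set-ApiWhitelist -RemoteAddress ($current + $NewAddress)
}

# Initial setup, then a later swap when one client's address changes.
Set-ApiWhitelist -RemoteAddress $Trusted
Update-ApiWhitelist -OldAddress '198.51.100.25' -NewAddress '198.51.100.77'
Get-ApiWhitelist

# Sanity check: list any other enabled inbound rule that also covers the port,
# since a broader Allow elsewhere would quietly undo the whitelist.
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq "$ApiPort" } |
    Get-NetFirewallRule | Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.DisplayName -ne $RuleName }
```

Run it from an elevated PowerShell session; the final query should return nothing once the whitelist rule is the only inbound rule for the port.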
Thanks, though it's the IPs of the client machines that I'm whitelisting, they change every now and then when a router restarts (we get a lot of little power cuts over here), but I've gone for the whitelisting anyway for simplicity and so I don't have to try to understand the fairly technically horrific looking alternatives!
Thanks for the advice, it did look a bit horrid from a first attempt at rtfm-ing, so I chickened out and went for whitelisting.
In the end even if the bad guys hit my host IP they have to spoof one of a very small set of source IPs so I'm pretty happy with that.