Securing the API endpoint

silentdiver
Posts: 16
Joined: Sat Jan 04, 2025 1:53 pm

Hi all, I have a VPS that I'll be using from remote clients via the BetAngel API, so will be opening up a port for that purpose.

I'll not use the default port number as a basic precaution but since the API is essentially open to anyone who knows/guesses/spams the IP and port I'd like to do something about that.

I could use a simple IP whitelist but it could be a bit of a pain to maintain, so I was thinking of possibly using token exchange using IPSec (which I've not set up before), and wondered if anyone out there was doing similar or if there's a simpler/more cunning approach that doesn't involve me updating a list of trusted IPs from time to time.

Cheers,

Chris
LinusP
Posts: 1898
Joined: Mon Jul 02, 2012 10:45 pm

Keep it simple and just whitelist, anything else will be considerably more work.
napshnap
Posts: 1206
Joined: Thu Jan 12, 2017 6:21 am

silentdiver wrote:
Wed Jan 08, 2025 1:22 am
...
I could use a simple IP whitelist but it could be a bit of a pain to maintain
...
Bf doesn't change it often, according to my logs last time was 25.08.2023.
Hope they'll keep it that way.
foxwood
Posts: 412
Joined: Mon Jul 23, 2012 2:54 pm

To lock it down tightly, your permitted remotes need to be static IPs or via VPN - IPSec is easy to set up with rtfm and lets you lock traffic to IPs+port.

Hackers run 24/7 and try all the permutations - usually in short sessions these days to avoid their IP being blocked.

You can also use something like IP2Location to block obvious foreign actors but less use nowadays with cheap international location options for attackers.

Keep detailed notes of your settings - you don't want to reinvent the wheel if you have to do a recovery or a future migration to new server(s).
silentdiver
Posts: 16
Joined: Sat Jan 04, 2025 1:53 pm

LinusP wrote:
Wed Jan 08, 2025 11:03 am
Keep it simple and just whitelist, anything else will be considerably more work.
Thanks, yeah, that's what I've done for now; getting my head round IPSec didn't look like much fun at all!
silentdiver
Posts: 16
Joined: Sat Jan 04, 2025 1:53 pm

napshnap wrote:
Thu Jan 09, 2025 8:09 am
Bf doesn't change it often, according to my logs last time was 25.08.2023.
Hope they'll keep it that way.
Thanks, though it's the IPs of the client machines that I'm whitelisting; they change every now and then when a router restarts (we get a lot of little power cuts over here), but I've gone for the whitelisting anyway for simplicity, and so I don't have to try to understand the fairly technically horrific looking alternatives!
silentdiver
Posts: 16
Joined: Sat Jan 04, 2025 1:53 pm

foxwood wrote:
Thu Jan 09, 2025 10:31 am
To lock it down tightly, your permitted remotes need to be static IPs or via VPN - IPSec is easy to set up with rtfm and lets you lock traffic to IPs+port.
Thanks for the advice; it did look a bit horrid from a first attempt at rtfm-ing, so I chickened out and went for whitelisting.

In the end even if the bad guys hit my host IP they have to spoof one of a very small set of source IPs so I'm pretty happy with that.
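The whitelisting approach the thread settles on, written up as an added Windows Firewall example (not code from any poster and not BetAngel's own tooling). It assumes a Windows VPS (BetAngel is a Windows application), a constructed non-default API port 27123 and constructed client addresses, and is run from an elevated PowerShell session.

```powershell
# Added example, not from the thread. Assumed values: the API port and the
# client IPs below are constructed placeholders, replace with your own.
$RuleName  = 'BetAngel API - whitelisted clients'
$ApiPort   = 27123
$Whitelist = @('203.0.113.10', '198.51.100.22')   # constructed sample client IPs

function Set-ApiWhitelistRule {
    # Creates the scoped Allow rule on first run; on later runs (e.g. after a
    # router restart hands a client a new IP) replaces the address scope in place.
    param([string[]]$Addresses)
    $existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        # Windows Firewall blocks inbound by default, so one scoped Allow rule is
        # enough: the port is reachable only from the listed remote addresses.
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort $ApiPort -RemoteAddress $Addresses -Action Allow -Profile Any |
            Out-Null
    } else {
        $existing | Set-NetFirewallRule -RemoteAddress $Addresses
    }
}

function Test-ApiPortExposure {
    # The weak setting to look for: an inbound Allow rule on the API port whose
    # remote scope is 'Any', which would expose the port to every source address.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$ApiPort" } |
        Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' } |
        Select-Object DisplayName
}

Set-ApiWhitelistRule -Addresses $Whitelist
# Any rule listed here undoes the whitelist and should be removed or re-scoped.
Test-ApiPortExposure
```

Keep the current `$Whitelist` alongside the notes foxwood suggests, so a rebuilt server gets the same rule rather than a hand-typed one.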