Skip to content

Securing & Hardening your Telegram Bot

SirDagen edited this page May 8, 2019 · 8 revisions

There are a few important things you need to take into account when setting up your own Telegram Bot.

This short guide aims to help you understand how you can make your Telegram Bot more secure.

Keep your API key/token private

When creating your bot, BotFather gives you a token similar to this: 123456789:AAG90e14-0f8-40183D-18491dDE

We call this the API key, as it is used to identify your bot and allow access to the Telegram API.

Keep this private! Whoever has this key is able to command your bot!

Hardening set.php, unset.php and hook.php

If you followed the readme to set up your bot, you will have come across these 3 files that are available in the example-bot repository. These are the most important files, as they control the access to your bot.

  • set.php registers the link to your hook.php, so that Telegram knows where to send the updates.
  • unset.php unsets this link, allowing you to reset it to a different path if you like.
  • hook.php is where all the updates from Telegram get sent to.

These files need to be publicly accessible for you to be able to use them.

Here a few tips on keeping them safe:

Change the filenames to make them more difficult to guess.

⛔️ https://mybot.net/hook.php

https://mybot.net/somewhere/else/ieXu3iakooy7aoh1oophojoo2woraiNu.php

You can call the files whatever you like! As you don't need to access them that much at all, make it nice and complicated.

Add a secret parameter to your files.

⛔️ https://mybot.net/hook.php

https://mybot.net/hook.php?secret=AihezooSahc0aiquu3aigai2Phee2ien

Then, inside your hook.php you could have something like this at the beginning:

if (!isset($_GET['secret']) || $_GET['secret'] !== 'AihezooSahc0aiquu3aigai2Phee2ien') {
    die("I'm safe =)");
}

Remember to add this parameter to the set.php file where you set the webhook URL!

Use Telegram Bot Manager

You can also use the Telegram Bot Manager which does the heavy lifting for you and makes the whole bot setup a lot easier.

Limit access to Telegram API IPs

Fortunately, Telegram lets us know from which IPs they are sending updates.

So we can simply restrict all access, allowing only those IPs.

In your code using PHP

At the top of your hook.php:

// Set the ranges of valid Telegram IPs.
// https://core.telegram.org/bots/webhooks#the-short-version
$telegram_ip_ranges = [
    ['lower' => '149.154.160.0', 'upper' => '149.154.175.255'], // literally 149.154.160.0/20
    ['lower' => '91.108.4.0',    'upper' => '91.108.7.255'],    // literally 91.108.4.0/22
];

$ip_dec = (float) sprintf("%u", ip2long($_SERVER['REMOTE_ADDR']));
$ok=false;

foreach ($telegram_ip_ranges as $telegram_ip_range) if (!$ok) {
    // Make sure the IP is valid.
    $lower_dec = (float) sprintf("%u", ip2long($telegram_ip_range['lower']));
    $upper_dec = (float) sprintf("%u", ip2long($telegram_ip_range['upper']));
    if ($ip_dec >= $lower_dec & $ip_dec <= $upper_dec) $ok=true;
}
if (!$ok) die("Hmm, I don't trust you...");

Server-side using Apache

<Directory /mybot>
    Order Allow,Deny
    Allow from 149.154.160.0/20
    Allow from 91.108.4.0/22
</Directory>

read more

Server-side using Nginx

location /mybot {
    allow 149.154.160.0/20;
    allow 91.108.4.0/22;
    deny all;
}

read more

Server-side using a Firewall

Anything else?

If you think there are other ways too, just add them to this wiki entry! 😊