Securing & Hardening your Telegram Bot
There are a few important things you need to take into account when setting up your own Telegram Bot.
This short guide aims to help you understand how you can make your Telegram Bot more secure.
When creating your bot, BotFather gives you a token similar to this: 123456789:AAG90e14-0f8-40183D-18491dDE
We call this the API key, as it is used to identify your bot and allow access to the Telegram API.
Keep this private! Whoever has this key is able to command your bot!
If you followed the readme to set up your bot, you will have come across these 3 files that are available in the example-bot repository.
These are the most important files, as they control the access to your bot.

- set.php registers the link to your hook.php, so that Telegram knows where to send the updates.
- unset.php unsets this link, allowing you to reset it to a different path if you like.
- hook.php is where all the updates from Telegram get sent to.
These files need to be publicly accessible for you to be able to use them.
Here are a few tips on keeping them safe:

Use an unguessable path and file name:

⛔️ https://mybot.net/hook.php
✅ https://mybot.net/somewhere/else/ieXu3iakooy7aoh1oophojoo2woraiNu.php

You can call the files whatever you like! As you hardly ever need to access them yourself, make the path long and random.

Add a secret parameter to the webhook URL:

⛔️ https://mybot.net/hook.php
✅ https://mybot.net/hook.php?secret=AihezooSahc0aiquu3aigai2Phee2ien

Then, inside your hook.php, you could have something like this at the beginning:

```php
// Reject any request that does not carry the exact secret set in the webhook URL.
if (!isset($_GET['secret']) || $_GET['secret'] !== 'AihezooSahc0aiquu3aigai2Phee2ien') {
    die("I'm safe =)");
}
```

Remember to add this parameter to the set.php file where you set the webhook URL!
You can also use the Telegram Bot Manager which does the heavy lifting for you and makes the whole bot setup a lot easier.
Fortunately, Telegram publishes the IP ranges from which it sends updates, so we can simply restrict all access and allow only those IPs.

At the top of your hook.php:

```php
// Set the ranges of valid Telegram IPs.
// https://core.telegram.org/bots/webhooks#the-short-version
$telegram_ip_ranges = [
    ['lower' => '149.154.160.0', 'upper' => '149.154.175.255'], // literally 149.154.160.0/20
    ['lower' => '91.108.4.0', 'upper' => '91.108.7.255'],       // literally 91.108.4.0/22
];

// Convert the caller's IP to an unsigned number (sprintf("%u") keeps it positive on 32-bit PHP).
$ip_dec = (float) sprintf("%u", ip2long($_SERVER['REMOTE_ADDR']));

$ok = false;
foreach ($telegram_ip_ranges as $telegram_ip_range) {
    // Convert the range bounds the same way and check whether the IP falls inside.
    $lower_dec = (float) sprintf("%u", ip2long($telegram_ip_range['lower']));
    $upper_dec = (float) sprintf("%u", ip2long($telegram_ip_range['upper']));
    if ($ip_dec >= $lower_dec && $upper_dec >= $ip_dec) {
        $ok = true;
        break;
    }
}

if (!$ok) {
    die("Hmm, I don't trust you...");
}
```
The same restriction can be applied in the web server instead. Apache:

```apache
<Directory /mybot>
    Order Allow,Deny
    Allow from 149.154.160.0/20
    Allow from 91.108.4.0/22
</Directory>
```

Nginx:

```nginx
location /mybot {
    allow 149.154.160.0/20;
    allow 91.108.4.0/22;
    deny all;
}
```
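The two checks above, the secret parameter and the Telegram IP ranges, combined in one helper that uses the CIDR form of the ranges and a constant-time comparison of the secret. This is an added example, not code from the php-telegram-bot project; ip_in_cidr, secret_matches and telegram_request_is_trusted are names constructed here, and it assumes 64-bit PHP.

```php
<?php
// Added example (not project code). Assumes 64-bit PHP so ip2long() returns
// non-negative integers and the mask arithmetic below stays in range.

// Telegram webhook source ranges from the page, in CIDR form.
const TELEGRAM_CIDRS = ['149.154.160.0/20', '91.108.4.0/22'];

// True if the IPv4 address lies inside the CIDR block; false for invalid input.
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr, 2);
    $ip_long  = ip2long($ip);
    $net_long = ip2long($net);
    $bits     = (int) $bits;
    if ($ip_long === false || $net_long === false || $bits < 0 || $bits > 32) {
        return false;
    }
    // Netmask with the top $bits bits set, e.g. /20 -> ...FFFFF000.
    $mask = ~((1 << (32 - $bits)) - 1);
    return ($ip_long & $mask) === ($net_long & $mask);
}

// Compare the supplied ?secret= value in constant time, so the comparison's
// timing does not depend on how many leading characters matched.
function secret_matches(?string $given, string $expected): bool
{
    return $given !== null && hash_equals($expected, $given);
}

// Combined gate: the request must come from a Telegram range AND carry the secret.
function telegram_request_is_trusted(string $remote_ip, ?string $given_secret, string $expected_secret): bool
{
    $from_telegram = false;
    foreach (TELEGRAM_CIDRS as $cidr) {
        if (ip_in_cidr($remote_ip, $cidr)) {
            $from_telegram = true;
            break;
        }
    }
    return $from_telegram && secret_matches($given_secret, $expected_secret);
}

// Usage at the top of hook.php (the secret value here is a constructed sample).
$expected_secret = 'AihezooSahc0aiquu3aigai2Phee2ien';
if (!telegram_request_is_trusted($_SERVER['REMOTE_ADDR'] ?? '', $_GET['secret'] ?? null, $expected_secret)) {
    http_response_code(403);
    exit;
}
```

If the bot runs behind a reverse proxy, $_SERVER['REMOTE_ADDR'] is the proxy's address, so the check must use the client address the proxy forwards, and only when the request really came from that proxy.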
Server-side using a Firewall
If you think there are other ways too, just add them to this wiki entry! 😊