Ban IP
Overview
OpenAlgo includes a security module that protects your trading platform from malicious traffic, bots, and unauthorized access attempts. It matters most when OpenAlgo is hosted on a public-facing IP or a custom domain, where anyone on the internet can reach the login page and the API.
Why Security Matters for Algo Traders
When you host OpenAlgo on a public IP or custom domain, your trading platform becomes accessible to the internet. This exposure can attract:
Web Scrapers attempting to harvest your trading data
Bots probing for vulnerabilities
Brute Force Attacks trying to guess API keys
Automated Scanners looking for exposed endpoints
DDoS Attempts that could disrupt your trading operations
A single security breach could lead to:
Exposed trading strategies
Compromised API credentials
Disrupted trading operations during critical market hours
Unauthorized access to your portfolio data
Core Security Features
1. IP Ban System
The IP ban system automatically protects your platform by blocking malicious IPs based on suspicious behavior patterns.
How It Works
Automatic Detection: Monitors all incoming traffic for suspicious patterns
Threshold-Based Banning: Automatically bans IPs that exceed predefined thresholds
Temporary & Permanent Bans: First-time offenders get temporary bans, repeat offenders get permanently banned
Localhost Protection: Requests from your local IP (127.0.0.1) are never banned, so you cannot lock yourself out of a local instance
Ban Types
24 Hours: Default for first offense
48 Hours: For API key abuse
1 Week: Manual option for serious violations
Permanent: After 3 offenses or manual selection
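The escalation rules listed above, as an added example (an illustration written for this page, not OpenAlgo's own code): an in-memory ban table that applies the default 24-hour ban, the 48-hour and one-week options, the permanent ban after three offenses, and the localhost exemption. The `BanList` class, its record fields and the injectable clock are assumptions made for illustration; OpenAlgo itself stores bans in the ip_bans table of logs.db.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

# Ban durations and the repeat-offender threshold named on this page
BAN_24H = timedelta(hours=24)          # default for a first offense
BAN_48H = timedelta(hours=48)          # API key abuse
BAN_1W = timedelta(weeks=1)            # manual option for serious violations
PERMANENT_BAN_AFTER = 3                # permanent once an IP reaches this many offenses
PROTECTED_IPS = {"127.0.0.1", "::1"}   # localhost is never banned


class BanList:
    """In-memory ban table with escalation (illustrative; field names are assumptions).
    `now` is injectable so expiry can be tested without waiting."""

    def __init__(self, now=None):
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._bans = {}      # ip -> record of the currently active ban
        self._offenses = {}  # ip -> lifetime offense count (kept after a ban expires)

    def ban(self, ip, reason, duration=BAN_24H, permanent=False, created_by="system"):
        """Ban `ip`; returns the ban record, or None when the IP is protected."""
        ip = str(ip_address(ip))             # normalise, and reject garbage input early
        if ip in PROTECTED_IPS:
            return None
        count = self._offenses.get(ip, 0) + 1
        self._offenses[ip] = count
        # A third offense, or an explicit request, escalates to a permanent ban
        if permanent or count >= PERMANENT_BAN_AFTER:
            expires = None
        else:
            expires = self._now() + duration
        record = {
            "ip": ip, "reason": reason, "banned_at": self._now(),
            "expires": expires, "ban_count": count, "created_by": created_by,
        }
        self._bans[ip] = record
        return record

    def is_banned(self, ip):
        """True while a ban is active; expired temporary bans are dropped lazily."""
        record = self._bans.get(str(ip_address(ip)))
        if record is None:
            return False
        if record["expires"] is not None and record["expires"] <= self._now():
            # Expired: remove the ban but keep the offense count so repeats escalate
            del self._bans[record["ip"]]
            return False
        return True

    def unban(self, ip):
        """The dashboard's manual unban; returns True if an active ban was removed."""
        return self._bans.pop(str(ip_address(ip)), None) is not None

    def active_bans(self):
        """Rows for the 'Banned IPs' table: only bans that have not expired."""
        return [r for r in list(self._bans.values()) if self.is_banned(r["ip"])]


if __name__ == "__main__":
    bans = BanList()
    print(bans.ban("203.0.113.7", "20 404 errors in 24 hours"))   # 24-hour ban
    print(bans.ban("127.0.0.1", "should be ignored"))             # None: localhost is protected
```

The offense counter deliberately survives expiry: that is what makes the third ban permanent even when the earlier two were only 24 or 48 hours long.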
2. 404 Error Tracking
Monitors and tracks 404 (Not Found) errors to detect bots and scanners probing for vulnerabilities.
Features
Real-time Tracking: Every 404 error is logged with IP and attempted path
Auto-Ban Threshold: Twenty 404 errors from one IP within 24 hours trigger an automatic ban
Path Analysis: View which paths attackers are attempting to access
24-Hour Window: The counter resets daily, so an occasional mistyped URL from a legitimate user never accumulates into a ban
Common Attack Patterns Detected
WordPress vulnerability scans (wp-admin, wp-login.php)
PHPMyAdmin probes
Configuration file searches (.env, .git, config.php)
Admin panel discovery attempts
3. Invalid API Key Monitoring
Protects against brute force attacks on your API endpoints.
Features
Attempt Tracking: Logs every invalid API key attempt
Auto-Ban Threshold: 10 invalid attempts from one IP within 24 hours trigger a 48-hour ban
Hashed Storage: Attempted keys are stored as hashes rather than plaintext, so a real key that was merely mistyped is never left readable in the tracker
Integration: Works seamlessly with all OpenAlgo API endpoints
Protection Against
API key brute force attacks
Credential stuffing attempts
Automated API abuse
Unauthorized trading bot access
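Both trackers above do the same job: count events per IP inside a 24-hour window and hand the IP to the ban system once a threshold is reached. The following is an added example of that logic (written for this page, not OpenAlgo's code), shared by the 404 tracker and the invalid-API-key tracker. It uses a rolling 24-hour window, which is one reading of "counter resets daily" and is an assumption here; it hashes attempted keys with SHA-256 before storing them; and it includes a "near threshold" check of the kind the dashboard statistics describe. Class and function names, the 3-event "near threshold" margin and the sample traffic are all constructed for illustration.

```python
import hashlib
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Thresholds named on this page
MAX_404_ERRORS_PER_DAY = 20
MAX_INVALID_API_ATTEMPTS = 10
WINDOW = timedelta(hours=24)
# Ban durations the page assigns to each tracker
BAN_404 = timedelta(hours=24)
BAN_API_KEY = timedelta(hours=48)


class WindowedTracker:
    """Per-IP event counter over a rolling window (illustrative; a rolling
    24-hour window is an assumption about how 'resets daily' is implemented)."""

    def __init__(self, threshold, ban_duration, window=WINDOW, now=None):
        self.threshold = threshold
        self.ban_duration = ban_duration
        self.window = window
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._events = defaultdict(deque)   # ip -> deque of (timestamp, detail)

    def _live(self, ip):
        """Drop events older than the window and return what remains."""
        cutoff = self._now() - self.window
        events = self._events[ip]
        while events and events[0][0] < cutoff:
            events.popleft()
        return events

    def record(self, ip, detail):
        """Log one event. Returns the ban duration once the threshold is hit, else None."""
        events = self._live(ip)
        events.append((self._now(), detail))
        return self.ban_duration if len(events) >= self.threshold else None

    def count(self, ip):
        return len(self._live(ip))

    def details(self, ip):
        """Paths (or key hashes) seen in the window: the dashboard's path analysis."""
        return [detail for _, detail in self._live(ip)]

    def near_threshold(self, ip, margin=3):
        """Dashboard 'Near Threshold' statistic: within `margin` events of a ban."""
        return self.threshold - margin <= self.count(ip) < self.threshold

    def clear(self, ip):
        """The dashboard's 'Clear' action: give the IP a fresh start."""
        self._events.pop(ip, None)


def hash_api_key(key):
    """Keep only a digest of the attempted key, never the plaintext."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def track_404(tracker, ip, path):
    return tracker.record(ip, path)


def track_invalid_api_key(tracker, ip, attempted_key):
    return tracker.record(ip, hash_api_key(attempted_key))


# Constructed sample traffic: one scanner probing the usual paths
SAMPLE_404S = [("198.51.100.9", path) for path in
               ["/wp-login.php", "/wp-admin/", "/phpmyadmin/",
                "/.env", "/.git/config", "/config.php"]]


def demo():
    """Run the sample scanner through both trackers; returns (404 count, paths, API verdict)."""
    t404 = WindowedTracker(MAX_404_ERRORS_PER_DAY, BAN_404)
    tapi = WindowedTracker(MAX_INVALID_API_ATTEMPTS, BAN_API_KEY)
    for ip, path in SAMPLE_404S:
        track_404(t404, ip, path)
    verdict = None
    for i in range(MAX_INVALID_API_ATTEMPTS):        # ten guesses: the tenth trips the ban
        verdict = track_invalid_api_key(tapi, "198.51.100.9", f"guess-{i}")
    return t404.count("198.51.100.9"), t404.details("198.51.100.9"), verdict


if __name__ == "__main__":
    print(demo())
```

In production the caller would pass the returned duration to the ban system; keeping the trackers free of ban logic is what lets one class serve both thresholds.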
Security Dashboard
Access the security dashboard at /security (available in the profile dropdown menu).
Dashboard Components
1. Statistics Overview
Total Bans: Current number of banned IPs
Permanent Bans: IPs permanently blocked
Suspicious IPs: IPs showing suspicious behavior
Near Threshold: IPs close to auto-ban threshold
2. Manual Ban Controls
IP Ban: Manually ban specific IP addresses
Host/Domain Ban: Ban all IPs from a specific host
Custom Reasons: Document why an IP was banned
Duration Options: Choose ban duration or make permanent
3. Banned IPs Table
Displays all currently banned IPs with:
IP address
Ban reason
Ban timestamp
Expiry time (or permanent status)
Ban count (repeat offenses)
Created by (system/manual)
Unban action button
4. Invalid API Key Attempts
Shows IPs attempting invalid API authentication:
IP address
Number of attempts (X/10 threshold)
First and last attempt timestamps
Hashed API keys tried
Quick ban action
5. 404 Error Tracking
Monitors IPs generating 404 errors:
IP address
Error count (X/20 threshold)
First and last error timestamps
Paths attempted
Ban and clear actions
Configuration
The security module works out-of-the-box with these default thresholds:
# 404 Error Threshold
MAX_404_ERRORS_PER_DAY = 20 # Auto-ban after 20 404s
# Invalid API Key Threshold
MAX_INVALID_API_ATTEMPTS = 10 # Auto-ban after 10 attempts
# Repeat Offender Threshold
PERMANENT_BAN_AFTER = 3 # Permanent ban after 3 offenses
These thresholds are optimized to:
Allow legitimate users some margin for error
Quickly identify and block malicious actors
Prevent false positives for normal trading operations
Usage Guide
Accessing the Security Dashboard
Log in to OpenAlgo
Click on your profile dropdown
Select "Security"
Manual IP Banning
Enter the IP address in the "Manual IP Ban" section
Provide a reason for the ban
Select duration (24 hours, 48 hours, 1 week, or permanent)
Click "Ban IP"
Banning by Host/Domain
Enter the host or domain name
Check "Permanent Ban" if needed
Click "Ban Host"
All IPs from that host will be banned. Check what the host resolves to first: hostnames behind CDNs or cloud providers map to shared, rotating addresses, so a host ban can block unrelated users or miss the attacker once the addresses change.
Unbanning an IP
Find the IP in the "Banned IPs" table
Click the "Unban" button
Confirm in the modal dialog
Clearing 404 Tracker
To give an IP a fresh start:
Find the IP in the "404 Tracker" table
Click "Clear"
Confirm the action
Best Practices
For Public Hosting
Regular Monitoring: Check the security dashboard weekly
Review Patterns: Look for attack patterns in attempted paths
Permanent Bans: Use for confirmed malicious sources
Documentation: Use clear ban reasons for future reference
For Development
Localhost Safety: Your local IP is protected from banning
Testing: Use external IPs or tools like ngrok for testing
Clear Trackers: Reset tracking data after testing
For Production
Enable HTTPS: Use TLS certificates so API keys and session cookies are never sent in the clear
Strong API Keys: Use long, randomly generated API keys
Regular Updates: Keep OpenAlgo updated for the latest security patches
Backup Strategy: Back up logs.db regularly, and before applying bulk or permanent bans, so a mistaken ban can be reverted
Reverse Proxy Awareness: If OpenAlgo runs behind nginx, Caddy or a CDN, confirm that the ban system sees the real client IP and not the proxy's address; otherwise every request appears to come from a single address (possibly 127.0.0.1, which is exempt), and bans either never trigger or block the proxy for everyone
Upstream Filtering: Application-level bans act only on requests that have already reached OpenAlgo; a volumetric DDoS has to be filtered at the firewall, proxy or hosting provider
Security Response Workflow
When suspicious activity is detected:
Automatic Response
System tracks the activity
Thresholds are monitored
Auto-ban triggers if exceeded
Manual Review
Check security dashboard
Review attack patterns
Apply manual bans if needed
Post-Incident
Document the incident
Review if thresholds need adjustment
Consider permanent bans for serious attacks
Database Information
All security data is stored in the logs.db database:
Table: ip_bans - Stores banned IP information
Table: error_404_tracker - Tracks 404 errors
Table: invalid_api_key_tracker - Monitors API key attempts
Table: traffic_logs - General traffic logging
No additional configuration or migration is required. The tables are created automatically on first run.
Troubleshooting
IP Not Getting Banned
Check if it's localhost (protected from banning)
Verify thresholds haven't been modified
Ensure security middleware is active
Can't Access After Ban
Access from different IP
Use database tools to remove the ban: delete your IP's row from the ip_bans table in logs.db (back up the file first)
Contact system administrator
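If you are locked out and must fall back on "database tools", the following added example (not part of OpenAlgo) removes a ban row from the ip_bans table using Python's built-in sqlite3 module. The table name comes from the Database Information section of this page; the column names are not documented here, so the script reads the live schema and picks the IP column rather than assuming one. The sample database it builds for a dry run uses an assumed schema and constructed rows.

```python
import sqlite3

TABLE = "ip_bans"   # table name from the Database Information section of this page


def find_ip_column(conn, table=TABLE):
    """Discover the IP column from the live schema instead of guessing its name."""
    columns = [row[1] for row in conn.execute(f'PRAGMA table_info("{table}")')]
    if not columns:
        raise RuntimeError(f"table {table} not found; is this the right logs.db?")
    for name in columns:
        lowered = name.lower()
        if lowered in ("ip", "ip_address", "ipaddress") or lowered.startswith("ip_") or lowered.endswith("_ip"):
            return name
    raise RuntimeError(f"no IP-like column in {table}: {columns}")


def list_bans(conn, table=TABLE):
    """Return the banned IPs currently in the table."""
    col = find_ip_column(conn, table)
    return [row[0] for row in conn.execute(f'SELECT "{col}" FROM "{table}"')]


def remove_ban(conn, ip, table=TABLE):
    """Delete every ban row for `ip`; returns the number of rows removed.
    Identifiers come from the schema and are double-quoted; the IP is a bound parameter."""
    col = find_ip_column(conn, table)
    with conn:   # commits on success, rolls back on error
        cursor = conn.execute(f'DELETE FROM "{table}" WHERE "{col}" = ?', (ip,))
    return cursor.rowcount


def make_sample_db():
    """Constructed stand-in for logs.db; the column names here are an assumption."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ip_bans (id INTEGER PRIMARY KEY, ip_address TEXT, reason TEXT, created_by TEXT)"
    )
    conn.executemany(
        "INSERT INTO ip_bans (ip_address, reason, created_by) VALUES (?, ?, ?)",
        [("203.0.113.7", "20 404 errors in 24 hours", "system"),
         ("198.51.100.9", "invalid API key attempts", "system")],
    )
    return conn


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                      # real use: python unban.py logs.db 203.0.113.7
        conn = sqlite3.connect(sys.argv[1])
        print("removed", remove_ban(conn, sys.argv[2]), "row(s)")
    else:                                       # dry run against the constructed database
        conn = make_sample_db()
        print("before:", list_bans(conn))
        print("removed", remove_ban(conn, "203.0.113.7"), "row(s)")
        print("after:", list_bans(conn))
```

Stop OpenAlgo and copy logs.db before editing it, and run the script against the copy first; SQLite will refuse or corrupt a write if the application holds the file locked. The tables are recreated on first run, so a deleted row cannot cause a startup failure.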
False Positives
Adjust thresholds if needed
Use manual unban for legitimate users
Consider whitelisting (future feature)
Future Enhancements
Planned security improvements:
IP Whitelist System: Allow trusted IPs to bypass security checks
Geographic Blocking: Ban entire countries or regions
Rate Limiting: Per-endpoint request limits
Two-Factor Authentication: Additional login security
Webhook Alerts: Notify on security events via Discord/Telegram
Support
For security-related issues or questions:
Check the security dashboard first
Review logs in the /logs endpoint
Join our Discord community
Report security vulnerabilities privately
Remember: Security is not a feature, it's a necessity when your money and trading strategies are at stake.