Security Best Practices

Keep your trading strategies safe

SSH Security

Use SSH Keys Only

Disable password authentication after setting up SSH keys:

# Edit SSH config
sudo nano /etc/ssh/sshd_config

# Set these values in the file (uncomment them if they are commented out)
PasswordAuthentication no
PubkeyAuthentication yes

# Restart SSH
sudo systemctl restart sshd

Change Default SSH Port

# Edit SSH config
sudo nano /etc/ssh/sshd_config

# Change port (pick an unused port between 10000 and 65535, and allow it in the firewall before restarting)
Port 22345

# Restart SSH
sudo systemctl restart sshd
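The two edits above are easy to get wrong by hand: a directive left commented out, a second copy lower in the file, or a typo that stops sshd from starting. The script below is an added example (not part of this page or any provider tooling) that makes the same three changes idempotently and runs sshd's own syntax check before you restart. It assumes a flat sshd_config with no Match blocks above the edited directives; the file path and port are whatever you pass in.

```sh
#!/bin/sh
# Added example: set sshd directives idempotently and syntax-check the
# result before restarting. Operates on whatever config file you pass in.
# Assumes a flat sshd_config (no Match blocks above the directives).

# set_sshd_option FILE KEY VALUE
# Rewrites the first line for KEY (active or commented out) to "KEY VALUE",
# drops any later duplicates, and appends the directive if KEY was absent.
set_sshd_option() {
  file="$1" key="$2" value="$3"
  tmp="$file.tmp.$$"
  awk -v k="$key" -v v="$value" '
    $0 ~ ("^[# \t]*" k "([ \t]|$)") {
      if (!done) { print k " " v; done = 1 }
      next
    }
    { print }
    END { if (!done) print k " " v }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# validate_sshd_config FILE: let sshd parse the file; never restart on failure.
validate_sshd_config() {
  if command -v sshd >/dev/null 2>&1; then
    sshd -t -f "$1"
  else
    echo "sshd not found; skipping syntax check" >&2
  fi
}

# harden_sshd FILE PORT: the three changes from this page in one step,
# with a timestamped backup of the original to roll back to.
harden_sshd() {
  cp "$1" "$1.bak.$(date +%Y%m%d%H%M%S)"
  set_sshd_option "$1" PasswordAuthentication no
  set_sshd_option "$1" PubkeyAuthentication yes
  set_sshd_option "$1" Port "$2"
  validate_sshd_config "$1"
}

# Usage (as root; restart only if validation passed):
#   harden_sshd /etc/ssh/sshd_config 22345 && systemctl restart sshd
```

Keep your current SSH session open while you test a fresh connection on the new port. On Ubuntu 22.04 and newer the stock sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf`, and sshd keeps the first value it reads, so a drop-in file there (cloud images may ship one that sets PasswordAuthentication yes) overrides anything you set lower in the main file; confirm the effective setting with `sudo sshd -T | grep -i passwordauthentication`.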

Firewall Configuration

Enable UFW firewall with minimal open ports:

# Default policies: block inbound, allow outbound
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH before enabling, or new SSH connections will be blocked
# (use your custom port if you changed it, e.g. 22345/tcp)
sudo ufw allow 22/tcp

# Enable firewall
sudo ufw enable

# Check status and default policies
sudo ufw status verbose

API Key Security

Never Hardcode Keys

# BAD - Never do this
api_key = "pk_live_abc123..."

# GOOD - Use environment variables
import os
api_key = os.environ["POLYMARKET_API_KEY"]

Secure .env Files

# Set proper permissions
chmod 600 ~/.env

# Add to .gitignore
echo ".env" >> .gitignore

Use API Key Restrictions

When possible, restrict your API keys to:

  • Specific IP addresses (your VPS IP)
  • Limited permissions (read-only if you only need market data)
  • Rate limits appropriate for your use case

System Updates

Keep your system updated:

# Update package lists
sudo apt update

# Upgrade installed packages
sudo apt upgrade -y

# Enable automatic security updates
sudo apt install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades

Monitoring for Intrusions

# Check failed login attempts
sudo grep "Failed password" /var/log/auth.log
# Debian/Ubuntu systems without /var/log/auth.log log to the journal instead:
sudo journalctl -u ssh | grep "Failed password"

# View listening sockets and the processes behind them
sudo ss -tulnp

# Check running processes (look for anything you do not recognize)
ps aux
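A raw grep of auth.log scrolls past quickly on an internet-facing VPS. The functions below are an added example (not part of this page) that turn the same log lines into a per-address count of failed SSH logins and flag addresses over a threshold. The log lines embedded in the script are constructed for the example; on a real server pipe `sudo grep 'Failed password' /var/log/auth.log` into the function instead.

```sh
#!/bin/sh
# Added example: summarise failed SSH logins per source address from
# auth.log-style lines. The lines below are constructed for this example
# (RFC 5737 documentation addresses), not taken from a real server.
SAMPLE_AUTH_LOG='Jan 10 03:14:01 vps sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51422 ssh2
Jan 10 03:14:03 vps sshd[1203]: Failed password for root from 203.0.113.7 port 51430 ssh2
Jan 10 03:14:05 vps sshd[1205]: Failed password for invalid user ubuntu from 203.0.113.7 port 51438 ssh2
Jan 10 03:15:10 vps sshd[1210]: Failed password for trader from 198.51.100.22 port 40012 ssh2
Jan 10 03:16:00 vps sshd[1212]: Accepted publickey for trader from 198.51.100.22 port 40020 ssh2: ED25519 SHA256:constructed'

# failed_logins_by_ip: read log lines on stdin, print "<count> <address>"
# for each source address, most attempts first. The sed pattern takes
# whatever sits between " from " and " port ", so IPv6 addresses work too.
failed_logins_by_ip() {
  grep 'Failed password' \
    | sed -n 's/.* from \([^ ]*\) port .*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# flag_brute_force THRESHOLD: print only addresses with at least
# THRESHOLD failed attempts in the input.
flag_brute_force() {
  failed_logins_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Stand-alone run over the constructed sample (prints 203.0.113.7).
printf '%s\n' "$SAMPLE_AUTH_LOG" | flag_brute_force 3

# On a real server:
#   sudo grep 'Failed password' /var/log/auth.log | flag_brute_force 10
```

Once password logins are disabled (see SSH Security above) every "Failed password" line is noise from scanners rather than a risk to the account, but a sudden spike from one address is still worth a look, and a tool such as fail2ban can apply the same threshold automatically and block the address in UFW.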

Backup Strategy

  • We automatically back up your VPS daily
  • Create manual snapshots before major changes
  • Keep copies of your bot code in a private Git repository
  • Store API keys in a password manager, not just on the VPS

Emergency Procedures

If you suspect your VPS has been compromised:

  1. Immediately rotate all API keys
  2. Contact our support team
  3. Review access logs for unauthorized activity
  4. Consider rebuilding from a known-good backup