OpenClaw Server Security & Installation

Overview

This skill guides the setup of a secure, self-hosted OpenClaw instance. It covers SSH hardening, Firewall configuration, Tailscale VPN setup, and the OpenClaw installation itself.

Workflow

Phase 1: System Hardening

Lock down SSH

Goal: Keys only, no passwords, no root login.
Action: Modify
```
/etc/ssh/sshd_config
```
.

Commands:

# Backup config
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
# Disable Password Auth
sudo sed -i 's/^#*PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
# Disable Root Login
sudo sed -i 's/^#*PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
# Reload SSH
sudo sshd -t && sudo systemctl reload ssh

Default-deny Firewall

Goal: Block everything incoming by default.
Action: Install and enable UFW.

Commands:

sudo apt update && sudo apt install ufw -y
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw enable

Note: Ensure you have console access or a fallback before enabling if SSH is not yet allowed on another interface, though we configure Tailscale next.

Brute-force Protection

Goal: Auto-ban IPs after failed login attempts.
Action: Install Fail2ban.

Commands:

sudo apt install fail2ban -y
sudo systemctl enable --now fail2ban

Phase 2: Network Privacy (Tailscale)

Install Tailscale

Goal: Create a private VPN mesh network.

Commands:

curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up

Wait for user to authenticate the Tailscale link.

Configure SSH & Web via Tailscale

Goal: Allow traffic only from the Tailscale subnet (100.64.0.0/10) and remove public access.

Commands:

# Allow SSH over Tailscale
sudo ufw allow from 100.64.0.0/10 to any port 22 proto tcp
# Remove public SSH access (Adjust rule name/number as needed)
sudo ufw delete allow OpenSSH || sudo ufw delete allow 22/tcp
# Allow Web ports over Tailscale
sudo ufw allow from 100.64.0.0/10 to any port 443 proto tcp
sudo ufw allow from 100.64.0.0/10 to any port 80 proto tcp

Disable IPv6 (Optional)

Goal: Reduce attack surface.

Commands:

sudo sed -i 's/IPV6=yes/IPV6=no/' /etc/default/ufw
if ! grep -q "net.ipv6.conf.all.disable_ipv6 = 1" /etc/sysctl.conf; then
  echo "net.ipv6.conf.all.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.conf
fi
sudo sysctl -p && sudo ufw reload

Phase 3: OpenClaw Installation

Install OpenClaw

Commands:

npm install -g openclaw && openclaw doctor

Configure Owner Access

Required Input: Ask the user for their Telegram ID.
Action: Update the config to allowlist only that ID.

JSON Config Target (verify location via

openclaw doctor

{ 
  "dmPolicy": "allowlist", 
  "allowFrom": ["YOUR_TELEGRAM_ID"], 
  "groupPolicy": "allowlist" 
}

Secure Credentials

Goal: Restrict file permissions.

Commands:

chmod 700 ~/.openclaw/credentials 2>/dev/null || true
chmod 600 .env 2>/dev/null || true

Final Audit

Action: Run the built-in security audit.

Command:

openclaw security audit --deep

Verification Status

Run to confirm:

sudo ufw status verbose
ss -tulnp
tailscale status
openclaw doctor

openclaw-server-secure-skill

AI Skill Market Insights

Be Part of the 0+ Developer Community

OpenClaw Server Security & Installation

Overview

Workflow

Phase 1: System Hardening

Phase 2: Network Privacy (Tailscale)

Phase 3: OpenClaw Installation

Verification Status

Quick Start

Manual Installation

TEAR & SHARE

Tags

Check Security

Check Privacy

Check Aws Security

Skill Vetter

ClawDefender - OpenClaw Security - Prompt injection, rogue skills etc

Channels

Learn

Compare

Company