Securing Your VPS for OpenClaw: A Survival Guide

Basic VPS Security Guide for OpenClaw Setup

A VPS is a solid, always-on, and cost-effective way to run an OpenClaw setup. But it requires additional security steps to make sure it doesn't get taken over by random cryptominer malware.

Spin up a fresh VPS and watch your logs. The internet is a dark forest - you'll get brute force attempts at guessing your password within 5 minutes of spinning up a fresh VPS. Follow this guide to keep your OpenClaw box safe.

> Unironically we will be doing all of these steps, though there's an agent version of the guide to do it in one shot on Claude.

Want an AI-native guide? You can also give the agent walkthrough to your AI assistant and have it execute these steps for you.

Here's what you need to do to survive.


1. Create a Non-Root User Immediately

Never run operations as root. Create a dedicated user with sudo privileges:

# Add a new user (you'll be prompted to set a password)
adduser yourusername

# Add to sudo group
usermod -aG sudo yourusername

# Switch to new user
su - yourusername

# Verify sudo works
sudo whoami
# Should output: root

Important: Store this password in a password manager like 1Password. You'll need it for sudo commands.


1.5. Disable Root Password (Optional but Recommended)

If you want to completely prevent password-based root login (even once you're using keys), lock the root account's password:

# As root or sudo user, lock root password
sudo passwd -l root

Note: This prevents any password-based root access. Ensure your sudo user works correctly before doing this! If you need root access later, you can use sudo -i or sudo su - from your sudo-enabled user.


2. Lock Down SSH: Custom Port + Key Auth + No Root

WARNING: The order of operations here is critical. Many people have locked themselves out by enabling the firewall before SSH is actually listening on the new port.

Default SSH on port 22 is a magnet for attacks. Move it and harden it.

Step 2.1: Configure SSH Client First (On Your Local Machine)

Before touching the server, set up your local SSH config:

# ~/.ssh/config
Host my-vps
    HostName YOUR_SERVER_IP
    Port 2222
    User yourusername
    IdentityFile ~/.ssh/id_ed25519
    ServerAliveInterval 60
    ServerAliveCountMax 3
    IdentitiesOnly yes

Step 2.2: Install SSH Key on Server

# On your local machine, copy your public key
cat ~/.ssh/id_ed25519.pub

# On the server, as your user
mkdir -p ~/.ssh
echo "your-public-key-content" >> ~/.ssh/authorized_keys
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

Step 2.3: Edit SSH Config

Edit /etc/ssh/sshd_config:

# Change default port (pick something above 1024)
Port 2222

# Disable root login
PermitRootLogin no

# Disable password authentication (use keys only)
PasswordAuthentication no
PubkeyAuthentication yes

# Allow only your specific user
AllowUsers yourusername

Step 2.4: CRITICAL - Restart SSH and Verify

Do NOT skip this step. Do NOT proceed to firewall until this works.

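# Restart SSH to bind to new port
# (on Debian/Ubuntu the unit is ssh.service; if "sshd" is not found, restart "ssh" instead)
sudo systemctl restart sshd

# Verify SSH is actually listening on new port
# (sudo is needed for -p to show the owning process)
sudo ss -tlnp | grep 2222
# Should show sshd listening on port 2222

# Test in NEW terminal (keep current one open!)
ssh -p 2222 yourusername@YOUR_SERVER_IP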

Only proceed after you've successfully connected on the new port in a separate terminal.
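
A check to run alongside Step 2.4, as an added example that is not part of the original guide: it compares the settings sshd is actually running (the output of sshd -T) with the values from Step 2.3. The function name, the EXPECTED list and both sample outputs are constructed for illustration, and the Include behaviour mentioned in the comments assumes an image whose sshd_config begins with an Include of /etc/ssh/sshd_config.d/*.conf.

```shell
#!/bin/sh
# Added example (not from the original guide): compare sshd's EFFECTIVE settings
# with the values from Step 2.3. On the server: sudo sshd -T | audit_sshd
# Why: sshd keeps the first value it reads for a keyword, so a drop-in pulled in by
# an Include line at the top of sshd_config can override what you edited below it.

# Hardened values from this guide (port and username are the guide's placeholders).
EXPECTED='port 2222
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
allowusers yourusername'

# Reads `sshd -T` style output ("keyword value", lowercase keywords) on stdin,
# prints one line per mismatch, and returns the number of mismatches.
audit_sshd() {
    effective=$(cat)
    fails=0
    while read -r key want; do
        # Join every value reported for the keyword (it may span several lines).
        got=$(printf '%s\n' "$effective" |
              awk -v k="$key" '$1 == k { print $2 }' | paste -sd ' ' -)
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key: want '$want', effective '${got:-unset}'"
            fails=$((fails + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    return "$fails"
}

# Constructed sample: the settings from Step 2.3 all took effect.
SAMPLE_HARDENED='port 2222
addressfamily any
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
x11forwarding no
allowusers yourusername'

# Constructed sample: an earlier drop-in still forces password logins on.
SAMPLE_OVERRIDDEN='port 2222
permitrootlogin no
passwordauthentication yes
pubkeyauthentication yes
allowusers yourusername'

printf '%s\n' "$SAMPLE_HARDENED" | audit_sshd && echo "hardened sample: OK"
printf '%s\n' "$SAMPLE_OVERRIDDEN" | audit_sshd || echo "overridden sample: fix before closing port 22"
```

A mismatch on passwordauthentication after editing /etc/ssh/sshd_config usually means another file sets it first; fix that file, restart SSH, and re-run the check.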


3. Firewall Everything with UFW

SAFETY FIRST: Keep port 22 open initially, enable new port, test, then close port 22.

# Enable UFW with defaults
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow BOTH ports during transition (safety!)
sudo ufw allow 22/tcp      # Keep old port temporarily
sudo ufw allow 2222/tcp    # New port

# Allow other services
sudo ufw allow 3000/tcp    # OpenClaw gateway (if exposed)
sudo ufw allow 80/tcp      # HTTP
sudo ufw allow 443/tcp     # HTTPS

# Enable firewall
sudo ufw enable

# Verify status
sudo ufw status

Step 3.1: Test and Remove Port 22

After confirming you can connect on port 2222:

# Test new port works in a NEW terminal
ssh my-vps

# If successful, remove port 22 access
sudo ufw delete allow 22/tcp

# Verify only new port remains
sudo ufw status

4. Install Fail2Ban for Automated Defense

Fail2Ban monitors logs and automatically bans IPs showing malicious patterns:

# Install
sudo apt install fail2ban

# Create local config
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

# Edit jail.local
sudo nano /etc/fail2ban/jail.local

Key settings for your custom SSH port (strict - 24 hour ban after 3 failures):

[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 86400
findtime = 600

Start and enable:

sudo systemctl enable fail2ban
sudo systemctl start fail2ban

# Check banned IPs
sudo fail2ban-client status sshd
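
To see how maxretry and findtime from the jail above interact, here is an added example that is not part of the original guide and is not fail2ban's real sshd filter: a simplified sliding-window count over constructed auth.log lines. The function name, the log lines and the two matched message patterns are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide, and NOT fail2ban's real sshd filter):
# a simplified model of how maxretry and findtime from the [sshd] jail interact.

# would_ban MAXRETRY FINDTIME: reads auth.log lines on stdin and prints each source
# IP at the moment it reaches MAXRETRY failures inside a FINDTIME-second window.
# Assumptions: syslog-style timestamps ("Jan 10 03:14:01"), all lines in one month.
would_ban() {
    awk -v maxretry="$1" -v findtime="$2" '
    /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
        # Timestamp as seconds since the start of the month.
        split($3, t, ":")
        now = $2 * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
        # The source address is the token after the last "from".
        ip = ""
        for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip == "" || (ip in banned)) next
        n[ip]++
        seen[ip, n[ip]] = now
        # Count this failure plus earlier ones still inside the window.
        hits = 0
        for (j = n[ip]; j >= 1 && now - seen[ip, j] <= findtime; j--) hits++
        if (hits >= maxretry) { banned[ip] = 1; print ip }
    }'
}

# Constructed sample log (documentation IP ranges, made-up PIDs and ports).
SAMPLE_AUTH_LOG='Jan 10 03:14:01 vps sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Jan 10 03:14:09 vps sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Jan 10 03:14:15 vps sshd[1207]: Failed password for root from 203.0.113.7 port 51141 ssh2
Jan 10 03:20:00 vps sshd[1300]: Invalid user admin from 198.51.100.23 port 40000
Jan 10 03:30:00 vps sshd[1400]: Accepted publickey for yourusername from 192.0.2.10 port 50000 ssh2
Jan 10 03:45:00 vps sshd[1500]: Invalid user test from 198.51.100.23 port 40001
Jan 10 04:10:00 vps sshd[1600]: Invalid user oracle from 198.51.100.23 port 40002'

# Fast burst is caught; the slow source (one try every 25 min) slips under findtime=600.
echo "maxretry=3 findtime=600:";  printf '%s\n' "$SAMPLE_AUTH_LOG" | would_ban 3 600
# A one-hour window catches the slow source as well.
echo "maxretry=3 findtime=3600:"; printf '%s\n' "$SAMPLE_AUTH_LOG" | would_ban 3 3600
```

To test the real filter against your own log instead of this model, fail2ban ships fail2ban-regex (for example: fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf).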

5. What To Do If You Ban Yourself

If you trigger fail2ban and lock yourself out:

1. Access your VPS provider's control panel

2. Look for "KVM", "Console", or "Rescue" access

3. Connect via the web console (this bypasses SSH)

4. Unban your IP:

# Check banned IPs
sudo fail2ban-client status sshd

# Unban your IP (replace with your actual IP)
sudo fail2ban-client set sshd unbanip YOUR_IP_ADDRESS

5. Review your SSH config to prevent future bans:

- Ensure IdentitiesOnly yes is set

- Verify you're using the correct key

- Consider adding your IP to fail2ban whitelist (with caution):

# Add to /etc/fail2ban/jail.local under [DEFAULT]
ignoreip = 127.0.0.1/8 YOUR_HOME_IP

6. Monitor and Update

Set up automatic security updates:

sudo apt install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades

Monitor your logs regularly:

# Watch failed SSH attempts in real-time
sudo tail -f /var/log/auth.log

# See who's currently connected
who

# Check recent login history
last

The Result

After implementing these measures, my server went from hundreds of failed SSH attempts daily to near-zero successful intrusions. The bots still knock, but they can't get in.

OpenClaw gets more powerful the more access you give it - to your calendar, messages, files, and other services. But that also means a compromised OpenClaw server becomes more damaging. The foundation matters more here than on a typical VPS.

Want an AI-native guide? Check out the Agent Walkthrough Guide - a structured guide designed for AI agents to walk you through securing your VPS step by step, plus instructions for checking if your server has been compromised.

Stay paranoid. Stay secure.

  • Nick