vps-openclaw-security-hardening

Production-ready security hardening for VPS running OpenClaw AI agents. Includes SSH hardening (custom port), firewall, audit logging, credential management, and intelligent alerting. Follows BSI IT-Grundschutz and NIST guidelines with minimal resource overhead.

Safety Notice

This listing is from the official public ClawHub registry. Review SKILL.md and referenced scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "vps-openclaw-security-hardening" with this command: npx skills add MarcusGraetsch/vps-openclaw-security-hardening

VPS Security Hardening for OpenClaw

Production-ready security hardening for AI agent deployments on VPS.

⚠️ CRITICAL WARNINGS

DO NOT run OpenClaw on servers/machines with sensitive personal data. Use a dedicated machine (VPS, bare-metal, or on-premise server dedicated to OpenClaw).

Supported OS: Ubuntu 20.04+, Debian 11+. Not for Windows (use WSL2) or macOS.

⚠️ Choose Your SSH Port First

You must choose a custom SSH port (1024-65535) before installing. This makes you conscious of the security decision.

# Choose your port (example: 4848)
export SSH_PORT=4848

# Install
cd ~/.openclaw/skills/vps-openclaw-security-hardening
sudo ./scripts/install.sh

# Verify
./scripts/verify.sh

# Test SSH (new terminal)
ssh -p ${SSH_PORT} root@your-vps-ip

What It Does

LayerProtectionImplementation
NetworkFirewall, SSH hardeningUFW, custom port (your choice), key-only
SystemAuto-updates, monitoringunattended-upgrades, auditd
SecretsCredential managementCentralized .env, 600 permissions
MonitoringAudit logging, alertingKernel-level audit, multi-channel alerts

Requirements

  • OS: Ubuntu 20.04+ or Debian 11+ (Linux only)
  • NOT supported: Windows (use WSL2), macOS
  • Root access
  • Existing SSH key authentication
  • Alert channel (optional): Telegram, Discord, Slack, Email, or Webhook
  • Custom SSH port of your choice (1024-65535)

Security Changes

SSH

  • Port: 22 → ${SSH_PORT} (your choice, 1024-65535)
  • Auth: Keys only (no passwords)
  • Root login: Disabled
  • Max retries: 3
  • Fail2ban: Brute-force protection

Firewall

  • Default: Deny incoming
  • Allow: Your chosen SSH port only

Services

  • CUPS (printing): Stopped & disabled
  • Fail2ban: Intrusion detection enabled
  • Auto-updates: Security patches automatic

Monitoring

  • Credential file access tracking
  • SSH config change detection
  • Privilege escalation alerts
  • Daily security briefing

Resource Usage

ComponentRAMDisk
Auditd~2 MB40 MB max
UFW~1 MBNegligible
Scripts~5 MBNegligible
Total<10 MB<50 MB

Files

  • scripts/install.sh - Main installation
  • scripts/verify.sh - Verify installation
  • scripts/rollback-ssh.sh - Emergency rollback
  • scripts/critical-alert.sh - Telegram alerts
  • scripts/daily-briefing.sh - Daily reports
  • rules/audit.rules - Audit configuration

Documentation

See README.md for full documentation.

License

MIT - See LICENSE file

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open Registry RecordOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Security

ZipCracker

The ultimate, high-performance ZIP password cracking suite by Hx0 Team. Empowers the Agent with autonomous CTF-level cracking workflows, dynamic dictionary g...

Registry SourceRecently Updated
0162
asaotomo
Security

clawexam

Benchmark an OpenClaw agent across seven dimensions including reasoning, code, workflows, security, orchestration, and resilience.

Registry SourceRecently Updated
086
Profile unavailable
Security

Ring Security

Monitor and manage Ring doorbells and security cameras. Query device status, review motion events, manage modes, and export event history. Use when you need...

Registry SourceRecently Updated
0150
Profile unavailable