Securing Your OpenClaw Instance: SSL, Firewall & Auth Best Practices
Harden your OpenClaw AI server: Let's Encrypt SSL, UFW firewall rules, OpenClaw authentication, fail2ban for SSH, and a regular security update routine.
A self-hosted OpenClaw AI assistant gives you full control over your data and conversations — but that control comes with responsibility. An improperly secured server exposes your AI provider API keys, your conversation history, and potentially your entire VPS to the internet. This guide walks through the essential hardening steps every OpenClaw installation should have in place.
1. Nginx SSL Termination with Let’s Encrypt
If you followed the VPS install guide, you already have SSL configured. Here’s how to verify it’s set up correctly and auto-renewing.
Check your Certbot certificate status:
sudo certbot certificates
You should see your domain listed with an expiry date. Certbot auto-renews certificates before they expire — verify the renewal timer is active:
sudo systemctl status certbot.timer
To test renewal manually without actually renewing:
sudo certbot renew --dry-run
Ensure your nginx config enforces HTTPS and redirects HTTP requests:
server {
    listen 80;
    server_name ai.yourdomain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name ai.yourdomain.com;

    ssl_certificate     /etc/letsencrypt/live/ai.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ai.yourdomain.com/privkey.pem;

    location / {
        proxy_pass http://localhost:18789;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
2. UFW Firewall Rules
OpenClaw runs on port 18789 by default. This port should not be exposed to the public internet — traffic should only reach OpenClaw via nginx on ports 80 and 443. Configure UFW to enforce this:
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp # SSH
sudo ufw allow 80/tcp # HTTP (for Let's Encrypt and redirects)
sudo ufw allow 443/tcp # HTTPS (all web traffic)
sudo ufw enable
sudo ufw status
Do not add a rule for port 18789. OpenClaw should be internal-only, proxied through nginx. Verify there’s no public exposure:
sudo ss -tlnp | grep 18789
The output should show 127.0.0.1:18789, confirming it’s bound to localhost only. If you see 0.0.0.0:18789, edit your OpenClaw config to bind to localhost:
server:
  host: "127.0.0.1"
  port: 18789
3. OpenClaw Authentication Config
OpenClaw’s built-in authentication prevents unauthorised access to the web interface and API endpoints. At minimum, set a strong admin password in your config:
auth:
  enabled: true
  admin_password: "use-a-long-random-string-here"
  api_key: "another-long-random-string-for-api-access"
Generate secure values with:
openssl rand -hex 32
Run that command twice to get separate values for admin_password and api_key.
For teams using the OpenClaw Business tier, also configure allowed user IDs per channel in the channel config — this ensures only your team members can interact with the AI, even if someone discovers the bot’s Telegram or Discord handle.
4. Fail2ban for SSH Protection
Brute-force SSH attacks are constant on any public-facing VPS. Fail2ban automatically bans IPs that make repeated failed login attempts:
sudo apt-get install -y fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
Create a local config override at /etc/fail2ban/jail.local:
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 5
[sshd]
enabled = true
port = 22
This bans any IP that fails SSH login 5 times within 10 minutes, for 1 hour. Adjust bantime upward (e.g., 86400 for 24 hours) for stricter protection.
Verify fail2ban is running and monitoring SSH:
sudo fail2ban-client status sshd
5. Disable Password SSH Authentication
The strongest SSH protection is to disable password authentication entirely and require SSH keys:
sudo nano /etc/ssh/sshd_config
Set these values:
PasswordAuthentication no
PermitRootLogin prohibit-password
PubkeyAuthentication yes
Restart SSH:
sudo systemctl restart sshd
Ensure you have your SSH key working before making this change, or you will lock yourself out.
6. Keeping OpenClaw Updated
OpenClaw is actively maintained as an open-source project. Security patches and dependency updates are released regularly. Build a habit of updating your installation monthly:
cd /opt/openclaw
git pull origin main
npm install
pm2 restart openclaw
Also keep your system packages current:
sudo apt-get update && sudo apt-get upgrade -y
Enable unattended security upgrades for the OS:
sudo apt-get install -y unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
Security Checklist
Before considering your OpenClaw instance secure, verify all of these:
- HTTPS enforced with valid Let’s Encrypt certificate
- Port 18789 bound to localhost only (not 0.0.0.0)
- UFW active: only 22, 80, 443 open
- OpenClaw auth enabled with strong password
- Fail2ban installed and monitoring SSH
- Password SSH authentication disabled
- Auto-updates enabled for OS security patches
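The port-binding, firewall and SSH checks from sections 2 and 5 can be scripted so the checklist is verified rather than eyeballed. The helper below is an added example, not part of OpenClaw or this guide; it assumes the default port 18789, the `ss -tlnp` and `ufw status` output formats, and that sshd_config uses the first occurrence of each keyword (Match blocks are not evaluated).

```shell
#!/usr/bin/env bash
# Added audit helper (not part of OpenClaw). Each check reads captured command
# output, returns 0 on pass and 1 on fail, and explains failures on stderr.
# Live use:   ss -tlnp | check_openclaw_bind
#             sudo ufw status | check_ufw_ports
#             check_sshd_config /etc/ssh/sshd_config
OPENCLAW_PORT=18789

# Fail if any LISTEN socket on the OpenClaw port is bound to a non-loopback
# address (0.0.0.0, * or [::]). Field 4 of `ss -tlnp` is Local Address:Port.
check_openclaw_bind() {
  bad=$(awk -v p="$OPENCLAW_PORT" '$1 == "LISTEN" && $4 ~ (":" p "$") &&
        $4 !~ /^127\./ && $4 !~ /^\[::1\]/ { print $4 }')
  [ -z "$bad" ] && return 0
  printf 'port %s exposed on: %s\n' "$OPENCLAW_PORT" "$bad" >&2; return 1
}

# Fail if UFW is inactive or any ALLOW rule names a port other than 22, 80, 443
# (rules by app profile or source network are listed too, for manual review).
check_ufw_ports() {
  rules=$(cat)
  printf '%s\n' "$rules" | grep -q '^Status: active' || { echo 'ufw inactive' >&2; return 1; }
  extra=$(printf '%s\n' "$rules" | awk '/ALLOW/ { split($1, a, "/");
          if (a[1] != "22" && a[1] != "80" && a[1] != "443") print $1 }')
  [ -z "$extra" ] && return 0
  printf 'unexpected ALLOW rules: %s\n' "$extra" >&2; return 1
}

# First effective value of a keyword in an sshd_config file, as sshd reads it:
# comments stripped, keyword case-insensitive, first occurrence wins.
# Assumption: Match blocks are not evaluated by this helper.
sshd_opt() { awk -v k="$2" '{ sub(/#.*/, "") } NF >= 2 && tolower($1) == tolower(k) {
               print tolower($2); exit }' "$1"; }

# Fail unless password logins are off. Absent PermitRootLogin/PubkeyAuthentication
# keep their secure defaults; absent PasswordAuthentication defaults to yes.
check_sshd_config() {
  rc=0
  pw=$(sshd_opt "$1" PasswordAuthentication)
  [ "$pw" = no ] || { echo "PasswordAuthentication=${pw:-unset}" >&2; rc=1; }
  case $(sshd_opt "$1" PermitRootLogin) in ''|no|prohibit-password) ;;
    *) echo 'PermitRootLogin allows password root login' >&2; rc=1 ;; esac
  case $(sshd_opt "$1" PubkeyAuthentication) in ''|yes) ;;
    *) echo 'PubkeyAuthentication disabled' >&2; rc=1 ;; esac
  return $rc
}
```

Source the file in a shell and run the three live commands from the header comment; a non-zero exit from any of them means the corresponding checklist item is not met.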
Need a Professionally Maintained Instance?
Security configuration is one of the most common areas where self-managed OpenClaw installations fall short. A single misconfigured firewall rule or an outdated dependency can expose your entire server. Our OpenClaw maintenance service keeps your instance patched, monitored, and hardened — so you can focus on using your AI assistant, not securing it.
Ready for Your Personal AI Assistant?
Free 30-minute consultation. We'll assess your setup and recommend the right OpenClaw configuration for you.