{"skill":{"slug":"security-network-hardening","displayName":"Security Network Hardening","summary":"Audit and harden an OpenClaw host and its network exposure. Use for security checks, hardening, firewall setup, network exposure review, metrics endpoint res...","description":"---\nname: security-network-hardening\ndescription: Audit and harden an OpenClaw host and its network exposure. Use for security checks, hardening, firewall setup, network exposure review, metrics endpoint restriction, OpenClaw gateway security fixes, or step-by-step remediation on a Linux host running OpenClaw.\n---\n\n# Security + Network Hardening\n\nAudit first, then harden with explicit approval. Keep this file short; read the references when needed.\n\n## Core rules\n\n- Start read-only unless the user explicitly asks for fixes.\n- Require confirmation before any state-changing action.\n- Preserve current management access; do not break SSH/RDP/VNC.\n- Prefer exact findings over generic advice.\n- After workspace edits, commit them.\n\n## Read-only baseline\n\nRun:\n\n```bash\nuname -a\ncat /etc/os-release\nid\n# with sudo, -p names the owning process of every socket, not only your own\nsudo ss -ltnup 2>/dev/null || sudo ss -ltnp 2>/dev/null\nopenclaw security audit --deep\nopenclaw update status\nopenclaw status --deep\n```\n\nIf firewall state matters, also run (these need root; they only read state):\n\n```bash\nsudo ufw status verbose 2>/dev/null || true\nfirewall-cmd --state 2>/dev/null || true\nsudo nft list ruleset 2>/dev/null || true\n```\n\n## Priorities\n\nCheck for these first:\n1. elevated wildcard access in `tools.elevated.allowFrom.*`\n2. writable credentials directories\n3. missing gateway auth rate limiting\n4. broad or unclear listening ports\n5. metrics endpoints exposed too widely\n6. ineffective custom `gateway.nodes.denyCommands`\n7. workspace skill symlink escapes\n\n## Fix patterns\n\nRead these only when relevant:\n- UFW/firewall workflow: `references/ufw-playbook.md`\n- OpenClaw config fixes: `references/openclaw-fix-patterns.md`\n\n## Artifact generation\n\nWhen the user wants generated files, create:\n- `firewall-rules.md`\n- `apply-firewall.sh`\n- `scripts/rollback-firewall.sh`\n- `scripts/verify-firewall.sh`\n\n## Safe firewall order\n\n1. Confirm the allowed source subnet/IPs with the user.\n2. If SSH is in use, add the SSH allow rule (limited to those sources) before any deny rule and before enabling the firewall.\n3. Apply LAN-only and single-host rules for the gateway and metrics ports.\n4. Verify from the expected clients while the current session stays open as a fallback.\n5. Re-check `sudo ufw status verbose` and `sudo ss -ltnp`.\n\n## Verification\n\nAfter fixes, verify with:\n\n```bash\nopenclaw security audit --deep\nopenclaw gateway status\npython3 -m json.tool ~/.openclaw/openclaw.json >/dev/null\nsudo ufw status verbose\nsudo ss -ltnp\n```\n\nSuccess means:\n- no critical audit findings\n- no warning audit findings when practical\n- gateway reachable\n- required ports reachable only from approved sources\n","tags":{"latest":"1.0.0"},"stats":{"comments":0,"downloads":877,"installsAllTime":33,"installsCurrent":4,"stars":0,"versions":1},"createdAt":1773651010145,"updatedAt":1778491943830},"latestVersion":{"version":"1.0.0","createdAt":1773651010145,"changelog":"Initial release: OpenClaw security audit, firewall hardening, references, rollback and verify scripts.","license":"MIT-0"},"metadata":null,"owner":{"handle":"jimpang8","userId":"s1736wtx4czmawjbjssf1gqs0n8841tq","displayName":"jimpang8","image":"https://avatars.githubusercontent.com/u/27860553?v=4"},"moderation":null}
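The "Safe firewall order" and the `apply-firewall.sh` / `scripts/rollback-firewall.sh` artifacts named in the skill above, worked through as an added example. This is not the skill's own generated script and not OpenClaw project code; the subnet `192.168.1.0/24`, the admin host `192.168.1.10`, and the gateway/metrics ports `8443`/`9100` are placeholder assumptions that a real run would replace with the sources the user approved and the ports seen in `ss -ltnp`. It is written as POSIX sh so it runs under dash or bash, prints the rule set for review by default (the skill's "confirm before any state-changing action" rule), and only executes it when `APPLY=1` is set.

```sh
#!/bin/sh
# Added example (not the skill's apply-firewall.sh and not OpenClaw code):
# emit, and optionally apply, a ufw rule set in the skill's safe firewall
# order: SSH from approved sources first, then LAN-only / single-host
# service rules, then default deny, then enable. Dry-run unless APPLY=1.
# All addresses and ports below are assumed placeholders.
set -eu

ALLOWED_CIDR="${ALLOWED_CIDR:-192.168.1.0/24}"   # assumed management subnet
ADMIN_HOST="${ADMIN_HOST:-192.168.1.10}"          # assumed single metrics scraper
SSH_PORT="${SSH_PORT:-22}"
GATEWAY_PORT="${GATEWAY_PORT:-8443}"             # placeholder, not an OpenClaw default
METRICS_PORT="${METRICS_PORT:-9100}"             # placeholder, not an OpenClaw default

# Accept only an IPv4 dotted quad with an optional /0-32 prefix. Hostnames,
# octets above 255, bad prefixes and stray dots are rejected so that a typo
# can never be passed to ufw as a broader source than intended.
valid_cidr() {
  ip=${1%/*}
  case $1 in */*) prefix=${1#*/} ;; *) prefix=32 ;; esac
  case $prefix in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  case $ip in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print the ufw commands in dependency order. The SSH rule is always the
# first line so enabling the firewall cannot cut off the session applying
# it; the default-deny and enable lines always come last.
build_rules() {
  valid_cidr "$ALLOWED_CIDR" || { echo "invalid ALLOWED_CIDR: $ALLOWED_CIDR" >&2; return 1; }
  valid_cidr "$ADMIN_HOST"   || { echo "invalid ADMIN_HOST: $ADMIN_HOST" >&2; return 1; }
  cat <<EOF
ufw allow from $ALLOWED_CIDR to any port $SSH_PORT proto tcp comment 'ssh from approved subnet'
ufw allow from $ALLOWED_CIDR to any port $GATEWAY_PORT proto tcp comment 'gateway LAN-only'
ufw allow from $ADMIN_HOST to any port $METRICS_PORT proto tcp comment 'metrics single host'
ufw default deny incoming
ufw default allow outgoing
ufw --force enable
EOF
}

# Rollback restores reachability first. The rules stay on disk for
# inspection with `ufw status`; `ufw --force reset` discards them entirely.
build_rollback() {
  cat <<EOF
ufw --force disable
EOF
}

main() {
  case "${1:-rules}" in
    rules)    build_rules ;;
    rollback) build_rollback ;;
    *) echo "usage: $0 [rules|rollback]" >&2; return 2 ;;
  esac
}

# Dry-run by default: print the commands for review and approval.
# APPLY=1 pipes them into a root shell that stops at the first failure.
if [ "${APPLY:-0}" = "1" ]; then
  main "${1:-rules}" | sudo sh -e
else
  main "${1:-rules}"
fi
```

Run it once without `APPLY` and paste the output into `firewall-rules.md` for the user to approve; run `APPLY=1 ./apply-firewall.sh rules` only from a session that is already inside `ALLOWED_CIDR`, and keep that session open until a second client has confirmed SSH still answers. `./apply-firewall.sh rollback` prints the disable step for `scripts/rollback-firewall.sh`.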