Host Hardening

v1.0.5

Harden an OpenClaw Linux server with SSH key-only auth, UFW firewall, fail2ban brute-force protection, and credential permissions. Use when setting up a new...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name/description (host hardening for OpenClaw) matches the actions in SKILL.md: SSH key-only auth, UFW rules, fail2ban installation, credential permission tightening, and an optional OpenClaw gateway service. Nothing requested is unrelated to host hardening.
Instruction Scope
Instructions explicitly modify system-wide config (sshd_config, UFW, package installation, chmod of the credential file), which is expected for hardening, and the document warns to confirm before running commands. However, it also instructs creating and enabling a systemd service that runs as root without checking whether the referenced 'openclaw' binary exists or is trusted; this increases risk and should be reviewed line by line before enabling.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is downloaded or written by an install step. That lowers installer-side risk.
Credentials
The skill requests no environment variables or external credentials. It does touch ~/.openclaw/credentials (chmod 700), which is directly relevant to the stated purpose. No unrelated secrets or services are requested.
Persistence & Privilege
While the skill itself is not always-enabled, it recommends creating and enabling a persistent systemd service that runs as root and restarts automatically. Enabling such a service grants long-term execution privilege; verify the service binary, consider running it under a less-privileged user, and only enable after confirming the binary and behavior.
Assessment
This SKILL.md is coherent for hardening, but it operates with root privileges and suggests enabling a persistent root-run service. Before applying: (1) Confirm you have working SSH key access so you don't lock yourself out, and test in a staging instance first. (2) Manually review the systemd service file (the skill creates /etc/systemd/system/openclaw-gateway.service) and verify the openclaw binary path and contents; prefer running the service as a dedicated non-root user if possible. (3) Do not enable the service unless the openclaw binary that /usr/bin/env openclaw gateway resolves to exists and is trusted. (4) When enabling UFW on a remote host, ensure the rules include your admin access, or you risk losing connectivity. (5) Keep backups of the config files changed (sshd_config, UFW rules, fail2ban jails) so you can revert. (6) The package install step uses apt-get; adjust for non-Debian distributions. Finally, the skill source/homepage is unknown; if you need stronger assurance, request the canonical source or a packaged, reviewed implementation before automating these changes.

SKILL.md

Host Hardening

Secure a Linux server running OpenClaw.

Requirements

  • OS: Linux (Ubuntu/Debian — adjust package commands for other distros)
  • Privileges: Root or sudo required — this skill modifies system-wide security config
  • Pre-check: Verify you have SSH key-based access before disabling password auth

⚠️ All commands below modify system configuration. Confirm with the user before running each section. Do not run these automatically without explicit approval.

SSH — Key-Only Auth

Disables password authentication and limits root to key-based login. Ensure key-based SSH works first or you will be locked out; keep your current session open and test a fresh login after the restart. On Ubuntu 22.04+ and Debian 12 images, sshd_config starts with Include /etc/ssh/sshd_config.d/*.conf, and cloud-init's 50-cloud-init.conf in that directory may set PasswordAuthentication yes; sshd keeps the first value it reads, so that drop-in wins over an edit of the main file unless it is changed too. Validate with sshd -t before restarting.

sed -i 's/^#*PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
sed -i 's/^PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config.d/*.conf 2>/dev/null   # drop-ins are read first and win
sshd -t && systemctl restart ssh   # sshd -t rejects a broken config before the restart can lock you out

Firewall — Deny All Except SSH

ufw default deny incoming
ufw default allow outgoing
ufw allow ssh        # 22/tcp from /etc/services; if sshd listens elsewhere: ufw allow <port>/tcp
ufw --force enable   # non-interactive; same as answering yes at the prompt

Add more rules as needed (e.g. ufw allow 443/tcp for HTTPS). ufw limit ssh instead of ufw allow ssh keeps the port open but drops an address that opens more than 6 new connections in 30 seconds, a cheap first layer under fail2ban. Add the SSH rule before enabling: a default-deny firewall with no SSH rule leaves the current session alive but blocks every new login.

Fail2ban — Brute-Force Protection

Installs fail2ban via apt (Debian/Ubuntu). Adjust for other package managers.

apt-get install -y fail2ban
systemctl enable --now fail2ban
fail2ban-client status sshd   # confirms the sshd jail is running and lists banned addresses

The packaged defaults enable the sshd jail. Put overrides in /etc/fail2ban/jail.local rather than editing jail.conf, which package upgrades replace. On Debian 12 images without rsyslog there is no /var/log/auth.log, so the sshd jail fails to start; set backend = systemd under [DEFAULT] in jail.local so fail2ban reads the journal instead, and set port = <port> under [sshd] if SSH does not listen on 22.

OpenClaw Credentials

The tilde expands in your own shell: as a sudo user it points at your home, not /root (the service below uses /root/.openclaw), so use the absolute path of the home the gateway actually runs from. 700 is a directory mode; if credentials is a single file use 600 so it is not marked executable.

chmod 700 ~/.openclaw/credentials   # directory; for a file: chmod 600 ~/.openclaw/credentials

OpenClaw Gateway Service (optional)

Creates a systemd unit so the gateway starts at boot and is restarted if it exits. It runs as root, so review the unit before enabling. Under systemd, /usr/bin/env searches systemd's fixed default PATH (the usual /usr/local and /usr bin and sbin directories), not your login shell's, so a user-local install of openclaw will not be found: check that command -v openclaw prints a path in one of those directories, or put that absolute path in ExecStart. systemctl enable only registers the unit for the next boot; add --now to start it immediately.

cat > /etc/systemd/system/openclaw-gateway.service << 'EOF'
[Unit]
Description=OpenClaw Gateway
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
# env searches systemd's default PATH only; an absolute path here is less surprising
ExecStart=/usr/bin/env openclaw gateway
Restart=always
RestartSec=5
# Root as shipped. A dedicated user plus NoNewPrivileges=true and ProtectSystem=strict is the safer shape once the binary is verified
User=root
WorkingDirectory=/root/.openclaw
Environment=HOME=/root
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload && systemctl enable openclaw-gateway   # registers for boot only; add --now to start it immediately

Verify

ufw status                                        # Status: active, with the SSH port allowed
systemctl is-active fail2ban                      # active
fail2ban-client status sshd                       # jail running; lists currently banned IPs
sshd -T | grep -i '^passwordauthentication'       # passwordauthentication no (effective value, drop-ins included)
stat -c %a ~/.openclaw/credentials                # 700 for a directory, 600 for a file
systemctl is-enabled openclaw-gateway             # enabled (only if you chose to enable the service)
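
The steps above as one script, added here as an example; it is not part of the skill or of OpenClaw. It is the same procedure with the checks a practitioner wants before touching a live host: it refuses to disable passwords unless the admin account already has a public key, handles the sshd_config.d drop-in case, validates with sshd -t before restarting, rate-limits the SSH port, points fail2ban at the journal, and writes a unit for a dedicated non-root user with an absolute ExecStart. Each step is a function that takes file paths, so everything can be tried on scratch copies first; only apply (run as root) changes the live system. Assumed, because the skill does not say: the gateway needs no root privileges, keeps its state under $HOME, is on root's PATH, and its state is moved to /var/lib/openclaw before the service is enabled; the drop-in directory is taken to sit next to the config file, and the script name harden.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not part of the skill: the page's steps as functions that take
# file paths, so each can be tried on scratch copies before "apply" runs them
# as root on the live host. Assumed (the skill does not say): the gateway needs
# no root privileges, keeps its state under $HOME and is on root's PATH.
set -eu
# Effective sshd port: first Port directive before any Match block, else 22.
ssh_listen_port() {
  awk 'tolower($1)=="match"{exit} tolower($1)=="port"&&!p{p=$2} END{print (p?p:22)}' "$1"
}
# True if the given home directory holds at least one public key.
has_authorized_key() {
  grep -qE '(^|[[:space:]])(ssh-(rsa|ed25519)|ecdsa-|sk-)' "$1/.ssh/authorized_keys" 2>/dev/null
}

# Set one global sshd option. sshd keeps the FIRST value it reads, and the
# Include at the top of Ubuntu 22.04+/Debian 12 configs pulls drop-ins in before
# the main file, so cloud-init's 50-cloud-init.conf overrides a sed edit of
# sshd_config. With Include: write a drop-in that sorts first. Without it:
# comment out existing lines and prepend the directive.
set_sshd_option() {
  cfg=$1; key=$2; val=$3; dir=$(dirname "$cfg")/sshd_config.d   # assumed include dir
  if grep -qE '^[[:space:]]*Include[[:space:]].*sshd_config\.d/' "$cfg"; then
    mkdir -p "$dir"; touch "$dir/00-hardening.conf"
    sed -i -E "/^[[:space:]]*$key[[:space:]]/d" "$dir/00-hardening.conf"
    printf '%s %s\n' "$key" "$val" >> "$dir/00-hardening.conf"
  else
    sed -i -E "s/^[[:space:]]*($key[[:space:]].*)/#\1/" "$cfg"
    sed -i "1i $key $val" "$cfg"
  fi
}
harden_sshd() {
  set_sshd_option "$1" PermitRootLogin prohibit-password
  set_sshd_option "$1" PasswordAuthentication no
}
# fail2ban overrides: read the journal (Debian 12 images ship without rsyslog,
# so /var/log/auth.log is missing and the sshd jail fails to start) and watch
# the real SSH port instead of assuming 22.
write_jail_local() {
  cat > "$1" <<EOF
[DEFAULT]
backend = systemd
bantime = 1h
[sshd]
enabled = true
port = $2
EOF
}

# 700 for a directory, 600 for a file (a credential file should not be
# executable); the parent directory is closed to other users either way.
fix_credential_perms() {
  if [ -d "$1" ]; then chmod 700 "$1"; else chmod 600 "$1"; fi
  chmod 700 "$(dirname "$1")"
  stat -c %a "$1"
}

# Unit for a dedicated service user: absolute ExecStart (systemd's PATH is not
# the login shell's) and a sandbox that leaves only the state directory writable.
write_gateway_unit() {
  cat > "$1" <<EOF
[Unit]
Description=OpenClaw Gateway
After=network-online.target
Wants=network-online.target
[Service]
User=$3
ExecStart=$2 gateway
WorkingDirectory=$4
Environment=HOME=$4
Restart=always
RestartSec=5
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=$4
[Install]
WantedBy=multi-user.target
EOF
}

apply() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
  home=$(getent passwd "${SUDO_USER:-root}" | cut -d: -f6)
  has_authorized_key "$home" || { echo "no key in $home/.ssh/authorized_keys, refusing" >&2; exit 1; }
  port=$(ssh_listen_port /etc/ssh/sshd_config)
  harden_sshd /etc/ssh/sshd_config
  sshd -t; systemctl restart ssh                    # set -e aborts on a bad config before the restart
  ufw default deny incoming; ufw default allow outgoing
  ufw limit "$port/tcp"; ufw --force enable         # limit = allow + rate limit
  apt-get install -y fail2ban
  write_jail_local /etc/fail2ban/jail.local "$port"; systemctl enable --now fail2ban; systemctl restart fail2ban
  if [ -e /root/.openclaw/credentials ]; then fix_credential_perms /root/.openclaw/credentials; fi
  bin=$(command -v openclaw) || { echo "openclaw not on PATH, skipping service" >&2; return 0; }
  id openclaw >/dev/null 2>&1 || useradd --system --home-dir /var/lib/openclaw --create-home --shell /usr/sbin/nologin openclaw
  write_gateway_unit /etc/systemd/system/openclaw-gateway.service "$bin" openclaw /var/lib/openclaw
  systemctl daemon-reload   # review the unit and move the state to /var/lib/openclaw, then: systemctl enable --now openclaw-gateway
}
if [ "${1:-}" = apply ]; then apply; fi
```

Exercise the functions against copies first (harden_sshd /tmp/sshd_config, write_gateway_unit /tmp/u.service /usr/local/bin/openclaw openclaw /var/lib/openclaw) and diff the results against the originals; only then run sh harden.sh apply as root from a session you keep open while you test a fresh key-based login.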

Lessons

  • On Ubuntu and Debian the SSH unit is ssh, not sshd (sshd is the RHEL-family name)
  • AWS security groups filter at the network edge; UFW on the host is defense-in-depth and still holds if a group rule is loosened later
  • Always verify key-based SSH access before disabling password auth
  • The gateway service is optional — only needed if OpenClaw should survive reboots

Host Hardening v1.0
Author: ppiankov
Copyright © 2026 ppiankov
Canonical source: https://clawhub.com/skills/host-hardening
License: MIT

This tool follows the Agent-Native CLI Convention. Validate with: clawhub install ancc && ancc validate .

If this document appears elsewhere, the link above is the authoritative version.
