Secure OpenClaw Installation: Lock Down All Ports

A step-by-step guide to installing OpenClaw on a VPS with maximum security. Configure your firewall, harden SSH, and isolate the gateway from the public internet.

February 8, 2026

Note: OpenClaw was previously known as MoltBot and Clawdbot. All CLI commands are interchangeable: openclaw, moltbot, clawdbot.

OpenClaw is a powerful AI assistant — but any server exposed to the internet is a potential attack surface. This guide walks you through setting up OpenClaw so that no ports are open to the outside world beyond the absolute minimum.

What You’ll End Up With

  • ✅ SSH on a non-standard port with key-only authentication (passwords disabled)
  • ✅ OpenClaw gateway bound to 127.0.0.1 (unreachable from outside)
  • ✅ Telegram/WhatsApp running over outbound connections only
  • ✅ UFW firewall with minimal rules
  • ✅ Fail2ban protecting against brute-force attacks

Requirements

  • A VPS running Ubuntu 22.04+ (DigitalOcean, Hetzner, or any provider)
  • A domain name (optional, only needed for webhooks)
  • Node.js 22+

Step 1: Initial Server Setup

Create a non-root user

# Connect as root
ssh root@your-server-ip

# Create a dedicated user
adduser clawbot
usermod -aG sudo clawbot

# Copy your SSH keys over
mkdir -p /home/clawbot/.ssh
cp ~/.ssh/authorized_keys /home/clawbot/.ssh/
chown -R clawbot:clawbot /home/clawbot/.ssh
chmod 700 /home/clawbot/.ssh
chmod 600 /home/clawbot/.ssh/authorized_keys

Harden SSH (change port, disable passwords)

sudo nano /etc/ssh/sshd_config

Set or update these values:

# Non-standard port
Port 2222
# No root login
PermitRootLogin no
# Keys only
PasswordAuthentication no
PubkeyAuthentication yes
# Only our user
AllowUsers clawbot

Then restart SSH to apply the changes:

sudo systemctl restart sshd

⚠️ Important: Do NOT close your current session! Open a second terminal and verify the new connection works before proceeding:

ssh -p 2222 clawbot@your-server-ip
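A restart with a wrong configuration is how people get locked out, so it pays to confirm that the settings are really in effect before restarting. On Ubuntu, sshd_config starts with an Include of /etc/ssh/sshd_config.d/*.conf and sshd keeps the first value it sees for each option, so a provider-supplied drop-in (cloud-init writes one on many VPS images) can silently override what you just typed. The script below is an added example, not part of this guide or of the OpenClaw project: it reads the effective configuration that `sshd -T` reports after all drop-ins are merged, compares it with the five values above, and only restarts when everything matches. The function name `check_sshd_effective` and the `CHECK_SSHD_LIVE` guard variable are this example's own.

```shell
#!/bin/sh
# Added example (not from the OpenClaw guide): confirm the SSH hardening is
# in effect before restarting. "sshd -T" prints the effective configuration
# after every Include'd drop-in has been merged, which is what sshd will use.

# Settings we expect, in the lowercase "key value" form that sshd -T prints.
EXPECTED='port 2222
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
allowusers clawbot'

# check_sshd_effective: read "sshd -T" output on stdin, report every expected
# setting that is missing or different, and return 0 only if all match.
check_sshd_effective() {
    dump=$(cat)
    rc=0
    old_ifs=$IFS
    IFS='
'
    for want in $EXPECTED; do
        key=${want%% *}
        if ! printf '%s\n' "$dump" | grep -qxF "$want"; then
            have=$(printf '%s\n' "$dump" | grep "^$key " | head -n 1)
            printf 'MISMATCH: want "%s", have "%s"\n' "$want" "${have:-<unset>}" >&2
            rc=1
        fi
    done
    IFS=$old_ifs
    return $rc
}

# Live mode (run as root): syntax-check, verify, then restart. Guarded by an
# environment variable so the function can be sourced and tested without sshd.
if [ "${CHECK_SSHD_LIVE:-0}" = 1 ]; then
    sshd -t || { echo 'sshd_config has syntax errors; not restarting' >&2; exit 1; }
    sshd -T | check_sshd_effective || {
        echo 'effective config differs; check /etc/ssh/sshd_config.d/*.conf' >&2
        exit 1
    }
    # "ssh" is the unit name on Ubuntu; "sshd" is an alias for it.
    systemctl restart ssh
    echo 'SSH restarted. From a SECOND terminal: ssh -p 2222 clawbot@your-server-ip'
fi
```

Run it as root with `CHECK_SSHD_LIVE=1 sh check-sshd.sh` (file name is your choice). One caveat for newer releases: from Ubuntu 22.10 on, SSH is socket-activated by default and the listening port comes from `ssh.socket`, not from `Port` in sshd_config. If `systemctl status ssh.socket` shows it active, either set the port on the socket unit or disable the socket and enable `ssh.service` instead; otherwise sshd keeps listening on 22 and the firewall rule for 2222 locks you out.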

Step 2: Configure the Firewall (UFW)

Set default rules

# Reset all existing rules
sudo ufw --force reset

# Block all incoming by default
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow only SSH on our custom port
sudo ufw allow 2222/tcp comment 'SSH'

# Enable and verify
sudo ufw enable
sudo ufw status verbose

Expected output:

Status: active

To                         Action      From
--                         ------      ----
2222/tcp                   ALLOW       Anywhere

Ports 80, 443 and 18789 stay closed: with Telegram in polling mode (Step 5), OpenClaw needs no inbound connections at all.


Step 3: Install OpenClaw

Install Node.js 22

curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
sudo apt-get install -y nodejs
node --version  # Should output v22.x.x

Install OpenClaw globally

npm install -g openclaw

Run the setup wizard

openclaw onboard

This will walk you through connecting your first messaging platform.


Step 4: Security Configuration

Edit the config file

nano ~/.openclaw/openclaw.yaml

Lock down the gateway:

gateway:
  host: "127.0.0.1"   # Localhost only — never 0.0.0.0
  port: 18789

security:
  requireConfirmation: true   # Ask before running shell commands
  allowedUsers: []            # Fill with your Telegram user IDs

Step 5: Configure Telegram (no open ports)

Use polling mode so no inbound port is required:

channels:
  telegram:
    enabled: true
    token: "YOUR_BOT_TOKEN"
    polling: true   # Outbound connection only — no port needed

Step 6: Run as a systemd Service

sudo nano /etc/systemd/system/openclaw.service

Unit file contents:

[Unit]
Description=OpenClaw AI Gateway
After=network.target

[Service]
Type=simple
User=clawbot
WorkingDirectory=/home/clawbot
ExecStart=/usr/bin/openclaw gateway
Restart=on-failure
RestartSec=10
Environment=NODE_ENV=production

[Install]
WantedBy=multi-user.target

Then enable and start the service:

sudo systemctl daemon-reload
sudo systemctl enable openclaw
sudo systemctl start openclaw
sudo systemctl status openclaw
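The unit above runs the gateway as an unprivileged user, which is the main thing, but systemd can also confine what that process can touch. The drop-in below is an added example, not part of the OpenClaw project or this guide; the directives are standard systemd.exec(5) sandboxing options, and the paths assume the unit as written (User=clawbot, config under /home/clawbot/.openclaw). It makes the whole filesystem read-only except the clawbot home directory, gives the service a private /tmp and /dev, and blocks privilege escalation, which also means any shell command the assistant runs cannot use sudo.

```ini
# /etc/systemd/system/openclaw.service.d/hardening.conf
# Added example, not part of the OpenClaw project: sandboxing for the unit
# above. Paths assume User=clawbot with config under /home/clawbot/.openclaw.
[Service]
# Cannot gain privileges via setuid/setgid binaries or file capabilities.
NoNewPrivileges=true
# Whole filesystem read-only except the listed paths.
ProtectSystem=strict
ReadWritePaths=/home/clawbot
# Private /tmp and /dev; no access to kernel tunables, modules or cgroups.
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictSUIDSGID=true
# Files the gateway creates are readable by clawbot only.
UMask=077
```

Apply it with `sudo systemctl daemon-reload && sudo systemctl restart openclaw`, then run `systemd-analyze security openclaw` to compare the exposure score before and after. If the gateway (or a command it runs) needs to write outside its home directory, `journalctl -u openclaw` will show "Read-only file system" errors; add that specific path to `ReadWritePaths=` rather than dropping `ProtectSystem=strict`.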

Step 7: Fail2ban for SSH Protection

sudo apt install fail2ban -y
sudo nano /etc/fail2ban/jail.local

Jail configuration:

[sshd]
enabled = true
port    = 2222
filter  = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime  = 3600

Then enable and start it:

sudo systemctl enable fail2ban
sudo systemctl start fail2ban
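To see what `maxretry = 3` means in practice, here is an added example (neither fail2ban's own code nor part of this guide) that applies the same idea to a few constructed auth.log lines: it counts, per source address, the sshd failure messages that fail2ban's sshd filter keys on and prints every address that has reached the threshold. Unlike fail2ban it ignores the `findtime` window and counts over the whole input. Note that with password authentication disabled, what you will mostly see are `Invalid user` and `Connection closed by ... [preauth]` lines rather than `Failed password`; the function name `count_ssh_failures` and the sample lines (RFC 5737 documentation addresses) are this example's own.

```shell
#!/bin/sh
# Added example (not fail2ban's code, not from the OpenClaw guide): count the
# sshd failure lines fail2ban's sshd filter keys on, per source address, and
# print the addresses that reached the jail's maxretry threshold.

# count_ssh_failures MAXRETRY: read auth.log lines on stdin, print "IP COUNT"
# for every address with at least MAXRETRY failures (default 3).
count_ssh_failures() {
    awk -v maxretry="${1:-3}" '
    /sshd\[[0-9]+\]: (Failed password|Invalid user|Connection closed by (authenticating|invalid) user)/ {
        ip = ""
        for (i = 1; i <= NF; i++) {
            # "Invalid user X from IP" / "Failed password ... from IP"
            if ($i == "from") { ip = $(i + 1); break }
            # "Connection closed by authenticating user X IP port N [preauth]"
            if ($i == "user" && $(i - 2) == "by") { ip = $(i + 2); break }
        }
        if (ip != "") hits[ip]++
    }
    END {
        for (a in hits)
            if (hits[a] >= maxretry) printf "%s %d\n", a, hits[a]
    }'
}

# Constructed sample in the syslog format sshd writes to /var/log/auth.log
# (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts).
SAMPLE_AUTH_LOG='Feb  8 10:01:02 vps sshd[1201]: Invalid user admin from 203.0.113.5 port 51000
Feb  8 10:01:03 vps sshd[1201]: Connection closed by invalid user admin 203.0.113.5 port 51000 [preauth]
Feb  8 10:01:09 vps sshd[1204]: Connection closed by authenticating user root 203.0.113.5 port 51002 [preauth]
Feb  8 10:01:15 vps sshd[1207]: Failed password for invalid user test from 203.0.113.5 port 51004 ssh2
Feb  8 10:02:40 vps sshd[1210]: Connection closed by authenticating user clawbot 198.51.100.7 port 40022 [preauth]
Feb  8 10:03:01 vps sshd[1213]: Accepted publickey for clawbot from 198.51.100.7 port 40024 ssh2'

# Demo on the sample. On a real host: journalctl -u ssh --no-pager | count_ssh_failures 3
printf '%s\n' "$SAMPLE_AUTH_LOG" | count_ssh_failures 3
```

On the sample this prints `203.0.113.5 4`: four failures from one address, one from the other, so only the first would be banned at `maxretry = 3`. One caveat on the jail itself: recent Ubuntu releases no longer install rsyslog by default, so /var/log/auth.log may not exist; in that case set `backend = systemd` in the jail so fail2ban reads the journal instead of `logpath`.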

Security Checklist

Run this to verify your setup:

# Check open ports
ss -tlnp

# Verify firewall rules
sudo ufw status verbose

# Check OpenClaw is bound to localhost only
ss -tlnp | grep 18789
# Should show: 127.0.0.1:18789

Expected result: only port 2222 is externally reachable. The OpenClaw gateway should only appear on 127.0.0.1.
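Eyeballing `ss -tlnp` works once, but the point of the checklist (and of the `host: "127.0.0.1"` setting in Step 4) is a rule you can re-check after every update: nothing may listen on a non-loopback address except SSH. The script below is an added example, not part of this guide or the OpenClaw project: it parses `ss -tlnp` output, handles the IPv4, IPv6 (`[::]:2222`) and scoped (`127.0.0.53%lo:53`) address forms, and fails with an `EXPOSED:` line for every listener that would be reachable from outside. The function name `audit_listeners` and the sample output are this example's own.

```shell
#!/bin/sh
# Added example (not from the OpenClaw guide): audit "ss -tlnp" output and
# flag any TCP listener reachable from outside, i.e. anything not bound to a
# loopback address, except the SSH port we deliberately expose.

# audit_listeners SSHPORT: read "ss -tlnp" output on stdin; print one
# "EXPOSED:" line per offending socket; return 0 only if nothing is exposed.
audit_listeners() {
    awk -v sshport="${1:-2222}" '
    NR == 1 || $1 != "LISTEN" { next }       # skip header and non-listeners
    {
        # $4 is "addr:port"; split at the last ":" so [::]:2222 works too.
        p = match($4, /:[0-9]+$/)
        addr = substr($4, 1, p - 1)
        port = substr($4, p + 1)
        gsub(/[][]/, "", addr)               # [::1] -> ::1
        sub(/%.*$/, "", addr)                # 127.0.0.53%lo -> 127.0.0.53
        if (port == sshport) next            # SSH is meant to be public
        if (addr == "::1" || addr ~ /^127\./) next   # loopback is fine
        printf "EXPOSED: port %s on %s %s\n", port, addr, $6
        exposed = 1
    }
    END { exit exposed ? 1 : 0 }'
}

# Constructed "ss -tlnp" output for a host in the guide's intended end state.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:2222        0.0.0.0:*         users:(("sshd",pid=712,fd=3))
LISTEN 0      128    [::]:2222           [::]:*            users:(("sshd",pid=712,fd=4))
LISTEN 0      511    127.0.0.1:18789     0.0.0.0:*         users:(("node",pid=1432,fd=20))
LISTEN 0      4096   127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=601,fd=14))'

# Demo on the sample. On the real host: sudo ss -tlnp | audit_listeners 2222
printf '%s\n' "$SAMPLE_SS" | audit_listeners 2222 && echo 'OK: only SSH is reachable from outside'
```

Had the gateway been started with `host: "0.0.0.0"`, the third line would read `0.0.0.0:18789` and the script would print `EXPOSED: port 18789 on 0.0.0.0 ...` and exit non-zero, which makes it easy to wire into a cron job or a post-deploy check. It only looks at TCP; run `ss -ulnp` through the same function if you also want UDP listeners covered.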


Troubleshooting

OpenClaw won’t start

journalctl -u openclaw -f

Telegram not connecting

# Test outbound connectivity
curl -s https://api.telegram.org/bot<TOKEN>/getMe

Locked out of SSH

If you get locked out, use your VPS provider’s console access to revert the SSH config.


Summary

You now have a fully locked-down OpenClaw deployment:

  • Zero unnecessary inbound ports
  • SSH hardened with key-only auth on a custom port
  • OpenClaw gateway accessible from localhost only
  • Automatic restarts via systemd
  • Brute-force protection via Fail2ban

Your AI assistant is up and running — and the attack surface is minimal.