# OpenClaw Server Security & Installation

## Overview

This skill guides the setup of a secure, self-hosted OpenClaw instance. It covers SSH hardening, firewall configuration, Tailscale VPN setup, and the OpenClaw installation itself.

## Workflow

### Phase 1: System Hardening

- 1. Lock down SSH
  - Goal: Keys only, no passwords, no root login.
  - Action: Modify `/etc/ssh/sshd_config`.
  - Commands:
    ```bash
    # Back up the config
    sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
    # Disable password authentication (matches the directive whether or not it is commented out)
    sudo sed -i 's/^#*PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
    # Disable root login
    sudo sed -i 's/^#*PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
    # Validate the config, then reload SSH
    sudo sshd -t && sudo systemctl reload ssh
    ```
  - Note: On Ubuntu, drop-in files under `/etc/ssh/sshd_config.d/` (cloud-init ships one) are included before the main file and the first value wins, so the edits above can be overridden. Confirm the effective values with `sudo sshd -T | grep -Ei 'passwordauthentication|permitrootlogin'`.
- 2. Default-deny Firewall
  - Goal: Block all incoming traffic by default.
  - Action: Install and enable UFW.
  - Commands:
    ```bash
    sudo apt update && sudo apt install ufw -y
    sudo ufw default deny incoming
    sudo ufw default allow outgoing
    sudo ufw enable
    ```
  - Note: If SSH has not yet been allowed on another interface, make sure you have console access or a fallback before enabling; Tailscale is configured next.
- 3. Brute-force Protection
  - Goal: Automatically ban IPs after failed login attempts.
  - Action: Install Fail2ban.
  - Commands:
    ```bash
    sudo apt install fail2ban -y
    sudo systemctl enable --now fail2ban
    ```

### Phase 2: Network Privacy (Tailscale)

- 4. Install Tailscale
  - Goal: Create a private VPN mesh network.
  - Commands:
    ```bash
    curl -fsSL https://tailscale.com/install.sh | sh
    sudo tailscale up
    ```
  - Wait for the user to authenticate via the Tailscale login link.
- 5. Configure SSH & Web via Tailscale
  - Goal: Allow traffic only from the Tailscale subnet (100.64.0.0/10) and remove public access.
  - Commands:
    ```bash
    # Allow SSH over Tailscale
    sudo ufw allow from 100.64.0.0/10 to any port 22 proto tcp
    # Remove public SSH access (adjust the rule name/number as needed)
    sudo ufw delete allow OpenSSH || sudo ufw delete allow 22/tcp
    # Allow the web ports over Tailscale
    sudo ufw allow from 100.64.0.0/10 to any port 443 proto tcp
    sudo ufw allow from 100.64.0.0/10 to any port 80 proto tcp
    ```
- 6. Disable IPv6 (Optional)
  - Goal: Reduce the attack surface.
  - Commands:
    ```bash
    sudo sed -i 's/IPV6=yes/IPV6=no/' /etc/default/ufw
    if ! grep -q 'net.ipv6.conf.all.disable_ipv6 = 1' /etc/sysctl.conf; then
        echo 'net.ipv6.conf.all.disable_ipv6 = 1' | sudo tee -a /etc/sysctl.conf
    fi
    sudo sysctl -p && sudo ufw reload
    ```
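A verification helper for Phases 1 and 2, added here as an example and not part of the original skill: it audits the effective sshd settings from `sshd -T` (which reflects drop-ins under `/etc/ssh/sshd_config.d/` that can override the sed edits above) and the live `ufw status verbose` output for any ALLOW rule still open to "Anywhere". The function names and the sample outputs are constructed for this example.

```shell
# Added example, not part of the original skill: audit the *effective* state
# after Phases 1-2 instead of trusting the sed/ufw commands. On Ubuntu, drop-ins
# under /etc/ssh/sshd_config.d/ (cloud-init ships one) override sshd_config, so
# the sed edit can silently leave passwords enabled. `sshd -T` prints the merged
# config and `ufw status verbose` the live rule set; audit those.
# Usage on the server: sudo sshd -T | audit_sshd; sudo ufw status verbose | audit_ufw

# Reads `sshd -T` output ("key value", lower-case keys) on stdin. Returns 0 when
# keys-only/no-root is in effect, otherwise 1 with one line per mismatch.
audit_sshd() {
    cfg=$(cat); rc=0
    for pair in passwordauthentication=no permitrootlogin=no pubkeyauthentication=yes; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(printf '%s\n' "$cfg" | awk -v k="$key" '$1 == k { print $2 }')
        if [ "$got" != "$want" ]; then
            printf 'MISMATCH %s: want %s, got %s\n' "$key" "$want" "${got:-unset}"
            rc=1
        fi
    done
    return $rc
}

# Reads `ufw status verbose` on stdin. Fails if incoming is not denied by default
# or an ALLOW IN rule still admits traffic from "Anywhere" (the public-SSH rule
# that step 5 is supposed to delete).
audit_ufw() {
    st=$(cat); rc=0
    printf '%s\n' "$st" | grep -q '^Default: deny (incoming)' \
        || { echo 'MISMATCH ufw: default incoming policy is not deny'; rc=1; }
    printf '%s\n' "$st" | awk '/ALLOW IN +Anywhere/ { print "PUBLIC RULE: " $0; bad = 1 }
                               END { exit bad + 0 }' || rc=1
    return $rc
}

# Constructed samples (not captured from a real host): "bad" = sed edited
# sshd_config but a drop-in re-enabled passwords, and public SSH is still open.
SSHD_BAD='permitrootlogin no
passwordauthentication yes
pubkeyauthentication yes'
SSHD_GOOD='permitrootlogin no
passwordauthentication no
pubkeyauthentication yes'
UFW_BAD='Default: deny (incoming), allow (outgoing), disabled (routed)
22/tcp                     ALLOW IN    100.64.0.0/10
22/tcp                     ALLOW IN    Anywhere'
UFW_GOOD='Default: deny (incoming), allow (outgoing), disabled (routed)
22/tcp                     ALLOW IN    100.64.0.0/10
443/tcp                    ALLOW IN    100.64.0.0/10'
```

Run both checks again after every change to the SSH or UFW configuration; a non-zero exit means the host is not yet in the state this skill targets.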
### Phase 3: OpenClaw Installation

- 7. Install OpenClaw
  - Commands:
    ```bash
    npm install -g openclaw && openclaw doctor
    ```
- 8. Configure Owner Access
  - Required Input: Ask the user for their Telegram ID.
  - Action: Update the config to allowlist only that ID.
  - JSON Config Target (verify the location via `openclaw doctor`):
    ```json
    {
      "dmPolicy": "allowlist",
      "allowFrom": ["YOUR_TELEGRAM_ID"],
      "groupPolicy": "allowlist"
    }
    ```
- 9. Secure Credentials
  - Goal: Restrict file permissions.
  - Commands:
    ```bash
    chmod 700 ~/.openclaw/credentials 2>/dev/null || true
    # .env is resolved relative to the current directory
    chmod 600 .env 2>/dev/null || true
    ```
- 10. Final Audit
  - Action: Run the built-in security audit.
  - Command:
    ```bash
    openclaw security audit --deep
    ```

## Verification Status

Run the following to confirm:
```bash
sudo ufw status verbose
ss -tulnp
tailscale status
openclaw doctor
```