Security guide

Manual: Private AI Server (Hardened VPS)

Guide for the secure installation and maintenance of OpenClaw (Clawdbot) on a hardened VPS.

Recommended procedure: system hardening, non-root user, firewall, key-based SSH, private perimeter (Tailscale), service persistence and automatic security updates.

⚠️ Execute the steps in the given order to avoid locking yourself out of the server.


Preparation and secure user

Create a non-root user before hardening access.

Create new user

Replace 'alex' with the desired username.

adduser alex  # Change 'alex' to your name
usermod -aG sudo alex

Copy SSH keys to new user

Run from your local machine.

ssh-copy-id alex@YOUR_SERVER_IP

Log in as the new user

Do not continue if the connection fails.

ssh alex@YOUR_SERVER_IP

System hardening

Firewall, automatic updates and SSH restriction.

Update and automate patches

sudo apt update && sudo apt upgrade -y
sudo apt install unattended-upgrades fail2ban -y
sudo dpkg-reconfigure -plow unattended-upgrades

Configure basic Firewall (UFW)

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw enable

Disable SSH passwords and root login

sudo nano /etc/ssh/sshd_config

# After editing the directives below, restart the service, then test a new login from a second terminal before closing this session:
sudo systemctl restart ssh

Locate and set the following directives (uncomment them if they are commented out). On systems whose sshd_config includes /etc/ssh/sshd_config.d/, a file there can override these values because sshd keeps the first occurrence of a keyword, so check the effective settings before restarting:

  • PasswordAuthentication no
  • PermitRootLogin no
  • PubkeyAuthentication yes

Private perimeter (Tailscale)

Restrict the server to the Tailscale private network.

Install Tailscale

curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up

Restrict SSH to private network only

# Allow traffic from Tailscale internal subnet
sudo ufw allow from 100.64.0.0/10 to any port 22 proto tcp

# Remove the rule that opened SSH to the whole world (first confirm, in a second session, that you can log in over the server's Tailscale address)
sudo ufw delete allow ssh

OpenClaw (Clawdbot) installation and persistence

Bot installation, credential permissions and PM2 automatic startup.

Install Node.js and PM2

curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash -
sudo apt install -y nodejs
sudo npm install -g pm2

Install and configure the Bot

npm install -g clawdbot
clawdbot doctor

Secrets permissions (Critical)

chmod 700 ~/.clawdbot/credentials
chmod 600 .env  # If using env file

Configure automatic startup

pm2 start clawdbot --name "ai-bot"
pm2 save
pm2 startup
# (Copy and paste the command the terminal returns)

Final audit

Verify hardening and exposed ports.

Run app audit

clawdbot security audit --deep

Verify open ports

In the "Local Address" column, sockets bound to all interfaces (0.0.0.0, [::] or *) should not appear on sensitive ports; the only exception is SSH, and only if the Private perimeter (Tailscale) section has not yet been applied.

sudo ufw status verbose
ss -tulnp | grep LISTEN
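A small audit helper, added here as an example and not part of the guide's or OpenClaw's own tooling, that checks the three sshd directives set above and the listener rule from this step against captured output. The `ss` sample inside it is constructed; on the server, feed the functions the real `sshd -T` and `ss -tulnp` output as shown in the comments.

```shell
#!/bin/sh
# Added audit helper for the "Final audit" step; not part of OpenClaw/Clawdbot.
# Both functions work on text, so they can be fed captured output on the server:
#   check_sshd "$(sudo sshd -T)"       # effective sshd config, one "key value" per line
#   check_listeners "$(ss -tulnp)"     # the same command the guide runs

# check_sshd: prints every directive that deviates from the hardened value and
# returns 1 if any does. Accepts raw sshd_config text or `sshd -T` output:
# keywords are compared case-insensitively, commented lines are ignored and
# the first occurrence wins, which is how sshd itself resolves duplicates.
check_sshd() {
    cfg=$(printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]')
    rc=0
    for want in "passwordauthentication no" "permitrootlogin no" "pubkeyauthentication yes"; do
        key=${want%% *}
        expect=${want#* }
        got=$(printf '%s\n' "$cfg" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ "$got" != "$expect" ]; then
            echo "FAIL: $key is '${got:-unset}', expected '$expect'"
            rc=1
        fi
    done
    return $rc
}

# check_listeners: takes `ss -tulnp` output and prints each socket bound to all
# interfaces (0.0.0.0, [::] or *). Port 22 is listed but tolerated, because the
# guide allows it until the Tailscale step closes it; any other such port makes
# the function return 1.
check_listeners() {
    printf '%s\n' "$1" | awk '
        NR > 1 && $5 ~ /^(0\.0\.0\.0|\[::\]|\*):/ {
            n = split($5, a, ":"); port = a[n]
            print $5
            if (port != "22") bad = 1
        }
        END { if (bad) exit 1; exit 0 }'
}

# Constructed sample of `ss -tulnp` output (not captured from a real server);
# the bot here listens only on loopback, SSH is still public on both IP stacks.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511    127.0.0.1:3000     0.0.0.0:*
tcp   LISTEN 0      128    [::]:22            [::]:*'

check_listeners "$SAMPLE_SS" && echo "OK: nothing but SSH is reachable from outside"
```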

Security summary achieved

Key-based access: exclusive access via private SSH key.

Private perimeter: server does not respond to external pings (outside Tailscale).

Updates and resilience: automatic patches and service restart on failure.

Least privilege: credentials and sensitive files with restricted permissions.
