Recent scans have revealed over 900 OpenClaw instances exposed publicly. If you are running OpenClaw, security isn't a "nice to have." It is a requirement.
The 6 Security Layers
- Network Isolation: Bind to 127.0.0.1, not 0.0.0.0.
- Firewall (UFW): Deny all, allow only SSH.
- Gateway Auth: Use long, random tokens.
- Fail2ban: Stop brute-force attacks.
- Auto-Updates: Patch your OS automatically.
- SSH Hardening: Disable passwords, use keys.
1. Network Isolation
The single biggest mistake is binding the gateway to 0.0.0.0, which listens on every interface, including the public one. Always bind to 127.0.0.1 so it is reachable only from the host itself:
OPENCLAW_GATEWAY_HOST=127.0.0.1
2. SSH Hardening
Disable password authentication in /etc/ssh/sshd_config:
PasswordAuthentication no
PubkeyAuthentication yes
3. The Docker Trap
Docker writes its own iptables rules for published ports, so a port published with a bare -p mapping is reachable from outside even when UFW denies everything by default. Always pin the host side of the mapping to 127.0.0.1:
docker run -p 127.0.0.1:8080:8080 openclaw/gateway
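The two binding checks above (layer 1 and the Docker trap) can be audited from the host. The helpers below are an added example, not part of the original article or of OpenClaw: exposed_listeners parses `ss -ltn` output (assumed to use the standard iproute2 columns State, Recv-Q, Send-Q, Local Address:Port) and reports every TCP listener bound to a wildcard address, and docker_mapping_is_loopback validates a `-p` value. The sample ss output is constructed.

```bash
# Added audit helpers, not part of the original article. exposed_listeners
# reads `ss -ltn` output (header optional) on stdin and prints "PORT HOST"
# for every TCP listener bound to a wildcard address, i.e. reachable on all
# interfaces; docker_mapping_is_loopback checks a `docker run -p` value.
exposed_listeners() {
    awk '
        $1 == "State"  { next }   # skip the header line if present
        $1 != "LISTEN" { next }
        {
            addr = $4                      # Local Address:Port column
            n    = split(addr, parts, ":")
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "0.0.0.0" || host == "*" || host == "[::]" || host == "::")
                print port " " host
        }'
}

# Exit 0 only when the host side of a -p mapping is pinned to 127.0.0.1
# (IP:HOSTPORT:CONTAINERPORT); plain HOSTPORT:CONTAINERPORT publishes on
# 0.0.0.0 and sidesteps the UFW default-deny policy.
docker_mapping_is_loopback() {
    case "$1" in
        127.0.0.1:*:*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Constructed sample of `ss -ltn` output: a gateway correctly bound to
# loopback, a service wrongly bound to 0.0.0.0, and sshd on all interfaces
# (expected: sshd is the one port UFW is meant to allow).
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    127.0.0.1:8080     0.0.0.0:*
LISTEN 0      128    0.0.0.0:3000       0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*'

# Run the listener check over the constructed sample; on a real host use:
#   ss -ltn | exposed_listeners
audit_sample() {
    printf '%s\n' "$SAMPLE_SS_OUTPUT" | exposed_listeners
}

audit_sample
```

Any port other than 22 in the output means a service is listening on an interface UFW is not guarding, which for OpenClaw means OPENCLAW_GATEWAY_HOST or a Docker -p mapping needs to be pinned to 127.0.0.1.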