NemoClam configures all of this automatically — UFW, fail2ban, SSH key-only auth, and auto security updates are active from the moment your instance launches.
Why OpenClaw security matters more than a web server
OpenClaw has system-level permissions. It can run terminal commands, read and write files, send emails, and make API calls — autonomously. A compromised OpenClaw instance is far more dangerous than a compromised web server. The attack surface includes your SSH credentials, your LLM API keys, your Telegram bot token, your email access, and any data your agent has processed.
1. SSH key authentication (critical)
# Generate an SSH key pair if you don't have one
ssh-keygen -t ed25519 -C "your@email.com"
# Copy public key to server
ssh-copy-id root@YOUR_SERVER_IP
# Disable password authentication. Ubuntu's sshd_config starts with
# "Include /etc/ssh/sshd_config.d/*.conf" and sshd keeps the first value it reads,
# so a "PasswordAuthentication yes" in one of those snippets would override this edit
sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
# Check the syntax and the effective setting before restarting, and keep your
# current session open until a new key-based login has succeeded
sshd -t && sshd -T | grep -i passwordauthentication
systemctl restart sshd
2. Firewall with UFW (critical)
apt-get install -y ufw
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh # port 22
ufw --force enable
# Verify
ufw status verbose
3. Fail2ban for SSH brute-force protection
apt-get install -y fail2ban
# Verify it's watching SSH
fail2ban-client status sshd
# Output: Status for jail: sshd — Currently banned: 0
4. Keep API keys secure
- Never commit ~/.openclaw/openclaw.json to Git — it contains your API keys and bot token
- Use environment variables for secrets rather than hardcoding them in config files
- Rotate API keys immediately if you suspect compromise
- Use separate API keys for your OpenClaw agent — not your main development key
5. Automatic security updates
apt-get install -y unattended-upgrades
dpkg-reconfigure --priority=low unattended-upgrades
# Verify configuration
cat /etc/apt/apt.conf.d/20auto-upgrades
6. Encrypted daily backups
# Back up agent memory, config, and skills daily. The archive is encrypted with
# gpg before it leaves the server: first put a strong passphrase in
# /root/.openclaw-backup-pass (chmod 600; the path is only a convention used here)
# and keep a copy of it off this server, or the backups cannot be restored.
cat > /opt/openclaw-backup.sh << 'EOF'
#!/bin/bash
set -euo pipefail
DATE=$(date +%Y%m%d)
OUT=/tmp/oc-backup-$DATE.tar.gz.gpg
tar -czf - "$HOME/.openclaw" /opt/openclaw/memory /opt/openclaw/skills \
  | gpg --batch --yes --symmetric --cipher-algo AES256 \
        --passphrase-file /root/.openclaw-backup-pass -o "$OUT"
# Upload to object storage (configure s3cmd first); because of set -e a failed
# upload stops the script before the local copy is removed
s3cmd put "$OUT" s3://YOUR_BUCKET/
rm -f "$OUT"
EOF
chmod +x /opt/openclaw-backup.sh
(crontab -l 2>/dev/null; echo "0 17 * * * /opt/openclaw-backup.sh") | crontab -
Security checklist summary
- SSH key authentication enabled, password auth disabled
- UFW firewall active, only SSH allowed inbound
- Fail2ban watching SSH login attempts
- Automatic security updates configured
- API keys not committed to version control
- Daily encrypted backups to remote storage
- OpenClaw running on dedicated VPS (not your main machine)
- Health check endpoint restricted to localhost only
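The first four items on this list can be checked rather than assumed. The script below is an added example (not NemoClam's or OpenClaw's code): it parses the sshd and apt config files directly, reading them in the order sshd does, and assumes the Ubuntu default paths under /etc and that the Include line sits at the top of sshd_config.

```shell
#!/bin/sh
# Hardening checks for the list above (added example, not NemoClam's or OpenClaw's code).
# sshd keeps the FIRST value it reads for a keyword, and Ubuntu's sshd_config begins with
# "Include /etc/ssh/sshd_config.d/*.conf", so a snippet there (cloud-init writes one on
# some images) can silently override the sed edit; the checks below read the files in
# sshd's order instead of trusting the edit. Paths under /etc are the Ubuntu defaults.

# Print the effective value of KEYWORD from the global section of FILE..., in the
# order sshd reads them (a Match block ends the global section of that file).
sshd_effective() {
  key=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
  awk -v key="$key" '
    /^[[:space:]]*(#|$)/   { next }                       # comment or blank line
    tolower($1) == "match" { nextfile }                   # rest of file is per-user/host
    tolower($1) == key     { print tolower($2); exit }    # first value wins
  ' "$@"
}

# Succeeds only if password logins are effectively off (sshd defaults to yes).
ssh_password_auth_disabled() {
  v=$(sshd_effective PasswordAuthentication "$@")
  [ "${v:-yes}" = "no" ]
}

# Succeeds if 20auto-upgrades turns on both the list refresh and unattended upgrades.
auto_upgrades_enabled() {
  grep -Eq '^[[:space:]]*APT::Periodic::Update-Package-Lists[[:space:]]+"1";' "$1" &&
  grep -Eq '^[[:space:]]*APT::Periodic::Unattended-Upgrade[[:space:]]+"1";' "$1"
}

# Run every check against the live host; one line per check, exit 1 if any fails.
verify_host() {
  set -- ; for f in /etc/ssh/sshd_config.d/*.conf /etc/ssh/sshd_config; do
    [ -f "$f" ] && set -- "$@" "$f"; done
  rc=0
  ssh_password_auth_disabled "$@" && echo "OK   ssh: password auth disabled" \
    || { echo "FAIL ssh: password auth still effective"; rc=1; }
  auto_upgrades_enabled /etc/apt/apt.conf.d/20auto-upgrades 2>/dev/null \
    && echo "OK   apt: unattended-upgrades enabled" \
    || { echo "FAIL apt: unattended-upgrades not enabled"; rc=1; }
  ufw status 2>/dev/null | grep -q '^Status: active' && echo "OK   ufw: active" \
    || { echo "FAIL ufw: inactive"; rc=1; }
  fail2ban-client status sshd >/dev/null 2>&1 && echo "OK   fail2ban: sshd jail up" \
    || { echo "FAIL fail2ban: sshd jail missing"; rc=1; }
  return $rc
}
```

Source the file and run `verify_host` as root on the VPS; the sshd check is the one the sed edit alone cannot give you.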