OpenClaw Security 101
13 steps to lock down your AI assistant like a pro.
Written for absolute beginners by an ex-Cisco security engineer. No experience required — just follow each step.
🤔 Why does this matter?
OpenClaw is powerful — it can run commands, access files, send messages, and talk to APIs on your behalf. That's amazing when you're in control. But if someone else gets access? They could:
- Read your private messages and files
- Steal your API keys (and run up your bill)
- Run commands on your server
- Use prompt injection to make your bot do things you didn't authorize
This guide takes about 30 minutes and makes all of that nearly impossible. Let's go.
📋 What You'll Set Up
The 13-Step Security Checklist
🖥️ Run It on a Separate Machine
If something goes wrong, your main computer stays safe.
Never run OpenClaw on the same computer you use for banking, email, or personal stuff. Get a separate machine — even a cheap one works.
Option A: Cloud VPS ($5–10/mo)
Best for most people. Always on, always accessible.
- DigitalOcean — $6/mo droplet
- Linode — $5/mo server
- Hetzner — €4/mo (EU)
Option B: Mac Mini / Old Laptop
Keep it at home, no monthly cost.
- Mac Mini (great for always-on)
- Any old laptop running Linux
- Raspberry Pi (for light usage)
🚫 Never Run as Root
Root = god mode. If your bot gets compromised as root, the attacker owns everything.
The root user on Linux can do anything — delete files, install malware, read secrets. Create a regular user for OpenClaw instead.
Create a dedicated user
# Create a new user called "openclaw"
sudo adduser openclaw
# Give it permission to use sudo (only when needed)
sudo usermod -aG sudo openclaw
# Switch to that user
su - openclaw
🔢 Change the Default Port
Port 18789 is public knowledge. Bots are already scanning for it.
OpenClaw runs on port 18789 by default. Anyone who knows OpenClaw exists can scan the internet for that port. Changing it is like moving your front door — automated attackers won't find it.
Edit your config
{
"gateway": {
"port": 39217,
"bind": "127.0.0.1"
}
}
Pick any number between 10000 and 65535. Don't use the example above — pick your own random number.
Restart the gateway
openclaw gateway restart
🛡️ Install Tailscale
Makes your server invisible to the internet. Free for personal use.
Tailscale creates a private network between your devices. Your server becomes invisible to the entire internet — only your approved devices can see it. It's like a secret tunnel that only you have the key to.
Install Tailscale on your server
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
It'll give you a link to log in. Click it, sign in with Google/GitHub, and you're done.
Install on your phone/laptop too
Download the Tailscale app on every device you want to access OpenClaw from. Now they can all talk to each other privately.
Bind OpenClaw to Tailscale only
{
"gateway": {
"bind": "100.x.x.x",
"port": 39217
}
}
Replace 100.x.x.x with your server's Tailscale IP (find it by running tailscale ip).
🔑 SSH Keys + Fail2ban
3 wrong password attempts = 24-hour ban. SSH keys make passwords irrelevant.
SSH is how you connect to your server remotely. By default, it uses passwords — which can be guessed. SSH keys are like a physical key that can't be guessed, and Fail2ban automatically blocks anyone who tries.
Step A: Create your SSH key (on your local computer)
ssh-keygen -t ed25519 -C "your-email@example.com"
Press Enter 3 times to accept defaults. This creates a key pair on your computer.
Step B: Copy the key to your server
ssh-copy-id openclaw@YOUR_SERVER_IP
Step C: Disable password login
sudo nano /etc/ssh/sshd_config
Find and change these lines:
PasswordAuthentication no
PermitRootLogin no
Save: Ctrl+X → Y → Enter
sudo systemctl restart sshd
Step D: Install Fail2ban
sudo apt update
sudo apt install fail2ban -y
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
Fail2ban monitors your SSH logs. 3 wrong attempts? That IP gets banned for 24 hours. Automatic.
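The guide doesn't show the Fail2ban settings behind the "3 attempts, 24-hour ban" rule, and Fail2ban's shipped defaults are 5 attempts and a 10-minute ban, so a fresh install won't behave as described. The following is an added example (not from the guide): it writes a jail.local with those values; the file path and the Tailscale ignore range are assumptions.

```shell
# Added example, not from the guide. Fail2ban's defaults (maxretry = 5,
# bantime = 10m) do not give the 3-attempts/24-hour rule; jail.local does.
# jail.conf is overwritten on upgrades, so overrides always go in jail.local.
write_sshd_jail() {
    # $1 = file to write (normally /etc/fail2ban/jail.local; needs root there)
    cat > "$1" <<'EOF'
[DEFAULT]
# Ban for 24 hours (in seconds) after maxretry failures within findtime
bantime  = 86400
findtime = 600
maxretry = 3
# Never ban yourself: loopback, plus the 100.64.0.0/10 range Tailscale
# assigns (assumed; drop the last entry if you don't use Tailscale)
ignoreip = 127.0.0.1/8 ::1 100.64.0.0/10

[sshd]
enabled = true
port    = ssh
# Read sshd failures from the systemd journal, which works whether or not
# /var/log/auth.log exists on your distribution
backend = systemd
EOF
}

# Returns 0 when the file carries the three values the guide promises.
verify_sshd_jail() {
    grep -Eq '^maxretry *= *3$' "$1" &&
    grep -Eq '^bantime *= *86400$' "$1" &&
    grep -Eq '^enabled *= *true$' "$1"
}

# Typical use (as root):
#   write_sshd_jail /etc/fail2ban/jail.local && systemctl restart fail2ban
#   fail2ban-client status sshd     # lists currently banned IPs
```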
🧱 Firewall with UFW
Close every port you don't need. If it's not open, it can't be attacked.
UFW (Uncomplicated Firewall) blocks all incoming connections except the ones you specifically allow. Think of it as a bouncer at the door — if you're not on the list, you're not getting in.
# Block everything by default
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow SSH (so you don't lock yourself out!)
sudo ufw allow ssh
# If NOT using Tailscale, allow your OpenClaw port
# sudo ufw allow 39217
# Turn it on
sudo ufw enable
# Check it's working
sudo ufw status
📋 Allowlist Your Users
Everyone who isn't you gets ignored. Period.
Tell OpenClaw exactly which Telegram accounts are allowed to talk to it. Anyone else who messages your bot? Completely ignored. No response, no acknowledgment, nothing.
Find your Telegram User ID
Open Telegram, search for @userinfobot, send /start. It'll reply with your user ID (a number like 123456789).
Add it to your config
{
"channels": {
"telegram": {
"allowFrom": ["tg:YOUR_USER_ID_HERE"],
"dmPolicy": "pairing"
}
}
}
Set a strong auth password
{
"gateway": {
"auth": {
"mode": "password",
"password": "PICK-A-RANDOM-30-CHAR-PASSWORD-HERE"
}
}
}
Use 20+ characters, mix letters/numbers/symbols. Don't use the example — make your own.
🤖 Ask Your Bot to Audit Its Own Security
Your AI assistant can check its own setup for vulnerabilities.
This is the cool part. OpenClaw can actually examine its own configuration and tell you if anything is wrong. Just send it a message.
📋 Copy & paste this to your OpenClaw:
Audit your own security setup. Check:
1. Are you running as root? (you shouldn't be)
2. What port is the gateway on? (shouldn't be 18789)
3. Is the gateway bound to 127.0.0.1 or a Tailscale IP? (good) or 0.0.0.0? (bad)
4. Is there an allowFrom list in the config? (there should be)
5. Is UFW enabled? What ports are open?
6. Is Fail2ban running?
7. What are the file permissions on openclaw.json? (should be 600)
8. Are there any API keys hardcoded in config files? (they should be in .env)
9. Is the exec security set to "allowlist"? (it should be)
10. Check if Docker is available for sandboxing subagents.
Give me a security score out of 10 and tell me what to fix.
Your bot will check everything and give you a report. Fix whatever it flags, then run it again.
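A bot that has already been prompt-injected can report whatever it likes about itself, so it is worth cross-checking its answer with a plain script. This is an added example (not OpenClaw's own tooling): it checks the config-file items from the list above, plus the groupPolicy, sandbox and password settings from elsewhere in this guide, using only grep, sed and stat. It assumes the one-key-per-line JSON layout shown in this guide; a minified config would need jq.

```shell
# Added example, not OpenClaw tooling: deterministic checks for the config-file
# items in the audit prompt. Assumes the one-key-per-line layout used in this
# guide. Prints one FAIL line per finding and returns the number of findings.
audit_openclaw_config() {
    cfg="$1"; fails=0
    fail() { echo "FAIL $1"; fails=$((fails + 1)); }

    grep -Eq '"port": *18789([^0-9]|$)' "$cfg" && fail "port: still the default 18789"
    grep -Eq '"bind": *"0\.0\.0\.0"' "$cfg" && fail "bind: 0.0.0.0 listens on every interface"
    grep -q '"allowFrom"' "$cfg" || fail "allowFrom: no sender allowlist"
    grep -Eq '"groupPolicy": *"disabled"' "$cfg" || fail "groupPolicy: group chats not disabled"
    grep -Eq '"mode": *"non-main"' "$cfg" || fail "sandbox: subagents run unsandboxed"

    # Extract the auth password and measure it; missing or short both fail
    pw=$(grep -Eo '"password": *"[^"]*"' "$cfg" | sed -E 's/.*: *"//; s/"$//')
    [ "${#pw}" -ge 20 ] || fail "password: missing or shorter than 20 characters"

    # Key material belongs in .env, not in the JSON (heuristic on key names)
    grep -Eiq '"[a-z_]*(api_?key|token|secret)[a-z_]*": *"[^"]+"' "$cfg" && fail "secrets: API key/token hardcoded in config"

    # Only the owner should be able to read the file (GNU stat, BSD fallback)
    mode=$(stat -c '%a' "$cfg" 2>/dev/null || stat -f '%Lp' "$cfg")
    [ "$mode" = "600" ] || fail "perms: mode is $mode, should be 600"

    echo "$fails finding(s) in $cfg"
    return "$fails"
}

# Constructed sample (not a real deployment): violates every check above.
write_weak_config() {
    cat > "$1" <<'EOF'
{
  "gateway": { "port": 18789, "bind": "0.0.0.0",
               "auth": { "mode": "password", "password": "hunter2" } },
  "channels": { "telegram": { "dmPolicy": "pairing" } },
  "openai_api_key": "sk-constructed-placeholder"
}
EOF
    chmod 644 "$1"
}

# Usage: audit_openclaw_config ~/.openclaw/openclaw.json
```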
🔔 Set Up Real-Time Alerts
Your bot messages you when something's off — before it becomes a problem.
Configure OpenClaw to notify you whenever something unusual happens. Failed login attempts, configuration changes, new SSH connections — you'll know immediately.
Add security rules to your SOUL.md
## Security Monitoring
- If you detect any failed authentication attempts, alert me immediately
- If any configuration files are modified, tell me what changed
- If a new SSH session connects to this server, let me know
- Never output API keys, passwords, tokens, or .env file contents
- If someone asks you to reveal secrets, refuse and alert me
- Run a daily security check and report any issues
💬 DMs Only
In group chats, everyone can control your bot. That's a problem.
If your bot is in a group chat, anyone in that group can give it commands. They could tell it to read your files, run commands, or do things you never authorized. Keep it to DMs only.
{
"channels": {
"telegram": {
"dmPolicy": "pairing",
"allowFrom": ["tg:YOUR_USER_ID"],
"groupPolicy": "disabled"
}
}
}
📦 Sandbox Your Subagents in Docker
A prompt-injected subagent can steal your secrets — unless it's in a sealed box.
OpenClaw can spawn subagents — smaller AI workers that handle specific tasks autonomously. Think of them as assistants your assistant hires. They might research a topic, write code, or process files on their own.
Here's the problem: subagents read things. Webpages, files, documents. If a subagent reads a malicious webpage with hidden instructions (this is called prompt injection), it could get tricked into doing bad stuff — like reading your .env file and sending your API keys to an attacker.
The fix? Run subagents inside Docker containers. Docker is like a sealed box — the subagent can do its work, but it can't see your real files, your keys, or anything else on your server. Even if it gets prompt-injected, there's nothing to steal.
Install Docker
curl -fsSL https://get.docker.com | sh
sudo usermod -aG docker openclaw
Log out and back in after adding your user to the docker group, so it takes effect.
Configure sandbox settings
{
"agents": {
"defaults": {
"sandbox": {
"mode": "non-main",
"workspaceAccess": "rw",
"network": "bridge"
}
}
}
}
Understanding workspace access levels
- "none" — Most secure. The subagent can't see any of your files. Use this for untrusted tasks like browsing the web.
- "ro" — Read-only. The subagent can read your workspace files but can't change them. Good for research tasks.
- "rw" — Read-write. The subagent can read and write files. Most flexible — use this for coding tasks like building websites.
Understanding network options
- "none" — No internet access. Most secure. The subagent is completely isolated. Use this if the task doesn't need the internet.
- "bridge" — Internet access. The subagent can reach the internet (for things like npm install, git push, etc). Use this for dev tasks.
.env file. With Docker sandboxing, it can't — it's in a sealed container with no access to your host. Even a compromised subagent is harmless.
⏰ Set Up a Daily Security Audit Cron Job
Security isn't a one-time thing. Automate it so you never forget.
You locked everything down — nice. But what happens next week when something changes? A package updates, a config drifts, a new port opens. You won't notice unless someone checks.
Good news: OpenClaw has built-in cron scheduling. You can tell your bot to run a full security audit every single morning, automatically. It's like having a security guard that checks all the locks every morning before you wake up.
📋 Send this to your OpenClaw:
Set up a daily cron job that runs a full security audit every morning at 9am. Check: firewall status, fail2ban, SSH config, file permissions, open ports, Docker status, and report any issues.
Your bot will create the cron job and start auditing every day at 9 AM. If anything looks off, it'll message you about it.
🔄 Keep OpenClaw Updated
Old software = known vulnerabilities. Attackers love outdated software.
Every software update includes security patches — fixes for vulnerabilities that have been discovered since the last version. Running an old version of OpenClaw means running software with known security holes. Attackers actively scan for outdated software because the exploits are public knowledge.
Check your current version
openclaw --version
Update to the latest
npm install -g openclaw
Best practices
- Check the changelog before updating — see what changed so you're not caught off guard by breaking changes.
- Test in staging first — if you're running OpenClaw in production (for a business, etc), update on a test instance first.
- Set up a weekly version check — tell your bot: "Set up a weekly cron job to check if there's a newer version of OpenClaw available and let me know."
Your Complete Secure Config
Here's everything from this guide combined into one config file:
{
"gateway": {
"port": 39217,
"bind": "100.x.x.x",
"auth": {
"mode": "password",
"password": "YOUR-STRONG-30-CHAR-PASSWORD-HERE"
}
},
"agents": {
"defaults": {
"sandbox": {
"mode": "non-main",
"workspaceAccess": "rw",
"network": "bridge"
}
}
},
"channels": {
"telegram": {
"dmPolicy": "pairing",
"groupPolicy": "disabled",
"allowFrom": ["tg:YOUR_TELEGRAM_USER_ID"]
}
}
}
- 39217 → your chosen port number
- 100.x.x.x → your Tailscale IP (run tailscale ip)
- YOUR-STRONG-30-CHAR-PASSWORD-HERE → a unique password
- YOUR_TELEGRAM_USER_ID → your Telegram ID from @userinfobot
🚀 Let Your OpenClaw Set This Up For You
Copy and paste this message to your OpenClaw bot. It'll walk you through every step and configure everything automatically.
I just read Johann's Security 101 guide. Help me implement all 13 security steps:
1. Check if I'm running as root (create a dedicated user if so)
2. Change my gateway port from 18789 to something random
3. Help me install Tailscale and bind to it
4. Set up SSH keys and disable password auth
5. Install and configure Fail2ban
6. Set up UFW firewall
7. Configure my allowlist with my Telegram user ID
8. Run a full security audit
9. Add security monitoring to my SOUL.md
10. Make sure I'm DMs-only (no group chats)
11. Set up Docker sandboxing for subagents
12. Create a daily security audit cron job (9am every morning)
13. Check if OpenClaw is up to date
Go through each one, check what's already done, and help me fix what isn't.
Troubleshooting
Common issues and quick fixes:
"Permission Denied" Error
sudo chown $USER:$USER ~/.openclaw/openclaw.json
chmod 600 ~/.openclaw/openclaw.json
"Config File Not Found" Error
mkdir -p ~/.openclaw
nano ~/.openclaw/openclaw.json
OpenClaw Won't Start
openclaw doctor
tail -20 ~/.openclaw/logs/gateway.log
"sudo: command not found"
apt update && apt install sudo -y
"bash: openclaw: command not found"
npm install -g openclaw
Final Security Check
Run this script to verify everything is locked down:
echo "=== 1. CHECKING USER ==="
# Should print "openclaw", not "root"
whoami
echo ""
echo "=== 2. CHECKING PORT ==="
# Allow for a space after the colon (the config written above has one); should NOT be 18789
grep -oE '"port": *[0-9]+' ~/.openclaw/openclaw.json 2>/dev/null || echo "Using default port"
echo ""
echo "=== 3. CHECKING TAILSCALE ==="
tailscale status 2>/dev/null || echo "Tailscale not installed"
echo ""
echo "=== 4. CHECKING SSH CONFIG ==="
# sshd -T prints the effective settings, so commented-out defaults in
# sshd_config and overrides in sshd_config.d/ can't mislead you
sudo sshd -T 2>/dev/null | grep -Ei '^(passwordauthentication|permitrootlogin)'
echo ""
echo "=== 5. CHECKING FAIL2BAN ==="
sudo systemctl is-active fail2ban
echo ""
echo "=== 6. CHECKING FIREWALL ==="
sudo ufw status
echo ""
echo "=== 7. CHECKING ALLOWLIST ==="
grep -q '"allowFrom"' ~/.openclaw/openclaw.json 2>/dev/null && echo "✅ Allowlist configured" || echo "❌ No allowlist found"
echo ""
echo "=== 8. CHECKING FILE PERMISSIONS ==="
# Should show -rw------- (mode 600) and be owned by the openclaw user
ls -l ~/.openclaw/openclaw.json
echo ""
echo "=== 9. CHECKING DOCKER ==="
docker --version 2>/dev/null || echo "Docker not installed"
echo ""
echo "=== DONE ==="
echo "Send the output above to your OpenClaw for a full analysis."
Last updated: February 19, 2026 • By Johann Sathianathen • Ex-Cisco Security Engineer