OpenClaw is only as safe as the VPS it runs on. This article walks through a practical “secure-by-default” baseline for a Hetzner Cloud VM: deny-by-default inbound at the cloud perimeter, mirror that posture on the host with UFW, enforce SSH key-only access for an unprivileged sudo user, and add fail2ban to cut down on the noise of repeated failed logins from the internet.
TL;DR checklist
- Hetzner Cloud Firewall: deny inbound by default; allow SSH only (prefer allowlisting)
- UFW: deny incoming; allow outgoing; allow SSH
- SSH: non-root sudo user; key-only; no root login
- fail2ban: enable sshd jail (defence-in-depth)
- Unattended security updates enabled; agree on a reboot habit
- Keep admin surfaces private (loopback/private/Tailscale) unless deliberately hardened and exposed
1) Deny-by-default at the perimeter (Hetzner Cloud Firewall)
Create a Cloud Firewall and attach it to your OpenClaw server. For a baseline, allow inbound only on TCP 22 (SSH), and restrict the source to your trusted IPs.
If your home IP changes often, prefer a private network like Tailscale (or WireGuard) for admin access instead of chasing allowlist updates.
Reference: https://docs.hetzner.com/cloud/firewalls/overview/
2) Mirror the posture on the host (UFW)
sudo apt update
sudo apt install -y ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp
sudo ufw enable
sudo ufw status verbose
3) SSH keys only (and no root login)
Create a dedicated sudo user and install your public key:
sudo adduser claw
sudo usermod -aG sudo claw
Before disabling passwords, open a second terminal and confirm you can log in with your key.
Then harden /etc/ssh/sshd_config and validate before reloading:
PasswordAuthentication no
PermitRootLogin no
AllowUsers claw
sudo sshd -t && sudo systemctl reload ssh
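`sshd -t` only checks syntax, and sshd keeps the first value it reads for each keyword, so a drop-in under /etc/ssh/sshd_config.d/ can leave password logins enabled even after the edit above. The script below is an added example, not part of the original article: it audits the effective settings printed by `sshd -T` against this baseline. The function names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): audit the *effective* sshd settings
# against the step 3 baseline. On the server: sudo sshd -T | audit_sshd claw

# Reads `sshd -T` style "keyword value" lines on stdin; $1 is the admin user.
# Prints one line per finding; returns 0 only if all three settings match.
audit_sshd() {
    awk -v user="$1" '
        { key = tolower($1) }
        key == "passwordauthentication" { pa = tolower($2) }
        key == "permitrootlogin"        { prl = tolower($2) }
        key == "allowusers"             { for (i = 2; i <= NF; i++) { seen[$i] = 1; n++ } }
        END {
            bad = 0
            if (pa != "no")  { print "FAIL passwordauthentication=" (pa == "" ? "(unset)" : pa); bad = 1 }
            if (prl != "no") { print "FAIL permitrootlogin=" (prl == "" ? "(unset)" : prl); bad = 1 }
            if (!(user in seen)) { print "FAIL allowusers does not include " user; bad = 1 }
            else if (n > 1)  { print "FAIL allowusers lists " n " accounts, expected only " user; bad = 1 }
            if (!bad) print "OK key-only, no root login, allowusers=" user
            exit bad
        }'
}

# Constructed sample: `sshd -T` output when the step 3 settings are in effect.
sample_hardened() {
    printf '%s\n' 'port 22' 'permitrootlogin no' 'pubkeyauthentication yes' \
        'passwordauthentication no' 'allowusers claw'
}

# Constructed sample: an earlier-loaded drop-in still sets
# PasswordAuthentication yes, so the edit to sshd_config never took effect.
sample_overridden() {
    printf '%s\n' 'port 22' 'permitrootlogin no' 'pubkeyauthentication yes' \
        'passwordauthentication yes' 'allowusers claw'
}

# Demo on the constructed samples; "|| true" keeps the script exit status clean.
sample_hardened   | audit_sshd claw || true
sample_overridden | audit_sshd claw || true
```

Run it after the reload and before closing your existing session, so a failed check can still be fixed from the terminal you already have open.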
4) fail2ban (reduce noise and repeated failures)
sudo apt install -y fail2ban
sudo systemctl enable --now fail2ban
sudo fail2ban-client status sshd
5) Patch hygiene (unattended upgrades)
sudo apt install -y unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades