OpenClaw VPS Hardening Checklist (Practical, Copy/Paste)

Updated: 2026-03-21 • Category: VPS / OpenClaw

Direct answer: If you run OpenClaw on a public VPS, harden it in this order: SSH keys (no passwords), firewall (open only what you use), automatic security updates, fail2ban, then expose OpenClaw via HTTPS reverse proxy (prefer binding OpenClaw to 127.0.0.1).

What this checklist assumes

  • Ubuntu/Debian VPS with sudo
  • You can SSH into the box
  • You want a secure baseline, not a PhD in threat models

Fast path: copy/paste baseline (safe defaults)

This gives you a decent baseline quickly. You will still need to edit sshd_config and (optionally) add a reverse proxy later.

# 0) update packages
sudo apt update
sudo apt -y upgrade

# 1) basic firewall
sudo apt install -y ufw
sudo ufw allow OpenSSH
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw --force enable
sudo ufw status

# 2) fail2ban (SSH brute-force noise reducer)
sudo apt install -y fail2ban
sudo systemctl enable --now fail2ban
sudo fail2ban-client status

# 3) unattended security updates
sudo apt install -y unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades

Step 1 — SSH: keys only, no root, no password login

Most VPS compromises start with boring stuff. Fix boring stuff first.

  1. Create a non-root user (if you do not already have one).
  2. Add your SSH public key.
  3. Disable password auth and root login.

# create a user (pick your own username)
sudo adduser claw
sudo usermod -aG sudo claw

# on the VPS: add your key
sudo -u claw mkdir -p /home/claw/.ssh
sudo -u claw chmod 700 /home/claw/.ssh
sudo -u claw nano /home/claw/.ssh/authorized_keys
sudo -u claw chmod 600 /home/claw/.ssh/authorized_keys

Edit /etc/ssh/sshd_config:

PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes

Then restart SSH:

sudo systemctl restart ssh
sudo systemctl status ssh --no-pager

Pitfall: do not close your current SSH session until you confirm you can log in with the new user + key in a fresh session.
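
An added check for this step (not part of the original checklist): sshd keeps the first value it reads for each keyword, so on images whose sshd_config begins with an Include of /etc/ssh/sshd_config.d/*.conf, a drop-in there can leave password login enabled despite your edit. The function name `check_sshd_effective` and the sample input are constructed for illustration; the function reads `sshd -T` style output and compares it with the three settings above.

```shell
#!/usr/bin/env bash
# Added example: verify the *effective* sshd settings, not just the file you edited.
# Input on stdin: `sshd -T` style lines ("keyword value").
# On the VPS: sudo sshd -t && sudo sshd -T | check_sshd_effective

check_sshd_effective() {
  awk '
    BEGIN {
      # Values this checklist sets in /etc/ssh/sshd_config
      want["permitrootlogin"]        = "no"
      want["passwordauthentication"] = "no"
      want["pubkeyauthentication"]   = "yes"
    }
    {
      key = tolower($1)
      if (key in want) seen[key] = tolower($2)
    }
    END {
      bad = 0
      for (k in want) {
        if (!(k in seen))            { printf "MISSING %s (want %s)\n", k, want[k]; bad = 1 }
        else if (seen[k] != want[k]) { printf "FAIL    %s = %s (want %s)\n", k, seen[k], want[k]; bad = 1 }
        else                         { printf "OK      %s = %s\n", k, seen[k] }
      }
      exit bad   # non-zero if any setting is missing or wrong
    }
  '
}

# Constructed sample: effective config where a drop-in still enables passwords.
SAMPLE_BAD='permitrootlogin no
passwordauthentication yes
pubkeyauthentication yes'

if printf '%s\n' "$SAMPLE_BAD" | check_sshd_effective; then
  echo "effective config matches the checklist"
else
  echo "effective config does NOT match; look in /etc/ssh/sshd_config.d/*.conf"
fi
```

Run it before closing your current session; `sshd -t` in the usage line also catches syntax errors before the restart.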

Step 2 — Firewall: open the minimum ports

If you only need SSH + HTTPS, do not leave random ports open “just in case”. That is how you get “surprise services”.

# SSH (22) + web (80/443). Add others only if you truly need them.
sudo ufw allow OpenSSH
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw status verbose

More sections continue below (fail2ban, updates, reverse proxy, backups). This page is long by design — the right defaults are boring.