    Secure Your OpenClaw VPS in Under 10 Minutes

    Set up Fail2Ban and UFW on your VPS in minutes. Protect your OpenClaw server from brute-force attacks and unauthorized access — no Linux experience required.

    Table of Contents

    1. Why This Matters for OpenClaw Users
    2. Part 1: Setting Up Fail2Ban
    3. Customising the Configuration
    4. Part 2: Enabling UFW (Uncomplicated Firewall)
    5. Quick Reference: All Commands
    6. Frequently Asked Questions

    If you've just set up OpenClaw on a VPS, you've done the hard part. But there's one thing most people skip that can cost them everything — proper server hardening.

    Here's the uncomfortable truth: the moment your VPS goes live, it's being probed. Not eventually. Right now. Automated bots scan entire IP ranges around the clock looking for servers with weak or default credentials. If you run a tool like journalctl or check your auth logs, you'll be shocked by the number of failed login attempts sitting there — often in the hundreds, within hours of deployment.

    This guide covers two essential layers of protection you can set up in minutes, with no prior Linux experience required.

    Why This Matters for OpenClaw Users

    Your OpenClaw setup on a VPS isn't just a server — it's your agent workspace. It likely contains API keys, tool configurations, credentials, and the full context of your automation pipelines. If someone gets in, they get access to all of that.

    The good news is that you don't need to become a sysadmin to protect it. Two lightweight tools — Fail2Ban and UFW — handle the majority of attack vectors with minimal configuration.

    Part 1: Setting Up Fail2Ban

    Fail2Ban is a service that watches your server's login logs and automatically bans IP addresses that fail authentication too many times. It's lightweight, runs silently in the background, and starts protecting you the moment it's installed.

    Installation

    These steps work on any Ubuntu or Debian VPS, regardless of your hosting provider — Contabo, DigitalOcean, Hostinger, all use the same commands.

    First, SSH into your VPS. On Windows, open PowerShell and run:

    ssh root@YOUR_VPS_IP

    On Mac, use the Terminal app with the same command. If it's your first time connecting, you'll be prompted to accept the server fingerprint — type yes and press Enter.

    Once connected, refresh the package index and install Fail2Ban:

    sudo apt update
    sudo apt install fail2ban -y

    Enabling the Service

    After installation, enable and start the service so it runs automatically — including after any server reboots:

    sudo systemctl enable --now fail2ban

    That's it. Fail2Ban is already working. You can verify it's active and see banned IPs with:

    sudo fail2ban-client status sshd

    Within minutes of running this on a fresh VPS, you'll likely see a list of IPs that have already been blocked. It's a sobering reminder of how actively servers get scanned.

    Customising the Configuration (Optional but Recommended)

    Fail2Ban works out of the box, but the default settings are fairly lenient. Here's how to tighten them.

    Navigate to the configuration directory:

    cd /etc/fail2ban
    ls

    You'll see a file called jail.conf. The key rule here: never edit this file directly. Updates to Fail2Ban can overwrite it. Instead, create a local copy that Fail2Ban will prioritise:

    sudo cp jail.conf jail.local

    Now open the local file with the Nano text editor:

    sudo apt install nano -y
    sudo nano /etc/fail2ban/jail.local

    Scroll down until you find three settings:

    • findtime — the time window for counting failed attempts
    • maxretry — how many failures before a ban kicks in
    • bantime — how long an IP stays banned

    The defaults are 5 failures within 10 minutes, resulting in a 10-minute ban. A more aggressive but sensible configuration:

    findtime  = 10m
    maxretry  = 3
    bantime   = 1h

    This bans anyone after 3 failed logins within 10 minutes, for a full hour.

    One important caveat: if you forget your own password and fail three times, you'll lock yourself out too. To prevent this, find the ignoreip line (in the stock file it is commented out with a leading #, which you need to remove) and add your home IP address to the whitelist:

    ignoreip = 127.0.0.1/8 YOUR_HOME_IP

    If you use a VPN at home (like many people do), your IP changes constantly — in that case, skip the whitelist and just make sure you have your credentials saved somewhere reliable.

    To save in Nano: press Ctrl+X, then Y, then Enter.

    After saving, restart Fail2Ban to apply the changes:

    sudo systemctl restart fail2ban
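
    The effect of these settings on a login log, as an added example that is not part of the original tutorial and not Fail2Ban's own code: a simplified model of the findtime / maxretry / ignoreip rule, run over constructed sshd lines in the layout printed by journalctl -o short-unix. The addresses, the host name "vps" and the would_ban helper are assumptions made for the example, and ban expiry (bantime) is left out.

```shell
#!/bin/sh
# Added example: simplified model of the findtime / maxretry / ignoreip rule.
# It is not Fail2Ban code, and ban expiry (bantime) is not modelled.
# Usage: would_ban MAXRETRY FINDTIME_SECONDS [IGNORED_IP] < log

would_ban() {
    awk -v maxretry="$1" -v findtime="$2" -v ignore="${3:-}" '
    /sshd.*Failed password for / {
        t = int($1)                           # epoch seconds
        ip = ""
        for (i = 1; i < NF; i++)              # take the last "from": the real
            if ($i == "from") ip = $(i + 1)   # address follows the user name
        if (ip == "" || ip == ignore || (ip in banned)) next
        n = ++count[ip]
        seen[ip, n] = t
        hits = 0
        for (k = 1; k <= n; k++)              # failures inside the window
            if (t - seen[ip, k] < findtime) hits++
        if (hits >= maxretry) { banned[ip] = t; print ip }
    }'
}

# Constructed log lines (documentation addresses, hypothetical host "vps").
SAMPLE_LOG='1700000000.101234 vps sshd[811]: Failed password for root from 203.0.113.7 port 40122 ssh2
1700000010.220110 vps sshd[812]: Failed password for invalid user admin from 198.51.100.9 port 51000 ssh2
1700000012.431900 vps sshd[812]: Failed password for invalid user admin from 198.51.100.9 port 51000 ssh2
1700000014.009812 vps sshd[813]: Failed password for root from 198.51.100.9 port 51014 ssh2
1700000016.771003 vps sshd[813]: Failed password for root from 198.51.100.9 port 51014 ssh2
1700000018.120045 vps sshd[814]: Failed password for invalid user test from 198.51.100.9 port 51020 ssh2
1700000200.500321 vps sshd[820]: Failed password for root from 203.0.113.7 port 40130 ssh2
1700000400.640872 vps sshd[825]: Failed password for root from 203.0.113.7 port 40160 ssh2
1700000500.010101 vps sshd[830]: Failed password for root from 192.0.2.10 port 50500 ssh2
1700000505.020202 vps sshd[830]: Failed password for root from 192.0.2.10 port 50500 ssh2
1700000510.030303 vps sshd[831]: Failed password for root from 192.0.2.10 port 50510 ssh2
1700000520.040404 vps sshd[832]: Accepted password for root from 192.0.2.10 port 50522 ssh2'

echo "defaults (5 in 10m):";  printf '%s\n' "$SAMPLE_LOG" | would_ban 5 600
echo "tightened (3 in 10m):"; printf '%s\n' "$SAMPLE_LOG" | would_ban 3 600
echo "tightened, home IP ignored:"
printf '%s\n' "$SAMPLE_LOG" | would_ban 3 600 192.0.2.10
```

    In the sample, 192.0.2.10 stands in for your own address: with the tightened settings it is banned after three mistyped passwords unless it is listed in ignoreip.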

    Part 2: Enabling UFW (Uncomplicated Firewall)

    Fail2Ban handles brute force attempts. UFW handles everything else — it controls which network traffic is even allowed to reach your server in the first place. With UFW active, anything hitting an unallowed port gets silently dropped, as if that port doesn't exist.

    Many major VPS providers (Contabo, DigitalOcean) have all ports open by default. Some providers like Hetzner and Ionos require you to open ports manually. Either way, installing UFW gives you full control.

    Check What Ports You're Using

    Before enabling UFW, list all currently active ports so you know what to allow:

    sudo ss -tulnp

    This shows every port currently listening. A few things to understand when reading the output:

    • Addresses starting with 127. (or [::1] for IPv6) are local only: these are internal processes not exposed to the internet, and they don't need to be allowed through the firewall
    • Addresses starting with 0.0.0.0 or ::: (ss prints the IPv6 form as [::], and may show * for all addresses) listen on every interface and are publicly exposed: these are the ones you need to consider

    For a standard OpenClaw-only VPS, the only public-facing port you typically need is port 22, which is the SSH port. OpenClaw's own ports run locally and don't need to be publicly reachable.
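
    The reading rule above applied to ss output, as an added example that is not part of the original tutorial: it lists every port bound to a non-loopback address in the PORT/proto form that ufw allow takes, so you can see what would be cut off. The sample listing, its ports and the public_listeners helper are constructed for the example; it also handles the [::], * and [::1] forms that ss prints for IPv6 and wildcard binds.

```shell
#!/bin/sh
# Added example: list listeners bound to non-loopback addresses, as PORT/proto.
# Real use: sudo ss -tulnp | public_listeners

public_listeners() {
    awk '
    $1 == "Netid" { next }                 # header line (absent with ss -H)
    NF >= 5 {
        la = $5                            # "Local Address:Port" column
        n = split(la, parts, ":")
        port = parts[n]                    # text after the last colon
        addr = substr(la, 1, length(la) - length(port) - 1)
        sub(/%.*$/, "", addr)              # drop interface suffix, e.g. %lo
        if (addr ~ /^127\./ || addr == "[::1]") next   # loopback: local only
        print port "/" $1                  # e.g. 22/tcp
    }' | sort -u
}

# Constructed sample of `ss -tulnp` output (not captured from a real host).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=410,fd=13))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=702,fd=3))
tcp   LISTEN 0      511    127.0.0.1:3000     0.0.0.0:*         users:(("node",pid=915,fd=21))
tcp   LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=702,fd=4))
tcp   LISTEN 0      4096   [::1]:6379         [::]:*            users:(("redis-server",pid=640,fd=7))
tcp   LISTEN 0      511    *:8080             *:*               users:(("node",pid=930,fd=18))'

printf '%s\n' "$SAMPLE_SS" | public_listeners
```

    Any port in the output other than your SSH port is either a service you meant to publish, which needs its own ufw allow rule, or one that UFW will stop outside traffic from reaching once it is enabled.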

    Allowing SSH Before Enabling the Firewall

    This step is critical. Always allow the SSH port before enabling UFW, or you risk locking yourself out of your own server.

    sudo ufw allow 22/tcp

    Enabling the Firewall

    Now you can safely enable UFW:

    sudo ufw enable

    UFW will warn you that this may disrupt SSH connections. That's expected — and exactly why you allowed port 22 first. Press Y and Enter to confirm.

    Verify that the firewall is active and check which rules are applied:

    sudo ufw status

    Verify Your Connection

    Before closing your terminal, open a new terminal window and try to SSH into the server again:

    ssh root@YOUR_VPS_IP

    If you connect successfully, everything is working correctly. The SSH port is open, the firewall is active, and all other traffic is being dropped.

    If for any reason you can't reconnect (rare, but possible if there's a port conflict), go back to your existing session and run:

    sudo ufw disable

    Then troubleshoot which port you missed. The ss -tulnp output from earlier is your reference.

    Quick Reference: All Commands in Order

    # 1. Install and enable Fail2Ban
    sudo apt update
    sudo apt install fail2ban -y
    sudo systemctl enable --now fail2ban
    
    # 2. Check Fail2Ban status
    sudo fail2ban-client status sshd
    
    # 3. Create local Fail2Ban config (don't edit jail.conf directly)
    sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
    sudo apt install nano -y
    sudo nano /etc/fail2ban/jail.local
    
    # 4. Restart Fail2Ban after config changes
    sudo systemctl restart fail2ban
    
    # 5. Check open ports
    sudo ss -tulnp
    
    # 6. Allow SSH port (BEFORE enabling firewall)
    sudo ufw allow 22/tcp
    
    # 7. Enable UFW firewall
    sudo ufw enable
    
    # 8. Check firewall status
    sudo ufw status
    
    # 9. Disable firewall (emergency rollback)
    sudo ufw disable

    Frequently Asked Questions

    Do I need to do this even if my VPS provider has a firewall dashboard?

    Yes. Provider-level firewalls and UFW operate at different layers. Provider firewalls filter traffic before it reaches your server; UFW handles it on the server itself. Having both is better than relying on one.

    Will this break my OpenClaw setup?

    Not if you follow the steps in order. OpenClaw's agent ports are all local — they're not exposed publicly, so UFW won't affect them. The only port you need to keep open is port 22 for SSH access.

    How do I know Fail2Ban is actually working?

    Run sudo fail2ban-client status sshd — it shows you exactly how many IPs have been banned and which jails are active. On an unprotected server that's been running for even a few hours, that number is almost always non-zero.

    What if I want to allow another port later?

    Just run sudo ufw allow PORT/tcp (replacing PORT with the number you need) and UFW will update immediately. No restart required.

    Is there anything else I should do for VPS security?

    These two steps cover the most common attack vectors. For deeper hardening, look into SSH key-based authentication (disabling password login entirely) and changing your SSH port from 22 to a non-standard port — both of which significantly reduce your exposure.

    This guide accompanies the Komputer Mechanic YouTube tutorial on VPS security for OpenClaw. All commands are tested on Ubuntu 22.04 and Debian 12.