Security Setup
Securing your ClawBook VPS is critical. This guide covers essential security measures you should implement immediately after provisioning.
Security Checklist
Complete these steps in order:
- Change root password
- Change dashboard password
- Set up SSH keys
- Disable password authentication
- Configure firewall
- Enable fail2ban
- Set up automatic updates
Step 1: Change Passwords
Root Password
passwd
Requirements:
- Minimum 16 characters
- Mix of uppercase, lowercase, numbers, symbols
- Not based on dictionary words
Dashboard Password
- Log into the dashboard at https://YOUR_IP:8443
- Go to Settings → Account
- Click Change Password
- Use a strong password that is different from the root/SSH password
Step 2: Set Up SSH Keys
SSH keys are more secure than passwords. Here's how to set them up:
Generate a Key Pair (on your local computer)
Linux/macOS:
ssh-keygen -t ed25519 -C "your-email@example.com"
Windows (PowerShell):
ssh-keygen -t ed25519 -C "your-email@example.com"
Press Enter to accept default location, then enter a strong passphrase.
Copy Public Key to Server
Linux/macOS:
ssh-copy-id root@YOUR_VPS_IP
Windows (manual method):
# Display your public key
cat ~/.ssh/id_ed25519.pub
# SSH into server and add the key
ssh root@YOUR_VPS_IP
mkdir -p ~/.ssh
echo "YOUR_PUBLIC_KEY_HERE" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
Test Key-Based Login
ssh root@YOUR_VPS_IP
You should connect without entering the server password (only your key passphrase if set).
Step 3: Disable Password Authentication
Only do this after confirming SSH key login works!
# Edit SSH config
nano /etc/ssh/sshd_config
Find and change these lines (on Ubuntu 22.04 and later, also check the drop-in files under /etc/ssh/sshd_config.d/, which are included before the main file and take precedence for these options):
PasswordAuthentication no
PermitRootLogin prohibit-password
Check the configuration syntax with sshd -t (no output means it is valid), then restart SSH:
systemctl restart sshd
Keep your current SSH session open while testing. Open a new terminal and verify you can still connect before closing the original session.
Step 4: Configure Firewall
ClawBook uses UFW (Uncomplicated Firewall):
# Check current status
ufw status
# Allow necessary ports
ufw allow 22/tcp # SSH
ufw allow 80/tcp # HTTP (for Let's Encrypt)
ufw allow 443/tcp # HTTPS
ufw allow 8443/tcp # OpenClaw Dashboard
# Enable firewall
ufw enable
Restrict SSH Access (Optional)
If you have a static IP, restrict SSH to only your IP:
# Add the rule for your IP first, so there is never a moment without an SSH rule
ufw allow from YOUR_HOME_IP to any port 22
# Then remove the general SSH rule
ufw delete allow 22/tcp
Step 5: Enable Fail2Ban
Fail2Ban blocks IPs after failed login attempts:
# Install (usually pre-installed)
apt install fail2ban -y
# Create local config
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
nano /etc/fail2ban/jail.local
Add/modify:
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
[openclaw]
enabled = true
port = 8443
filter = openclaw
logpath = /var/log/openclaw/access.log
maxretry = 5
bantime = 1800
Create OpenClaw filter:
nano /etc/fail2ban/filter.d/openclaw.conf
[Definition]
failregex = ^.*Failed login attempt from <HOST>.*$
ignoreregex =
Restart Fail2Ban:
systemctl restart fail2ban
Check banned IPs:
fail2ban-client status sshd
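As an added example (not part of the ClawBook docs or of fail2ban itself), this Python script replays constructed OpenClaw access-log lines through the [openclaw] jail's failregex and ban logic, so you can see which hosts the jail above would ban and why a slow, spread-out series of failures slips under maxretry. The timestamp-first log format and fail2ban's default findtime of 600 s are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The page's failregex, with fail2ban's <HOST> tag expanded to a simplified
# IPv4/IPv6 character class (fail2ban's real expansion also matches hostnames).
FAILREGEX = re.compile(r"^.*Failed login attempt from (?P<host>[0-9a-fA-F.:]+).*$")
# Settings from the page's [openclaw] jail; findtime is fail2ban's default (600 s).
MAXRETRY, FINDTIME, BANTIME = 5, 600, 1800

# Constructed sample lines; the ISO-8601 UTC timestamp as first field is an assumption.
SAMPLE_LOG = """\
2024-05-01T12:00:01Z Failed login attempt from 203.0.113.7 user=admin
2024-05-01T12:00:05Z Failed login attempt from 203.0.113.7 user=admin
2024-05-01T09:00:00Z Failed login attempt from 198.51.100.22 user=root
2024-05-01T12:00:20Z Failed login attempt from 203.0.113.7 user=root
2024-05-01T09:15:00Z Failed login attempt from 198.51.100.22 user=root
2024-05-01T12:01:10Z Successful login from 203.0.113.7 user=admin
2024-05-01T12:01:10Z Failed login attempt from 203.0.113.7 user=test
2024-05-01T09:30:00Z Failed login attempt from 198.51.100.22 user=root
2024-05-01T09:45:00Z Failed login attempt from 198.51.100.22 user=root
2024-05-01T12:03:59Z Failed login attempt from 203.0.113.7 user=admin
2024-05-01T10:00:00Z Failed login attempt from 198.51.100.22 user=root
""".splitlines()

def failures(lines):
    """Return (timestamp, host) for each line the failregex matches, oldest first."""
    hits = []
    for line in lines:
        m = FAILREGEX.match(line)
        if m:
            ts = datetime.fromisoformat(line.split(" ", 1)[0].replace("Z", "+00:00"))
            hits.append((ts, m.group("host")))
    return sorted(hits)

def compute_bans(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay the log as the jail would: ban a host once it reaches maxretry
    failures inside a sliding findtime window. Returns {host: ban expiry}."""
    recent, bans = defaultdict(list), {}
    for ts, host in failures(lines):
        if host in bans and ts < bans[host]:
            continue  # host is currently banned; fail2ban does not count while banned
        window = [t for t in recent[host] if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            bans[host] = ts + timedelta(seconds=bantime)
            recent[host] = []
    return bans
```

To check the real filter against the real log instead, fail2ban ships fail2ban-regex: fail2ban-regex /var/log/openclaw/access.log /etc/fail2ban/filter.d/openclaw.conf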
Step 6: Automatic Security Updates
Enable unattended upgrades for security patches:
apt install unattended-upgrades -y
dpkg-reconfigure -plow unattended-upgrades
Verify configuration:
cat /etc/apt/apt.conf.d/20auto-upgrades
Should show:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
Additional Security Measures
Two-Factor Authentication (Dashboard)
- Go to Settings → Security
- Click Enable 2FA
- Scan QR code with authenticator app (Google Authenticator, Authy)
- Enter verification code
- Save backup codes securely
API Key Security
- Never commit API keys to version control
- Rotate keys every 90 days
- Use environment variables, not config files
- Set up key expiration alerts
Regular Audits
Run monthly:
# Check for failed login attempts
grep "Failed password" /var/log/auth.log | tail -20
# Review open ports
ss -tulpn
# Check running services
systemctl list-units --type=service --state=running
# Review user accounts that have a real login shell (exclude nologin and false shells)
grep -vE 'nologin|/bin/false' /etc/passwd
Security Alerts
Configure email alerts for security events:
- Go to Settings → Notifications
- Enable:
  - Failed login attempts (threshold: 3)
  - New device logins
  - Configuration changes
  - Service outages
Verification
Run the security check:
clawbook-security-check
Expected output:
ClawBook Security Audit
=======================
✓ Root password changed
✓ Dashboard password changed
✓ SSH key authentication enabled
✓ Password authentication disabled
✓ Firewall enabled
✓ Fail2Ban active
✓ Automatic updates enabled
✓ 2FA enabled on dashboard
Security Score: 100/100
Status: EXCELLENT
Next Steps
Your server is now secured. Continue with:
- LLM Providers - Connect your AI backend
- WhatsApp Setup - Connect messaging platforms
- Backup & Restore - Protect your data