OpenClaw instances exposed on the public network are being scanned in batches

Summary

  • Someone has created an index site that contains all OpenClaw instances exposed on the public network.
  • Instances without access authentication are already being automatically scanned and flagged, and the risk of data leakage and resource misuse is real.
  • This article explains clearly what the risks are and how to fix them.

This isn't a hypothetical risk. A security researcher has compiled all publicly exposed OpenClaw instances into a public index at https://openclaw.allegro.earth. Anyone can open it and see your instance. If you've deployed OpenClaw without configuring access authentication, your service is likely already listed there.

What's actually at risk

A service exposed on the public internet with no access protection means its interfaces, console, and API endpoints are open to anyone. There are three concrete consequences.

Your configuration, conversation history, task results, logs, and user tokens can be read by any visitor: no exploits required, just a direct request.

Attackers may use your instance to run junk tasks or route malicious requests, draining your VPS resources and potentially triggering throttling or account suspension from your cloud provider. The server you're paying for ends up doing someone else's work.

An exposed service can also be used as a launchpad to attack other targets, putting other services running on the same VPS at risk.

Why your instance gets scanned

The internet is full of automated scanners that continuously probe every reachable port and path. OpenClaw's port and path structure is publicly known, so any unauthenticated instance can be identified and logged with no effort at all. This isn't targeted at you specifically; it happens automatically across the entire internet.

How to fix it

Whether you're on Hostinger, Vultr, DigitalOcean, or another VPS, you should work through the following steps now.

Step 1: Set up an Nginx reverse proxy with Basic Auth

Install the required tools:

sudo apt install nginx apache2-utils -y

Create an authentication file:

sudo htpasswd -c /etc/nginx/.htpasswd your_username

Configure Nginx:

server {
    listen 80;
    server_name your_domain_or_IP;

    location / {
        auth_basic "Restricted Access";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

Restart Nginx:

sudo systemctl restart nginx

Step 2: Enable HTTPS

Plain HTTP transmits your credentials in the clear. Use Let's Encrypt to fix that:

sudo apt install certbot python3-certbot-nginx -y
sudo certbot --nginx -d your_domain

Certbot configures the certificate in Nginx automatically and installs a renewal timer, so the 90-day certificate is renewed before it expires.

Step 3: Block unnecessary ports

Remove direct public access to OpenClaw's port and route all traffic through the Nginx proxy instead:

sudo ufw deny 8080
sudo ufw allow 80
sudo ufw allow 443
sudo ufw allow ssh
sudo ufw enable

Step 4: Install Fail2ban

This limits brute-force attacks against the Basic Auth login by banning an IP address after repeated failed attempts:

sudo apt install fail2ban -y
sudo systemctl enable fail2ban && sudo systemctl start fail2ban

Create a rules file:

sudo nano /etc/fail2ban/jail.local

Add the following:

[nginx-http-auth]
enabled = true
port = http,https
logpath = /var/log/nginx/error.log
maxretry = 5
bantime = 3600

Restart Fail2ban:

sudo systemctl restart fail2ban
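To see what the nginx-http-auth jail above actually reacts to, here is an added example (not part of the original article or of Fail2ban) that parses the failed-auth lines Nginx writes to error.log and applies the same maxretry rule over a constructed sample log. The findtime value (Fail2ban's default of 10 minutes) and the sample log lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Pattern modelled on the lines nginx writes to error.log when auth_basic rejects
# a request: wrong password ("password mismatch") or unknown user ("was not found").
AUTH_FAIL = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] \d+#\d+: \*\d+ '
    r'user "(?P<user>[^"]*)":? (?:password mismatch|was not found[^,]*), '
    r'client: (?P<ip>[0-9a-fA-F.:]+), '
)

def parse_auth_failures(lines):
    """Yield (timestamp, client_ip) for every failed Basic Auth attempt in the log."""
    for line in lines:
        m = AUTH_FAIL.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"), m.group("ip")

def ips_to_ban(lines, maxretry=5, findtime=600):
    """Return the client IPs that reach maxretry failures inside any findtime-second window.

    maxretry mirrors the jail setting; findtime=600 is Fail2ban's default, assumed
    here because the jail above does not set it explicitly.
    """
    failures = defaultdict(list)
    for ts, ip in parse_auth_failures(lines):
        failures[ip].append(ts)
    banned = set()
    for ip, stamps in failures.items():
        stamps.sort()
        # Sliding window: failure i and failure i-(maxretry-1) must lie within findtime.
        for i in range(maxretry - 1, len(stamps)):
            if (stamps[i] - stamps[i - maxretry + 1]).total_seconds() <= findtime:
                banned.add(ip)
                break
    return banned

def _fail_line(ts, user, ip, reason=': password mismatch'):
    """Build one constructed error.log line in nginx's format (sample data, not a real log)."""
    return (f'{ts} [error] 1234#1234: *7 user "{user}"{reason}, client: {ip}, '
            f'server: your_domain, request: "GET / HTTP/1.1", host: "your_domain"')

# Constructed sample: five failures in 40 seconds from one address, two from another,
# plus an unrelated upstream error that must not be counted as an auth failure.
SAMPLE_LOG = [_fail_line(f"2026/01/10 12:00:{s:02d}", "admin", "203.0.113.10") for s in range(0, 50, 10)]
SAMPLE_LOG += [
    _fail_line("2026/01/10 12:05:00", "bob", "198.51.100.7", ' was not found in "/etc/nginx/.htpasswd"'),
    _fail_line("2026/01/10 12:06:00", "bob", "198.51.100.7", ' was not found in "/etc/nginx/.htpasswd"'),
    '2026/01/10 12:07:00 [error] 1234#1234: *9 connect() failed (111: Connection refused) '
    'while connecting to upstream, client: 198.51.100.7, server: your_domain',
]

if __name__ == "__main__":
    print(sorted(ips_to_ban(SAMPLE_LOG)))  # ['203.0.113.10']
```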

Step 5: Use an SSH tunnel if you're the only user

If OpenClaw is just for personal use, the cleanest solution is to never expose it to the public internet at all. Access it through an SSH tunnel instead:

ssh -L 8080:localhost:8080 username@your_server_IP

Then open http://localhost:8080 in your local browser. Port 8080 on the server doesn't need to be publicly accessible at all.

Check whether you're already indexed

Go to https://openclaw.allegro.earth and search for your server's IP address. If it appears, your instance has been indexed. Follow the steps above to harden your setup; subsequent scans will no longer be able to identify your service.
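Besides searching the index, you can check the result of the hardening yourself from a machine outside the VPS. The following is an added example (not from the original article or the OpenClaw project) that sends one anonymous GET to the OpenClaw port and the proxy port and classifies the answer; the default ports, the path "/" and the verdict names are assumptions.

```python
import http.client

def probe(host, port, path="/", timeout=5):
    """Issue one unauthenticated GET; return (status, headers) or None if nothing answers."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    except (OSError, http.client.HTTPException):
        return None  # refused, filtered by ufw, or bound to localhost only

def classify(result):
    """Map a probe result to a verdict a defender can act on."""
    if result is None:
        return "closed"            # the port is not reachable from here (what Step 3 aims for)
    status, headers = result
    if status == 401 and "www-authenticate" in headers:
        return "auth-required"     # Nginx auth_basic answers before OpenClaw sees the request
    if status in (301, 302, 307, 308) and headers.get("location", "").startswith("https://"):
        return "redirect-https"    # re-run the check against port 443 as well
    if 200 <= status < 300:
        return "exposed"           # content was served to an anonymous request
    return f"other-{status}"

def check_host(host, ports=(8080, 80)):
    """Return {port: verdict}; 8080 should be 'closed', 80 'auth-required' or 'redirect-https'."""
    return {port: classify(probe(host, port)) for port in ports}

if __name__ == "__main__":
    import sys
    for port, verdict in check_host(sys.argv[1]).items():
        print(f"{sys.argv[1]}:{port} -> {verdict}")
```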

A final note

Adding authentication, enabling HTTPS, and closing unnecessary ports won't take long. The cost of skipping it, however, can be significant. Security hardening isn't something you do after something goes wrong; it's something you finish before it does.
