This isn't some theoretical risk; it's already happening. A security researcher has built a public index of every exposed OpenClaw instance at https://openclaw.allegro.earth. Anyone can visit the site and see your instance. If you deployed OpenClaw without setting up proper authentication, there's a good chance it's already listed there.
What's Actually at Risk
When a service is left wide open on the public internet with no protection, its interface, console, and API endpoints are accessible to anyone. The consequences are very real:
- Anyone can read your configuration, conversation history, task results, logs, and even user tokens. No hacking required, just a simple request.
- Attackers can hijack your instance to run spam tasks or route malicious traffic, wasting your VPS resources and potentially getting your cloud account flagged or suspended.
- Your exposed service can be used as a jumping-off point to attack other targets, putting every other service on the same VPS at risk.
Why Your Instance Gets Scanned
The internet is constantly being scanned by automated bots that probe every open port and common path. Since OpenClaw's port and URL structure is publicly known, any unprotected instance can be automatically detected and added to lists like this one. It's not personal; it's just how the internet works now.
How to Fix It Properly
Whether you're on Hostinger, Vultr, DigitalOcean, or any other VPS, you should secure your setup right away. Here's what you need to do:
Step 1: Set up Nginx with Basic Authentication
sudo apt install nginx apache2-utils -y
Create a username and password for access:
sudo htpasswd -c /etc/nginx/.htpasswd your_username
Then configure Nginx:
server {
    listen 80;
    server_name your_domain_or_IP;

    location / {
        auth_basic "Restricted Access";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
Restart Nginx:
sudo systemctl restart nginx
Step 2: Enable HTTPS (Important!)
Never send credentials over plain HTTP. Use Let's Encrypt to add HTTPS:
sudo apt install certbot python3-certbot-nginx -y
sudo certbot --nginx -d your_domain
It will automatically configure the certificate and set up auto-renewal.
Step 3: Block Direct Access to OpenClaw's Port
sudo ufw deny 8080
sudo ufw allow 80
sudo ufw allow 443
sudo ufw allow ssh
sudo ufw enable
Step 4: Install Fail2Ban to block brute-force attempts
sudo apt install fail2ban -y
sudo systemctl enable fail2ban && sudo systemctl start fail2ban
Create a custom rule:
sudo nano /etc/fail2ban/jail.local
Add this:
[nginx-http-auth]
enabled = true
port = http,https
logpath = /var/log/nginx/error.log
maxretry = 5
bantime = 3600
Then restart Fail2Ban:
sudo systemctl restart fail2ban
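As an added illustration (not part of the original guide or of fail2ban itself), this Python script replays what the nginx-http-auth jail above does: it scans Nginx error.log lines for basic-auth failures, counts them per client IP, and reports which IPs would be banned with maxretry = 5 and bantime = 3600. The log lines are constructed samples, the regex is a simplified version of fail2ban's filter, and findtime = 600 is assumed to be fail2ban's default since the jail does not set it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Nginx error.log format (not real traffic).
# 203.0.113.5 fails five times within a minute, then once more two hours later.
SAMPLE_LOG = """\
2024/03/01 10:00:01 [error] 1234#1234: *1 user "admin": password mismatch, client: 203.0.113.5, server: example.com, request: "GET / HTTP/1.1", host: "example.com"
2024/03/01 10:00:02 [error] 1234#1234: *2 user "root" was not found in "/etc/nginx/.htpasswd", client: 203.0.113.5, server: example.com, request: "GET / HTTP/1.1", host: "example.com"
2024/03/01 10:00:03 [error] 1234#1234: *3 user "admin": password mismatch, client: 203.0.113.5, server: example.com, request: "GET / HTTP/1.1", host: "example.com"
2024/03/01 10:00:04 [error] 1234#1234: *4 user "admin": password mismatch, client: 203.0.113.5, server: example.com, request: "GET / HTTP/1.1", host: "example.com"
2024/03/01 10:00:05 [error] 1234#1234: *5 user "admin": password mismatch, client: 203.0.113.5, server: example.com, request: "GET / HTTP/1.1", host: "example.com"
2024/03/01 10:00:06 [error] 1234#1234: *6 user "alice": password mismatch, client: 198.51.100.7, server: example.com, request: "GET /api HTTP/1.1", host: "example.com"
2024/03/01 12:00:00 [error] 1234#1234: *7 user "admin": password mismatch, client: 203.0.113.5, server: example.com, request: "GET / HTTP/1.1", host: "example.com"
"""

# Simplified form of the pattern used by fail2ban's nginx-http-auth filter
# (assumption: the real filter is stricter about the tail of the line).
AUTH_FAIL = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] \d+#\d+: \*\d+ '
    r'user "[^"]*"(?:: password mismatch| was not found in "[^"]*"), '
    r'client: (?P<ip>[0-9a-fA-F.:]+), '
)

def find_bans(log_text, maxretry=5, findtime=600, bantime=3600):
    """Ban an IP once it reaches maxretry failures inside a findtime-second
    window; the ban lasts bantime seconds. Returns {ip: ban_expiry_iso}.
    findtime=600 is fail2ban's default (jail.local above does not set it)."""
    recent = defaultdict(list)   # ip -> failure timestamps still inside the window
    bans = {}                    # ip -> datetime the ban expires
    for line in log_text.splitlines():
        m = AUTH_FAIL.match(line)
        if not m:
            continue
        ip = m.group('ip')
        ts = datetime.strptime(m.group('ts'), '%Y/%m/%d %H:%M:%S')
        if ip in bans and ts < bans[ip]:
            continue             # still banned; the firewall would drop this client
        window = [t for t in recent[ip] if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[ip] = window
        if len(window) >= maxretry:
            bans[ip] = ts + timedelta(seconds=bantime)
            recent[ip] = []      # counter resets when the ban is applied
    return {ip: exp.isoformat() for ip, exp in bans.items()}

if __name__ == '__main__':
    for ip, expiry in find_bans(SAMPLE_LOG).items():
        print(f'ban {ip} until {expiry}')
```

Point the script at /var/log/nginx/error.log on your own server to see which clients would have been banned before you enabled the jail.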
Step 5: For Personal Use Only, Use an SSH Tunnel (Best Option)
If you're the only person using OpenClaw, the safest approach is not to expose it to the internet at all. Just create an SSH tunnel:
ssh -L 8080:localhost:8080 username@your_server_IP
Then open http://localhost:8080 in your browser. This way, port 8080 never needs to be open to the public.
Check If You've Already Been Indexed
Visit https://openclaw.allegro.earth and search for your server's IP. If it shows up, your instance has been indexed. Follow the steps above to secure it; future scans won't be able to detect an open instance anymore.
Final Word
Setting up authentication, enabling HTTPS, and closing unnecessary ports only takes 15-30 minutes. The potential cost of leaving it exposed can be much higher: wasted resources, compromised data, or even account suspension. Security isn't something you fix after a problem appears. It's something you take care of before it does.