Downloads: 496
Stars: 0
Active Installs: 0
Versions: 1
Install in OpenClaw
/install server-host-hardening
Description
Harden an OpenClaw Linux server with SSH key-only auth, UFW firewall, fail2ban brute-force protection, and credential permissions. Use when setting up a new...
Usage Guidance
This is an instruction-only hardening recipe that will make system-wide, privileged changes if you run it. Before running anything:
1) Confirm the target is Debian/Ubuntu with systemd (the guide uses apt-get and systemctl) — do not run on unsupported OSes.
2) Back up /etc/ssh/sshd_config (and other configs) before editing.
3) Verify you can log in with SSH keys from another session before disabling password auth.
4) Be careful enabling UFW remotely — add necessary allow rules (SSH and any service ports) first to avoid locking yourself out.
5) Prefer chmod 600 for credential files rather than 700; ensure you understand which user owns ~/.openclaw (root vs your non-root user).
6) Review the systemd unit: running the gateway as root and Restart=always gives persistent privileged execution — consider running as a dedicated, non-root user and confirm the openclaw binary path exists.
7) Test these steps in a staging VM first.
Capability Analysis
Type: OpenClaw Skill
Name: server-host-hardening
Version: 1.0.0
The skill performs legitimate host hardening steps like configuring SSH, UFW, and Fail2ban. However, it configures the `openclaw-gateway.service` to run as `User=root` in `SKILL.md`. While this might be intended for OpenClaw's operation, running a long-lived service with root privileges significantly increases the attack surface and potential impact if the gateway process itself is ever compromised, making it a high-risk configuration.
Capability Assessment
Purpose & Capability
The name/description and the commands (SSH hardening, UFW, fail2ban, credential perms) are generally aligned. However the instructions assume Debian/Ubuntu (apt-get) and systemd without declaring that requirement; the skill metadata gives no OS restriction. The inclusion of an OpenClaw gateway systemd unit is consistent with the 'OpenClaw' context but expands scope from 'hardening' to 'service-installation'.
Instruction Scope
Commands perform system-wide, privileged operations: edit /etc/ssh/sshd_config, enable UFW, install packages, and create/enable a root systemd service. These are within 'hardening' but the instructions omit safety checks (no backup of sshd_config, no verification that the openclaw binary exists, no explicit advice to allow additional ports before enabling UFW). The credential permission change uses chmod 700 on a credentials file (700 gives execute permission and is unusual for secret files; 600 is normally appropriate). Creating a root-run, always-restarting openclaw-gateway service grants persistent privileged behavior that should be explicitly justified and reviewed.
Install Mechanism
This is an instruction-only skill with no installers or downloads. Nothing is written by the skill package itself; all changes are via system commands the user/agent would run. That minimizes supply-chain risk from the skill bundle itself.
Credentials
The skill declares no environment variables or credentials, which is consistent with being instruction-only. It does reference a local credential path (~/.openclaw/credentials) and creates a service using /root/.openclaw — that is reasonable for securing local credentials but the instructions do not clarify which user should run them (root vs non-root) and assume root-owned paths exist. The permission recommendation (700) is not the usual least-privilege choice for secret files.
Persistence & Privilege
The SKILL.md instructs creating and enabling a systemd service that runs as root and restarts always. That makes a persistent, privileged agent on the host; while enabling a gateway may be legitimate, it materially increases the long-term impact of following these instructions. The skill metadata does not require elevated privileges or warn that the commands require root.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: `/install server-host-hardening`
- After installation, invoke the skill by name or use `/server-host-hardening`
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
SSH key-only auth, UFW firewall, fail2ban, credential perms, gateway systemd service
Frequently Asked Questions
What is Host Hardening?
Harden an OpenClaw Linux server with SSH key-only auth, UFW firewall, fail2ban brute-force protection, and credential permissions. Use when setting up a new... It is an AI Agent Skill for Claude Code / OpenClaw, with 496 downloads so far.
How do I install Host Hardening?
Run "/install server-host-hardening" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Host Hardening free?
Yes, Host Hardening is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Host Hardening support?
Host Hardening is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Host Hardening?
It is built and maintained by ppiankov (@ppiankov); the current version is v1.0.0.