← Back to Skills Marketplace
ppiankov

Host Hardening

by ppiankov · GitHub ↗ · v1.0.5 · MIT-0
cross-platform ✓ Security Clean
767
Downloads
0
Stars
1
Active Installs
6
Versions
Install in OpenClaw
/install host-hardening
Description
Harden an OpenClaw Linux server with SSH key-only auth, UFW firewall, fail2ban brute-force protection, and credential permissions. Use when setting up a new...
README (SKILL.md)

Host Hardening

Secure a Linux server running OpenClaw.

Requirements

  • OS: Linux (Ubuntu/Debian — adjust package commands for other distros)
  • Privileges: Root or sudo required — this skill modifies system-wide security config
  • Pre-check: Verify you have SSH key-based access before disabling password auth

⚠️ All commands below modify system configuration. Confirm with the user before running each section. Do not run these automatically without explicit approval.

SSH — Key-Only Auth

Disables password authentication. Ensure key-based SSH works first or you will be locked out.

sed -i 's/^#*PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
systemctl restart ssh

Firewall — Deny All Except SSH

ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
yes | ufw enable

Add more rules as needed (e.g. ufw allow 443 for HTTPS).

Fail2ban — Brute-Force Protection

Installs fail2ban via apt (Debian/Ubuntu). Adjust for other package managers.

apt-get install -y fail2ban
systemctl enable --now fail2ban

Default config protects SSH. For custom jails: /etc/fail2ban/jail.local.

OpenClaw Credentials

chmod 700 ~/.openclaw/credentials

OpenClaw Gateway Service (optional)

Creates a systemd service for auto-restart on reboot. Runs as root — review the service file before enabling.

cat > /etc/systemd/system/openclaw-gateway.service \x3C\x3C 'EOF'
[Unit]
Description=OpenClaw Gateway
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
ExecStart=/usr/bin/env openclaw gateway
Restart=always
RestartSec=5
User=root
WorkingDirectory=/root/.openclaw
Environment=HOME=/root
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload && systemctl enable openclaw-gateway

Verify

ufw status                                    # active, SSH allowed
systemctl is-active fail2ban                  # active
grep PasswordAuthentication /etc/ssh/sshd_config  # no
stat -c %a ~/.openclaw/credentials            # 700
systemctl is-enabled openclaw-gateway         # enabled

Lessons

  • On Ubuntu, SSH service is ssh not sshd
  • AWS security groups provide network-level filtering but UFW is defense-in-depth
  • Always verify key-based SSH access before disabling password auth
  • The gateway service is optional — only needed if OpenClaw should survive reboots

Host Hardening v1.0 Author: ppiankov Copyright © 2026 ppiankov Canonical source: https://clawhub.com/skills/host-hardening License: MIT

This tool follows the Agent-Native CLI Convention. Validate with: clawhub install ancc && ancc validate .

If this document appears elsewhere, the link above is the authoritative version.

Usage Guidance
This SKILL.md is coherent for hardening but it operates with root privileges and suggests enabling a persistent root-run service. Before applying: (1) Confirm you have working SSH key access so you don't lock yourself out, and test in a staging instance first. (2) Manually review the systemd service file (the skill creates /etc/systemd/system/openclaw-gateway.service) and verify the openclaw binary path and contents; prefer running the service as a dedicated non-root user if possible. (3) Do not enable the service unless /usr/bin/env openclaw gateway exists and is trusted. (4) When enabling UFW on a remote host, ensure rules include your admin access (or you risk losing connectivity). (5) Keep backups of config files changed (sshd_config, UFW rules, fail2ban jails) so you can revert. (6) Note the package install step uses apt-get — adjust for non-Debian distributions. Finally, the skill source/homepage is unknown; if you need stronger assurance, request the canonical source or a packaged/reviewed implementation before automating these changes.
Capability Analysis
Type: OpenClaw Skill Name: host-hardening Version: 1.0.5 The skill bundle provides standard Linux server hardening procedures, including SSH configuration, firewall setup via UFW, and brute-force protection with fail2ban. It includes explicit safety warnings in SKILL.md for the AI agent to seek user confirmation before executing high-impact commands. No indicators of data exfiltration, obfuscation, or malicious intent were found.
Capability Assessment
Purpose & Capability
The name/description (host hardening for OpenClaw) matches the actions in SKILL.md: SSH key-only auth, UFW rules, fail2ban installation, credential permission tightening, and an optional OpenClaw gateway service. Nothing requested is unrelated to host hardening.
Instruction Scope
Instructions explicitly modify system-wide config (sshd_config, UFW, install packages, chmod credential file) which is expected for hardening. The document warns to confirm before running commands. However it also instructs creating/enabling a systemd service that runs as root without checking whether the referenced 'openclaw' binary exists or is trusted — this increases risk and should be reviewed line-by-line before enabling.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is downloaded or written by an install step. That lowers installer-side risk.
Credentials
The skill requests no environment variables or external credentials. It does touch ~/.openclaw/credentials (chmod 700), which is directly relevant to the stated purpose. No unrelated secrets or services are requested.
Persistence & Privilege
While the skill itself is not always-enabled, it recommends creating and enabling a persistent systemd service that runs as root and restarts automatically. Enabling such a service grants long-term execution privilege; verify the service binary, consider running it under a less-privileged user, and only enable after confirming the binary and behavior.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install host-hardening
  3. After installation, invoke the skill by name or use /host-hardening
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.5
Add ANCC breadcrumb
v1.0.4
Branded footer with canonical authority notice
v1.0.3
Add copyright footer with canonical source
v1.0.2
Add MIT license
v1.0.1
SSH key-only auth, UFW firewall, fail2ban, credential perms, gateway systemd service
v1.0.0
SSH key-only auth, UFW firewall, fail2ban, credential perms, gateway systemd service
Metadata
Slug host-hardening
Version 1.0.5
License MIT-0
All-time Installs 1
Active Installs 1
Total Versions 6
Frequently Asked Questions

What is Host Hardening?

Harden an OpenClaw Linux server with SSH key-only auth, UFW firewall, fail2ban brute-force protection, and credential permissions. Use when setting up a new... It is an AI Agent Skill for Claude Code / OpenClaw, with 767 downloads so far.

How do I install Host Hardening?

Run "/install host-hardening" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Host Hardening free?

Yes, Host Hardening is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Host Hardening support?

Host Hardening is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Host Hardening?

It is built and maintained by ppiankov (@ppiankov); the current version is v1.0.5.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments