← 返回 Skills 市场
767
总下载
0
收藏
1
当前安装
6
版本数
在 OpenClaw 中安装
/install host-hardening
功能描述
Harden an OpenClaw Linux server with SSH key-only auth, UFW firewall, fail2ban brute-force protection, and credential permissions. Use when setting up a new...
使用说明 (SKILL.md)
Host Hardening
Secure a Linux server running OpenClaw.
Requirements
- OS: Linux (Ubuntu/Debian — adjust package commands for other distros)
- Privileges: Root or sudo required — this skill modifies system-wide security config
- Pre-check: Verify you have SSH key-based access before disabling password auth
⚠️ All commands below modify system configuration. Confirm with the user before running each section. Do not run these automatically without explicit approval.
SSH — Key-Only Auth
Disables password authentication. Ensure key-based SSH works first or you will be locked out.
sed -i 's/^#*PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
systemctl restart ssh
Firewall — Deny All Except SSH
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
yes | ufw enable
Add more rules as needed (e.g. ufw allow 443 for HTTPS).
Fail2ban — Brute-Force Protection
Installs fail2ban via apt (Debian/Ubuntu). Adjust for other package managers.
apt-get install -y fail2ban
systemctl enable --now fail2ban
Default config protects SSH. For custom jails: /etc/fail2ban/jail.local.
OpenClaw Credentials
chmod 700 ~/.openclaw/credentials
OpenClaw Gateway Service (optional)
Creates a systemd service for auto-restart on reboot. Runs as root — review the service file before enabling.
cat > /etc/systemd/system/openclaw-gateway.service \x3C\x3C 'EOF'
[Unit]
Description=OpenClaw Gateway
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
ExecStart=/usr/bin/env openclaw gateway
Restart=always
RestartSec=5
User=root
WorkingDirectory=/root/.openclaw
Environment=HOME=/root
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload && systemctl enable openclaw-gateway
Verify
ufw status # active, SSH allowed
systemctl is-active fail2ban # active
grep PasswordAuthentication /etc/ssh/sshd_config # no
stat -c %a ~/.openclaw/credentials # 700
systemctl is-enabled openclaw-gateway # enabled
Lessons
- On Ubuntu, SSH service is
sshnotsshd - AWS security groups provide network-level filtering but UFW is defense-in-depth
- Always verify key-based SSH access before disabling password auth
- The gateway service is optional — only needed if OpenClaw should survive reboots
Host Hardening v1.0 Author: ppiankov Copyright © 2026 ppiankov Canonical source: https://clawhub.com/skills/host-hardening License: MIT
This tool follows the Agent-Native CLI Convention. Validate with: clawhub install ancc && ancc validate .
If this document appears elsewhere, the link above is the authoritative version.
安全使用建议
This SKILL.md is coherent for hardening but it operates with root privileges and suggests enabling a persistent root-run service. Before applying: (1) Confirm you have working SSH key access so you don't lock yourself out, and test in a staging instance first. (2) Manually review the systemd service file (the skill creates /etc/systemd/system/openclaw-gateway.service) and verify the openclaw binary path and contents; prefer running the service as a dedicated non-root user if possible. (3) Do not enable the service unless /usr/bin/env openclaw gateway exists and is trusted. (4) When enabling UFW on a remote host, ensure rules include your admin access (or you risk losing connectivity). (5) Keep backups of config files changed (sshd_config, UFW rules, fail2ban jails) so you can revert. (6) Note the package install step uses apt-get — adjust for non-Debian distributions. Finally, the skill source/homepage is unknown; if you need stronger assurance, request the canonical source or a packaged/reviewed implementation before automating these changes.
功能分析
Type: OpenClaw Skill
Name: host-hardening
Version: 1.0.5
The skill bundle provides standard Linux server hardening procedures, including SSH configuration, firewall setup via UFW, and brute-force protection with fail2ban. It includes explicit safety warnings in SKILL.md for the AI agent to seek user confirmation before executing high-impact commands. No indicators of data exfiltration, obfuscation, or malicious intent were found.
能力评估
Purpose & Capability
The name/description (host hardening for OpenClaw) matches the actions in SKILL.md: SSH key-only auth, UFW rules, fail2ban installation, credential permission tightening, and an optional OpenClaw gateway service. Nothing requested is unrelated to host hardening.
Instruction Scope
Instructions explicitly modify system-wide config (sshd_config, UFW, install packages, chmod credential file) which is expected for hardening. The document warns to confirm before running commands. However it also instructs creating/enabling a systemd service that runs as root without checking whether the referenced 'openclaw' binary exists or is trusted — this increases risk and should be reviewed line-by-line before enabling.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is downloaded or written by an install step. That lowers installer-side risk.
Credentials
The skill requests no environment variables or external credentials. It does touch ~/.openclaw/credentials (chmod 700), which is directly relevant to the stated purpose. No unrelated secrets or services are requested.
Persistence & Privilege
While the skill itself is not always-enabled, it recommends creating and enabling a persistent systemd service that runs as root and restarts automatically. Enabling such a service grants long-term execution privilege; verify the service binary, consider running it under a less-privileged user, and only enable after confirming the binary and behavior.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install host-hardening - 安装完成后,直接呼叫该 Skill 的名称或使用
/host-hardening触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.5
Add ANCC breadcrumb
v1.0.4
Branded footer with canonical authority notice
v1.0.3
Add copyright footer with canonical source
v1.0.2
Add MIT license
v1.0.1
SSH key-only auth, UFW firewall, fail2ban, credential perms, gateway systemd service
v1.0.0
SSH key-only auth, UFW firewall, fail2ban, credential perms, gateway systemd service
元数据
常见问题
Host Hardening 是什么?
Harden an OpenClaw Linux server with SSH key-only auth, UFW firewall, fail2ban brute-force protection, and credential permissions. Use when setting up a new... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 767 次。
如何安装 Host Hardening?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install host-hardening」即可一键安装,无需额外配置。
Host Hardening 是免费的吗?
是的,Host Hardening 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Host Hardening 支持哪些平台?
Host Hardening 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Host Hardening?
由 ppiankov(@ppiankov)开发并维护,当前版本 v1.0.5。
推荐 Skills