Total downloads: 496
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install server-host-hardening
Description
Harden an OpenClaw Linux server with SSH key-only auth, UFW firewall, fail2ban brute-force protection, and credential permissions. Use when setting up a new...
Security usage recommendations
This is an instruction-only hardening recipe that will make system-wide, privileged changes if you run it. Before running anything:
1) Confirm the target is Debian/Ubuntu with systemd (the guide uses apt-get and systemctl) — do not run on unsupported OSes.
2) Backup /etc/ssh/sshd_config (and other configs) before editing.
3) Verify you can log in with SSH keys from another session before disabling password auth.
4) Be careful enabling UFW remotely — add necessary allow rules (SSH and any service ports) first to avoid locking yourself out.
5) Prefer chmod 600 for credential files rather than 700; ensure you understand which user owns ~/.openclaw (root vs your non-root user).
6) Review the systemd unit: running the gateway as root and Restart=always gives persistent privileged execution — consider running as a dedicated, non-root user and confirm the openclaw binary path exists.
7) Test these steps in a staging VM first.
If you want, I can produce a safer, annotated version of these commands (with backups, checks, non-root service example, and recommended permission fixes).
Functional analysis
Type: OpenClaw Skill
Name: server-host-hardening
Version: 1.0.0
The skill performs legitimate host hardening steps like configuring SSH, UFW, and Fail2ban. However, it configures the `openclaw-gateway.service` to run as `User=root` in `SKILL.md`. While this might be intended for OpenClaw's operation, running a long-lived service with root privileges significantly increases the attack surface and potential impact if the gateway process itself is ever compromised, making it a high-risk configuration.
Capability assessment
Purpose & Capability
The name/description and the commands (SSH hardening, UFW, fail2ban, credential perms) are generally aligned. However the instructions assume Debian/Ubuntu (apt-get) and systemd without declaring that requirement; the skill metadata gives no OS restriction. The inclusion of an OpenClaw gateway systemd unit is consistent with the 'OpenClaw' context but expands scope from 'hardening' to 'service-installation'.
Instruction Scope
Commands perform system-wide, privileged operations: edit /etc/ssh/sshd_config, enable UFW, install packages, and create/enable a root systemd service. These are within 'hardening' but the instructions omit safety checks (no backup of sshd_config, no verification that the openclaw binary exists, no explicit advice to allow additional ports before enabling UFW). The credential permission change uses chmod 700 on a credentials file (700 gives execute permission and is unusual for secret files; 600 is normally appropriate). Creating a root-run, always-restarting openclaw-gateway service grants persistent privileged behavior that should be explicitly justified and reviewed.
Install Mechanism
This is an instruction-only skill with no installers or downloads. Nothing is written by the skill package itself; all changes are via system commands the user/agent would run. That minimizes supply-chain risk from the skill bundle itself.
Credentials
The skill declares no environment variables or credentials, which is consistent with being instruction-only. It does reference a local credential path (~/.openclaw/credentials) and creates a service using /root/.openclaw — that is reasonable for securing local credentials but the instructions do not clarify which user should run them (root vs non-root) and assume root-owned paths exist. The permission recommendation (700) is not the usual least-privilege choice for secret files.
Persistence & Privilege
The SKILL.md instructs creating and enabling a systemd service that runs as root and restarts always. That makes a persistent, privileged agent on the host; while enabling a gateway may be legitimate, it materially increases the long-term impact of following these instructions. The skill metadata does not require elevated privileges or warn that the commands require root.
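How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install server-host-hardening
- Once installation completes, invoke the Skill directly by name or use /server-host-hardening to trigger it
- Provide the required inputs according to the Skill's parameter description to get structured output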
Version history
v1.0.0
SSH key-only auth, UFW firewall, fail2ban, credential perms, gateway systemd service
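FAQ
What is Host Hardening?
Harden an OpenClaw Linux server with SSH key-only auth, UFW firewall, fail2ban brute-force protection, and credential permissions. Use when setting up a new... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 496 cumulative downloads to date.
How do I install Host Hardening?
Run the command "/install server-host-hardening" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.
Is Host Hardening free?
Yes, Host Hardening is completely free (open source and free) and can be freely downloaded, installed, and used.
Which platforms does Host Hardening support?
Host Hardening runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).
Who developed Host Hardening?
Developed and maintained by ppiankov (@ppiankov); the current version is v1.0.0.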