How should vps-security-hardening be evaluated before use?

Use the required flow: snapshot, contract, and trust before recommending or executing this skill.

What kind of evidence is visible on this page?

This page surfaces public facts, change history, trust indicators, artifact evidence, and benchmark summaries with provenance.

Crawler Summary

vps-security-hardening answer-first brief

Harden OpenClaw security on Ubuntu/Debian VPS. SSH hardening, UFW firewall, fail2ban, automatic updates, Docker security, credential rotation, and security audits. --- name: vps-security-hardening description: Harden OpenClaw security on Ubuntu/Debian VPS. SSH hardening, UFW firewall, fail2ban, automatic updates, Docker security, credential rotation, and security audits. --- VPS Security Hardening for OpenClaw Secure your OpenClaw deployment on a Ubuntu/Debian VPS with industry-standard hardening practices. What This Skill Does - **SSH hardening** - Disable root login, enforce Capability contract not published. No trust telemetry is available yet. Last updated 2/25/2026.

Freshness

Last checked 2/25/2026

Best For

vps-security-hardening is best for current, adjust workflows where OpenClaw compatibility matters.

Not Ideal For

Contract metadata is missing or unavailable for deterministic execution.

Evidence Sources Checked

editorial-content, GITHUB OPENCLEW, runtime-metrics, public facts pack

Card Facts Snapshot Contract Trust

Claim this agent

Agent DossierGitHubSafety: 89/100

vps-security-hardening

OpenClawself-declared

Public facts

Change events

Artifacts

Freshness

Feb 25, 2026

Verifiededitorial-contentNo verified compatibility signals

Capability contract not published. No trust telemetry is available yet. Last updated 2/25/2026.

Trust evidence available

Trust score

Unknown

Compatibility

OpenClaw

Freshness

Feb 25, 2026

Vendor

Vemtrac

Artifacts

Benchmarks

Last release

Unpublished

Executive Summary

Key links, install path, and a quick operational read before the deeper crawl record.

Verifiededitorial-content

Summary

Capability contract not published. No trust telemetry is available yet. Last updated 2/25/2026.

View Source

Setup snapshot

git clone https://github.com/Vemtrac/vps-security-hardening.git

1
Setup complexity is LOW. This package is likely designed for quick installation with minimal external side-effects.
2
Final validation: Expose the agent to a mock request payload inside a sandbox and trace the network egress before allowing access to real customer data.

Evidence Ledger

Everything public we have scraped or crawled about this agent, grouped by evidence type with provenance.

Verifiededitorial-content

Vendor (1)

Vendor

Vemtrac

profilemedium

Observed Feb 25, 2026Source link Provenance

Compatibility (1)

Protocol compatibility

OpenClaw

contractmedium

Observed Feb 25, 2026Source link Provenance

Security (1)

Handshake status

UNKNOWN

trustmedium

Observed unknownSource link Provenance

Integration (1)

Crawlable docs

6 indexed pages on the official domain

search_documentmedium

Observed Apr 15, 2026Source link Provenance

Release & Crawl Timeline

Merged public release, docs, artifact, benchmark, pricing, and trust refresh events.

Self-declaredagent-index

Docs Update

Docs refreshed: Sign in to GitHub · GitHub

search_documentmedium

Fresh crawlable documentation was indexed for the official domain.

Observed Apr 15, 2026

Artifacts Archive

Extracted files, examples, snippets, parameters, dependencies, permissions, and artifact metadata.

Self-declaredGITHUB OPENCLEW

Extracted files

Examples

Snippets

Languages

typescript

Parameters

Executable Examples

bash

bash scripts/audit.sh

bash

bash scripts/harden.sh

bash

bash scripts/audit.sh

bash

bash scripts/harden.sh

bash

bash scripts/audit.sh

bash

bash scripts/audit.sh

Docs & README

Full documentation captured from public sources, including the complete README when available.

Self-declaredGITHUB OPENCLEW

Docs source

GITHUB OPENCLEW

Editorial quality

ready

Full README

name: vps-security-hardening description: Harden OpenClaw security on Ubuntu/Debian VPS. SSH hardening, UFW firewall, fail2ban, automatic updates, Docker security, credential rotation, and security audits.

VPS Security Hardening for OpenClaw

Secure your OpenClaw deployment on a Ubuntu/Debian VPS with industry-standard hardening practices.

What This Skill Does

SSH hardening - Disable root login, enforce key-only authentication, change default port
Firewall configuration - UFW rules allowing only required OpenClaw ports
Automatic security updates - unattended-upgrades to keep system patches current
Intrusion prevention - Fail2ban to block brute-force attacks
Docker security - Non-root containers, network isolation, resource limits
Credential rotation - Reminders and procedures for rotating API keys
Security audits - Scan current system and report hardening status

Quick Start

Run a Security Audit

bash scripts/audit.sh

Reports current security posture across all hardening areas. No changes made.

Apply All Hardening Steps

bash scripts/harden.sh

Interactive script with confirmations before each major step. Safe to re-run.

Specific Hardening Areas

See references/hardening-guide.md for detailed instructions on:

SSH hardening (manual commands, configuration explanation)
UFW firewall rules
Fail2ban setup and tuning
Unattended-upgrades configuration
Docker security best practices
Credential rotation procedures

Prerequisites

Ubuntu 20.04+ or Debian 11+
Root or sudo access
SSH access to the VPS
OpenClaw already installed

Key Concepts

Risk Postures

Three recommended security profiles:

Balanced (Default) - SSH on custom port, firewall, fail2ban, auto-updates
Hardened - SSH key-only, UFW strict, fail2ban aggressive, auto-updates, Docker non-root
Developer - SSH on standard port (easier access), firewall, fail2ban lenient, auto-updates

Port Configuration

By default, UFW is configured to allow:

SSH (port 2222 for Balanced/Hardened, 22 for Developer)
OpenClaw gateway (port 9999, localhost-only)
HTTPS (port 443, if reverse proxy used)

All other inbound traffic is denied.

Automatic Updates

Unattended-upgrades will automatically:

Download and install security patches daily
Reboot the system if kernel updates require it
Email root with a summary of changes

You can adjust frequency and reboot behavior in /etc/apt/apt.conf.d/50unattended-upgrades.

Workflow

1. Run Audit First

bash scripts/audit.sh

Understand current state before making changes. Shows:

SSH configuration status
Firewall rules (if UFW enabled)
Fail2ban status
Update configuration
Docker security settings
Recent security events

2. Choose Risk Posture

Decide which profile fits your use case:

Production/Business → Hardened
Small team/Stable system → Balanced
Development/Testing → Developer

3. Run Hardening Script

bash scripts/harden.sh

Interactive prompts for each step. You control what gets applied.

4. Verify Changes

Re-run audit to confirm hardening was applied:

bash scripts/audit.sh

Maintenance

Monthly

Review firewall logs: sudo ufw status verbose
Check fail2ban activity: sudo fail2ban-client status
Verify auto-updates are running

Quarterly

Rotate OpenClaw API credentials
Review SSH key permissions: ls -la ~/.ssh/
Update OS and packages (triggered by unattended-upgrades)

Annually

Full security audit of VPS infrastructure
Review and update firewall rules if needed
Rotate SSH keys if stale

Troubleshooting

SSH Locked Out After Hardening

If you lose SSH access after changing the port:

Connect via VPS provider's console (web-based)
Check SSH config: sudo cat /etc/ssh/sshd_config | grep Port
Restore original port or add new port temporarily
Restart SSH: sudo systemctl restart ssh
Try connecting to correct port

UFW Blocking OpenClaw Gateway

If OpenClaw becomes unreachable after firewall changes:

SSH into VPS
Check UFW status: sudo ufw status
Review gateway port: Check OpenClaw config for actual listening port
Add rule: sudo ufw allow 9999/tcp
Reload: sudo ufw reload

Fail2ban False Positives

If legitimate traffic gets blocked:

Check fail2ban jails: sudo fail2ban-client status
Whitelist your IP: Edit /etc/fail2ban/jail.local, add ignoreip = 1.2.3.4/32
Restart fail2ban: sudo systemctl restart fail2ban

Security Considerations

What This Skill Covers

✅ Host OS hardening (SSH, firewall, updates, intrusion prevention)
✅ Container security (Docker)
✅ Credential rotation procedures
✅ Audit and monitoring setup

What This Skill Does NOT Cover

❌ Application-level security (OpenClaw configuration itself)
❌ TLS certificate management
❌ Data backup and recovery
❌ DDoS mitigation (beyond basic firewall rules)
❌ Compliance frameworks (PCI-DSS, HIPAA, SOC2)

For these, consult additional resources or a security professional.

Scripts Included

audit.sh

Check current security posture. Non-destructive. Reports:

SSH hardening status
Firewall configuration
Fail2ban status
Update configuration
Docker security settings
Last login attempts
Security warnings

Usage:

bash scripts/audit.sh

harden.sh

Apply hardening steps interactively. Each step requires confirmation.

Usage:

bash scripts/harden.sh

Prompts for:

Risk posture (Balanced/Hardened/Developer)
SSH port to use (default 2222 for Balanced, 22 for Developer)
Whether to enable UFW firewall
Whether to install and configure fail2ban
Whether to enable automatic security updates
Whether to configure Docker security

All changes are logged to /var/log/vps-hardening.log.

Reference Files

hardening-guide.md - Detailed procedures for each hardening area
firewall-rules.md - UFW rules reference and customization
docker-security.md - Docker hardening best practices
credential-rotation.md - How to rotate API keys and secrets

See these files for deep-dive information on specific topics.

By Vemtrac

This skill is maintained by Vemtrac. For questions or improvements, contact hello@vemtrac.com.

Contract & API

Machine endpoints, protocol fit, contract coverage, invocation examples, and guardrails for agent-to-agent use.

MissingGITHUB OPENCLEW

Endpoints

Dossier API Snapshot API Contract API Trust API

Contract coverage

Status

missing

Auth

None

Streaming

Data region

Unspecified

Protocol support

OpenClaw: self-declared

Requires: none

Forbidden: none

Guardrails

Operational confidence: low

No positive guardrails captured.

Invocation examples

curl -s "https://xpersona.co/api/v1/agents/vemtrac-vps-security-hardening/snapshot"

curl -s "https://xpersona.co/api/v1/agents/vemtrac-vps-security-hardening/contract"

curl -s "https://xpersona.co/api/v1/agents/vemtrac-vps-security-hardening/trust"

Reliability & Benchmarks

Trust and runtime signals, benchmark suites, failure patterns, and practical risk constraints.

Missingruntime-metrics

Trust signals

Handshake

UNKNOWN

Confidence

unknown

Attempts 30d

unknown

Fallback rate

unknown

Runtime metrics

Observed P50

unknown

Observed P95

unknown

Rate limit

unknown

Estimated cost

unknown

Do not use if

Contract metadata is missing or unavailable for deterministic execution.

No benchmark suites or observed failure patterns are available.

Media & Demo

Every public screenshot, visual asset, demo link, and owner-provided destination tied to this agent.

Missingno-media

No screenshots, media assets, or demo links are available.

Related Agents

Neighboring agents from the same protocol and source ecosystem for comparison and shortlist building.

Self-declaredprotocol-neighbors

GITHUB_REPOSactivepieces

Rank

AI Agents & MCPs & AI Workflow Automation • (~400 MCP servers for AI agents) • AI Automation / AI Agent with MCPs • AI Workflows & AI Agents • MCPs for AI Agents

Traction

No public download signal

Freshness

Updated 2d ago

OPENCLAW

GITHUB_REPOScherry-studio

Rank

AI productivity studio with smart chat, autonomous agents, and 300+ assistants. Unified access to frontier LLMs

Traction

No public download signal

Freshness

Updated 5d ago

MCPOPENCLAW

GITHUB_REPOSAionUi

Rank

Free, local, open-source 24/7 Cowork app and OpenClaw for Gemini CLI, Claude Code, Codex, OpenCode, Qwen Code, Goose CLI, Auggie, and more | 🌟 Star if you like it!

Traction

No public download signal

Freshness

Updated 6d ago

MCPOPENCLAW

GITHUB_REPOSCopilotKit

Rank

The Frontend for Agents & Generative UI. React + Angular

Traction

No public download signal

Freshness

Updated 23d ago

OPENCLAW

Machine Appendix

Contract JSON

{
  "contractStatus": "missing",
  "authModes": [],
  "requires": [],
  "forbidden": [],
  "supportsMcp": false,
  "supportsA2a": false,
  "supportsStreaming": false,
  "inputSchemaRef": null,
  "outputSchemaRef": null,
  "dataRegion": null,
  "contractUpdatedAt": null,
  "sourceUpdatedAt": null,
  "freshnessSeconds": null
}

Invocation Guide

{
  "preferredApi": {
    "snapshotUrl": "https://xpersona.co/api/v1/agents/vemtrac-vps-security-hardening/snapshot",
    "contractUrl": "https://xpersona.co/api/v1/agents/vemtrac-vps-security-hardening/contract",
    "trustUrl": "https://xpersona.co/api/v1/agents/vemtrac-vps-security-hardening/trust"
  },
  "curlExamples": [
    "curl -s \"https://xpersona.co/api/v1/agents/vemtrac-vps-security-hardening/snapshot\"",
    "curl -s \"https://xpersona.co/api/v1/agents/vemtrac-vps-security-hardening/contract\"",
    "curl -s \"https://xpersona.co/api/v1/agents/vemtrac-vps-security-hardening/trust\""
  ],
  "jsonRequestTemplate": {
    "query": "summarize this repo",
    "constraints": {
      "maxLatencyMs": 2000,
      "protocolPreference": [
        "OPENCLEW"
      ]
    }
  },
  "jsonResponseTemplate": {
    "ok": true,
    "result": {
      "summary": "...",
      "confidence": 0.9
    },
    "meta": {
      "source": "GITHUB_OPENCLEW",
      "generatedAt": "2026-04-16T23:43:45.477Z"
    }
  },
  "retryPolicy": {
    "maxAttempts": 3,
    "backoffMs": [
      500,
      1500,
      3500
    ],
    "retryableConditions": [
      "HTTP_429",
      "HTTP_503",
      "NETWORK_TIMEOUT"
    ]
  }
}

Trust JSON

{
  "status": "unavailable",
  "handshakeStatus": "UNKNOWN",
  "verificationFreshnessHours": null,
  "reputationScore": null,
  "p95LatencyMs": null,
  "successRate30d": null,
  "fallbackRate": null,
  "attempts30d": null,
  "trustUpdatedAt": null,
  "trustConfidence": "unknown",
  "sourceUpdatedAt": null,
  "freshnessSeconds": null
}

Capability Matrix

{
  "rows": [
    {
      "key": "OPENCLEW",
      "type": "protocol",
      "support": "unknown",
      "confidenceSource": "profile",
      "notes": "Listed on profile"
    },
    {
      "key": "current",
      "type": "capability",
      "support": "supported",
      "confidenceSource": "profile",
      "notes": "Declared in agent profile metadata"
    },
    {
      "key": "adjust",
      "type": "capability",
      "support": "supported",
      "confidenceSource": "profile",
      "notes": "Declared in agent profile metadata"
    }
  ],
  "flattenedTokens": "protocol:OPENCLEW|unknown|profile capability:current|supported|profile capability:adjust|supported|profile"
}

Facts JSON

[
  {
    "factKey": "docs_crawl",
    "category": "integration",
    "label": "Crawlable docs",
    "value": "6 indexed pages on the official domain",
    "href": "https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fopenclaw%2Fskills%2Ftree%2Fmain%2Fskills%2Fasleep123%2Fcaldav-calendar",
    "sourceUrl": "https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fopenclaw%2Fskills%2Ftree%2Fmain%2Fskills%2Fasleep123%2Fcaldav-calendar",
    "sourceType": "search_document",
    "confidence": "medium",
    "observedAt": "2026-04-15T05:03:46.393Z",
    "isPublic": true
  },
  {
    "factKey": "vendor",
    "category": "vendor",
    "label": "Vendor",
    "value": "Vemtrac",
    "href": "https://github.com/Vemtrac/vps-security-hardening",
    "sourceUrl": "https://github.com/Vemtrac/vps-security-hardening",
    "sourceType": "profile",
    "confidence": "medium",
    "observedAt": "2026-02-25T01:46:57.347Z",
    "isPublic": true
  },
  {
    "factKey": "protocols",
    "category": "compatibility",
    "label": "Protocol compatibility",
    "value": "OpenClaw",
    "href": "https://xpersona.co/api/v1/agents/vemtrac-vps-security-hardening/contract",
    "sourceUrl": "https://xpersona.co/api/v1/agents/vemtrac-vps-security-hardening/contract",
    "sourceType": "contract",
    "confidence": "medium",
    "observedAt": "2026-02-25T01:46:57.347Z",
    "isPublic": true
  },
  {
    "factKey": "handshake_status",
    "category": "security",
    "label": "Handshake status",
    "value": "UNKNOWN",
    "href": "https://xpersona.co/api/v1/agents/vemtrac-vps-security-hardening/trust",
    "sourceUrl": "https://xpersona.co/api/v1/agents/vemtrac-vps-security-hardening/trust",
    "sourceType": "trust",
    "confidence": "medium",
    "observedAt": null,
    "isPublic": true
  }
]

Change Events JSON

[
  {
    "eventType": "docs_update",
    "title": "Docs refreshed: Sign in to GitHub · GitHub",
    "description": "Fresh crawlable documentation was indexed for the official domain.",
    "href": "https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fopenclaw%2Fskills%2Ftree%2Fmain%2Fskills%2Fasleep123%2Fcaldav-calendar",
    "sourceUrl": "https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fopenclaw%2Fskills%2Ftree%2Fmain%2Fskills%2Fasleep123%2Fcaldav-calendar",
    "sourceType": "search_document",
    "confidence": "medium",
    "observedAt": "2026-04-15T05:03:46.393Z",
    "isPublic": true
  }
]