
How I Secured My OpenClaw Server (And Why You Should Too)

A step-by-step guide to locking down your OpenClaw AI assistant — firewall the gateway, rotate tokens, and patch the critical CVE-2026-25253 vulnerability.


What is OpenClaw?

OpenClaw is an open-source AI assistant that runs on your own server. It connects to your messaging apps (Telegram, WhatsApp, Slack, etc.) and uses AI models like Claude to handle tasks on your behalf — reading emails, managing files, answering messages, and even building websites.

Think of it like having a personal AI employee that lives on a computer you control.

The Problem: Your AI Assistant is Wide Open

When you first set up OpenClaw on a cloud server (like Hetzner, DigitalOcean, or AWS), it typically runs with default settings. This means:

  • The gateway port (18789) is open to the entire internet — anyone who finds your server’s IP address can try to connect to your OpenClaw instance
  • Your config file contains plaintext secrets — API keys, bot tokens, and authentication tokens sit in a readable file on the server
  • A critical vulnerability (CVE-2026-25253) allowed attackers to steal your gateway token and execute commands on your server just by getting you to visit a malicious webpage

Over 135,000 OpenClaw instances were found exposed on the internet, with 15,200+ vulnerable to remote code execution. If you’re running OpenClaw, there’s a good chance yours is one of them.

The Architecture: How OpenClaw Works

Here’s a simple picture of how everything fits together:

┌─────────────────────────────────────────────────────┐
│                  YOUR CLOUD SERVER                   │
│                  (e.g. Hetzner)                      │
│                                                      │
│   ┌──────────────────────────────────────────────┐   │
│   │           OpenClaw Gateway                    │   │
│   │           (Port 18789)                        │   │
│   │                                               │   │
│   │   ┌─────────┐  ┌──────────┐  ┌───────────┐   │   │
│   │   │ Telegram │  │ WhatsApp │  │  Webhook  │   │   │
│   │   │ Channel  │  │ Channel  │  │  Proxy    │   │   │
│   │   └─────────┘  └──────────┘  └───────────┘   │   │
│   │                                               │   │
│   │   ┌─────────────────────────────────────┐     │   │
│   │   │          AI Agent                    │     │   │
│   │   │  (Talks to Claude/OpenAI via API)    │     │   │
│   │   └─────────────────────────────────────┘     │   │
│   └──────────────────────────────────────────────┘   │
│                                                      │
│   Config: ~/.openclaw/config.json5                   │
│   Data:   ~/.openclaw/openclaw.json                  │
│   Memory: ~/.openclaw/memory/                        │
│                                                      │
└──────────────────────────────────────────────────────┘

         │ Port 18789 (Gateway - WebSocket)
         │ Port 22 (SSH - for you to manage the server)
         │ Port 80/443 (HTTP/HTTPS - if you host websites)

    ┌────▼─────┐
    │ Internet │  ← Anyone can reach open ports
    └──────────┘

The risk: If port 18789 is open to the internet, anyone can try to connect to your gateway. With the right token (or the CVE-2026-25253 exploit), they get full control — they can read your messages, execute commands, access your API keys, and more.

The fix: Put a firewall in front of your server that only allows the ports you actually need to be public.

    ┌──────────────────────┐
    │   Hetzner Firewall   │
    │                      │
    │  ✅ Port 22  (SSH)   │
    │  ✅ Port 80  (HTTP)  │
    │  ✅ Port 443 (HTTPS) │
    │  ❌ Port 18789       │ ← BLOCKED
    │  ❌ Everything else  │ ← BLOCKED
    └──────────┬───────────┘

    ┌──────────▼───────────┐
    │    Your Server        │
    └──────────────────────┘

Step-by-Step Guide

Step 1: Check Your OpenClaw Version

SSH into your server:

ssh root@YOUR_SERVER_IP

Find where OpenClaw is installed and check the version. It might be a systemd service:

systemctl list-units --type=service | grep -i claw

If it shows openclaw.service, check how it runs:

systemctl cat openclaw.service

Look for the WorkingDirectory — that’s where OpenClaw lives. Go there and check the version:

cat /root/openclaw/package.json | grep version

You need version 2026.1.29 or later. If you’re on an older version, update immediately:

cd /root/openclaw
pnpm update
systemctl restart openclaw.service

Step 2: Rotate Your Gateway Token

Your gateway token is what authenticates connections to your OpenClaw instance. If it was ever exposed (through the CVE or otherwise), you need a new one.

Find your current token:

grep -i token ~/.openclaw/openclaw.json

Generate a new random token:

openssl rand -hex 16

This gives you something like e6cbb1311015daebbf565248211bea7d. Now replace the old token in the config file:

sed -i 's/OLD_TOKEN_HERE/NEW_TOKEN_HERE/' ~/.openclaw/openclaw.json

Restart the service:

systemctl restart openclaw.service

Verify it’s running:

systemctl status openclaw.service

You should see active (running).
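
The find, generate and replace commands from this step combined into one function that fails closed. This is an added example, not part of OpenClaw or the original guide; `rotate_gateway_token` is a hypothetical helper name, and the checks around the `sed` call are assumptions about what you want verified before the file is swapped.

```bash
#!/usr/bin/env bash
# Added example (not OpenClaw code): Step 2 as one fail-closed function.
# rotate_gateway_token is a hypothetical helper name.
# Usage: rotate_gateway_token ~/.openclaw/openclaw.json OLD_TOKEN

rotate_gateway_token() {
    local file="$1" old="$2" new tmp
    # Accept only characters that are inert in a sed expression.
    case "$old" in
        ''|*[!A-Za-z0-9_-]*)
            echo "refusing: unexpected characters in old token" >&2; return 2 ;;
    esac
    # -F matches literally; stop if the old token is not in the file.
    grep -qF -- "$old" "$file" || { echo "old token not in $file" >&2; return 3; }

    # 128-bit random token, same command as Step 2 (od fallback if no openssl).
    new=$(openssl rand -hex 16 2>/dev/null) ||
        new=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    [ "${#new}" -eq 32 ] || { echo "token generation failed" >&2; return 4; }

    # Keep a private backup, then build the new file next to the original.
    cp -- "$file" "$file.bak" && chmod 600 "$file.bak" || return 5
    tmp=$(mktemp "$file.XXXXXX") || return 5        # created with mode 600
    sed "s/$old/$new/g" "$file" > "$tmp" || { rm -f "$tmp"; return 5; }

    # Verify before swapping: old token gone everywhere, new token present.
    if grep -qF -- "$old" "$tmp" || ! grep -qF -- "$new" "$tmp"; then
        rm -f "$tmp"; echo "verification failed, $file unchanged" >&2; return 6
    fi
    mv -- "$tmp" "$file" || return 5
    printf '%s\n' "$new"
}
```

Restart the service afterwards as shown above, and delete the `.bak` file once the gateway is confirmed running.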

Step 3: Check Your Config for Exposed Secrets

Look at your config file:

cat ~/.openclaw/config.json5

This file contains your API keys and bot tokens in plain text. While we can’t easily encrypt them (OpenClaw needs to read them), we need to make sure they haven’t been leaked. If your server was ever compromised, rotate all of these:

  • Anthropic/OpenAI API keys — Regenerate from their respective dashboards
  • Telegram bot tokens — Message @BotFather on Telegram and use /revoke
  • Any other service credentials

Also check your .env file if you have one:

cat /root/openclaw/.env
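
A check for Steps 1 and 3, as an added example that is not part of the original guide or of OpenClaw: it compares the installed version against 2026.1.29 and lists secret files that other local accounts can read. The function names and the `package.json` layout are assumptions; the paths are the ones used in this guide.

```bash
#!/usr/bin/env bash
# Added example (not OpenClaw code): audit for Steps 1 and 3.
# Function names and the package.json "version" layout are assumptions.

MIN_VERSION="2026.1.29"   # first patched release named in this guide

# Succeeds when version $1 >= $2. sort -V compares each field numerically,
# so 2026.1.3 sorts below 2026.1.29 (a plain string compare gets this wrong).
version_at_least() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n1)" = "$2" ]
}

# Prints the "version" value from a package.json file.
package_version() {
    sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" \
        2>/dev/null | head -n1
}

# Prints each existing path that group or other can access in any way;
# returns 1 if there is at least one. Missing files (no .env) are skipped.
loose_secret_files() {
    local f found=0
    for f in "$@"; do
        [ -e "$f" ] || continue
        if [ -n "$(find "$f" -maxdepth 0 -perm /077)" ]; then
            echo "$f"; found=1
        fi
    done
    return "$found"
}

# $1 = install directory, $2 = state directory. Returns 0 only if both pass.
audit_openclaw() {
    local v loose rc=0
    v=$(package_version "$1/package.json")
    if version_at_least "${v:-0}" "$MIN_VERSION"; then
        echo "version $v: patched"
    else
        echo "version ${v:-unknown}: update required"; rc=1
    fi
    loose=$(loose_secret_files "$2/config.json5" "$2/openclaw.json" "$1/.env") || rc=1
    [ -z "$loose" ] || echo "$loose" | sed 's/^/fix with chmod 600: /'
    return "$rc"
}
# On the server: audit_openclaw /root/openclaw "$HOME/.openclaw"
```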

Step 4: Set Up the Hetzner Firewall

This is the most important step. Go to console.hetzner.cloud.

  1. Click Firewalls in the left sidebar
  2. Click Create Firewall
  3. Add these inbound rules:

     Name    Protocol   Port   Source
     SSH     TCP        22     Any IPv4, Any IPv6
     HTTP    TCP        80     Any IPv4, Any IPv6
     HTTPS   TCP        443    Any IPv4, Any IPv6

  4. Do NOT add a rule for port 18789. Any port without a rule is automatically blocked.
  5. At the bottom of the page, select your server
  6. Click Create Firewall

That’s it. Your OpenClaw gateway is now invisible to the internet.

Can you lock yourself out? No. Even if you accidentally block port 22 (SSH), you can always:

  • Edit or delete the firewall from the Hetzner web console
  • Use the browser-based Console on your server’s page in Hetzner (this bypasses SSH entirely)

Step 5: Verify the Firewall Works

From your local machine (not the server), test that the gateway port is blocked:

nc -zv -w 5 YOUR_SERVER_IP 18789

This should time out or refuse the connection. Then verify SSH still works:

ssh root@YOUR_SERVER_IP

This should connect normally.

What You’ve Achieved

Before these changes:

  • Your OpenClaw gateway was accessible to anyone on the internet
  • Your authentication token could have been stolen via a known exploit
  • Your API keys were potentially at risk

After these changes:

  • The gateway port is blocked at the network level, before traffic even reaches your server
  • Your gateway token has been rotated, invalidating any previously stolen tokens
  • You’re running a patched version that fixes the WebSocket hijacking vulnerability

Optional: Further Hardening

If you want to go further:

  • Restrict SSH to your IP — Edit the Hetzner firewall SSH rule to only allow your specific IP address instead of “Any”
  • Set up fail2ban — Automatically bans IPs that fail too many SSH login attempts: apt install fail2ban
  • Use SSH keys only — Disable password authentication in /etc/ssh/sshd_config by setting PasswordAuthentication no
  • Keep your system updated — The server showed “System restart required” and pending security updates. Run apt update && apt upgrade regularly
  • Monitor access logs — Check journalctl -u openclaw.service periodically for unusual activity

Summary

Securing an OpenClaw instance takes about 10 minutes and doesn’t require deep technical knowledge. The three critical actions are:

  1. Update to a patched version (v2026.1.29+)
  2. Rotate your gateway token
  3. Firewall the gateway port from the public internet

If you’ve done these three things, you’ve eliminated the most dangerous attack vectors. Everything else is extra hardening on top of a solid foundation.
