“I want to install OpenClaw and set up my personal AI assistant.”
It starts with a simple desire. You’ve seen the GitHub stars—100,000 and counting. You’ve seen the viral tweets about OpenClaw (formerly known as Clawdbot, formerly known as Moltbot) automating entire workflows, booking flights, and arguing with other bots on Moltbook. You want in.
Your first instinct is to buy hardware. “Oh, I was just going to buy a Mac Mini,” you say. It feels safe. It sits on your desk. You can unplug it.
Stop.
Buying a dedicated Mac Mini for a headless AI agent is the consumer trap. It is hardware bloat for software agility. “No, you need to use a fresh Linux VPS. It’s like what everybody does,” the expert whispers. But this advice comes with a hidden caveat: The moment you spin up a cloud server, you are not just an admin; you are a target.
This guide is not a “quick start.” This is a survival manual. We are going to take a raw, vulnerable Linux VPS and sculpt it into a cryptographic fortress before we even think about installing the npm packages. We are going to install OpenClaw, but we are going to do it the way high-security infrastructure engineers do it.
The Birth of the Target (VPS Provisioning)
“Let’s start by spinning up a server… just a one vCPU, 4 GB RAM, 100GB drive.”
This is the standard “AI Agent” footprint. OpenClaw is efficient, but Node.js is memory-hungry, and if you plan to run local embeddings or heavy context retention, 4GB RAM is the floor, not the ceiling.
When you click “Create Droplet” or “Deploy Instance” on DigitalOcean, Hetzner, or AWS, you are assigned a Public IP.
“Then you’ll get a public IP and root SSH access. Then immediately we’re under attack. I haven’t even logged in yet.”
This is not hyperbole. Botnets scan the entire IPv4 address space continuously. The moment your IP goes live, port 22 (SSH) lights up on scanners in Russia, China, and North Korea. They are brute-forcing root passwords before your confirmation email hits your inbox.
The Race Against Time
“Yeah, SSH scam started 12 seconds ago. Now it’s a fight against time.”
You have a window of opportunity measured in minutes. Do not install OpenClaw yet. Do not install Node.js. Your only priority is locking the door.
The First Defense (System Hygiene)
“So first we make sure we have the latest state of the internet on our VPS…”
Log in as root. Immediately. ssh root@your_ip_address
Your first command is not npm install. It is the ritual of synchronization: apt update && apt upgrade -y
“Why? Our job is to keep our core running while other packages are changing theirs.”
Linux distributions are snapshots in time. Security vulnerabilities (CVEs) are discovered daily. If you install tools on an outdated kernel, you are building a castle on a swamp. The upgrade command ensures that glibc, OpenSSL, and the kernel itself are patched against known exploits.
The Essential Arsenal
“Then we’ll install essential security and networking tools. apt curl apt wget ufw fail2ban ca-certificates gnupg.”
Why do we need these?
- curl/wget: For fetching keys and scripts verified by SSL.
- ufw (Uncomplicated Firewall): Because
iptablesis too arcane for a “viral guide” and we need to block ports fast. - fail2ban: The bouncer. It watches log files for repeated failures and bans the IPs.
- ca-certificates: To ensure we trust the correct SSL authorities.
- gnupg: For verifying PGP signatures of the software we download.
“Why weren’t these installed by default?” “Because Linux was designed to be composable… it was not designed to be secure.”
A default Linux image is designed for maximum compatibility, not maximum security. It is an open field. We are building a bunker.
Identity Management (Killing Root)
“Second, we create a non-root user with a strong password.”
Running OpenClaw as root is suicide. If the AI agent is compromised—via prompt injection or a malicious package—the attacker has god-mode access to your server.
Create a user. Let’s call him clawd_admin. adduser clawd_admin usermod -aG sudo clawd_admin
“Then we delete password access and create an SSH key instead.”
Passwords are leakable. They can be keylogged. They can be guessed. SSH keys (specifically ED25519 keys) are mathematically improbable to guess.
On your local machine (the Mac Mini you didn’t buy, or your laptop), generate the key: ssh-keygen -t ed25519 -C "openclaw_key"
Copy it to the server: ssh-copy-id -i ~/.ssh/id_ed25519.pub clawd_admin@your_vps_ip
Hardening the Tunnel
“No, we need to harden the SSH tunnel.”
Edit the SSH daemon config: /etc/ssh/sshd_config. We make three critical changes:
PermitRootLogin no(The root account is now unreachable directly).PasswordAuthentication no(Keys only. No brute-forcing passwords).PubkeyAuthentication yes.
“Restart with the new config. The log out log in with your SSH key again.” systemctl restart ssh
“You didn’t save your SSH key. I was supposed to be paying attention. We start from scratch.” Note: Always verify you can log in with the new user and key in a separate terminal window BEFORE closing your current root session. If you lock yourself out, you are wiping the server.
The Elimination Diet (Firewalling)
“Next firewall. This is an elimination diet. We block everything and then slowly reintroduce what we really need.”
In security, we operate on a “Default Deny” policy. Traffic is guilty until proven innocent.
“The tutorial won’t mention it cuz I wrote that tutorial. We block all unsolicited traffic…”
ufw default deny incoming ufw default allow outgoing
“But we leave one door open. Port 2222.” “Why 42s? Oh, it’s just an arbitrary number.”
Moving SSH from port 22 to a non-standard port like 2222 (or 54321) reduces log noise by 99%. Automated scripts scan port 22. They rarely scan high-numbered ports unless targeting you specifically.
Update your /etc/ssh/sshd_config again: Port 2222. Allow it in the firewall: ufw allow 2222/tcp. Enable the firewall: ufw enable.
“Then we autoban IPs that guess passwords.” This is where Fail2Ban comes in. Even with keys, people will try to connect. Configure a “jail” for SSH that bans an IP for 24 hours if they fail to authenticate 3 times. File: /etc/fail2ban/jail.local [sshd] enabled = true, port = 2222, bantime = 86400
The Operating System Sanity Check
“Now, congrats. Your server can reboot itself at 3:00 a.m.” Enable automatic security updates. unattended-upgrades. You do not want to manually patch openssl every week.
“Let’s do some basic OS sanity. How what kind of working environment would this be without a properly set time and date?” Time drift breaks authentication protocols (TOTP, Kerberos, SSL handshakes). timedatectl set-timezone UTC ntp synchronization must be active.
“Now let’s control entropy.” Cryptography requires randomness. Fresh VPS instances often lack “entropy” (random noise) because they have no mouse movements or keyboard inputs. Install rng-tools or haveged. This ensures your SSH key generation and SSL handshakes are cryptographically sound.
The Invisible Network (Tailscale/VPN)
“And now we get to the most interesting part. Installing a private VPN mesh. NVPN tail scale.”
This is the ultimate security layer. Why expose SSH to the public internet at all? Even on port 2222?
Install Tailscale (or Headscale if you are a purist). curl -fsSL https://tailscale.com/install.sh | sh tailscale up
“Verify if the wormhole actually opens.” Your VPS now has a private IP (e.g., 100.x.y.z) accessible only to your devices.
“Now we allow SSH only support 2022 but package to our private VPN mesh. Public SSH is now gone.” We reconfigure ufw. ufw allow in on tailscale0 to any port 2222 ufw delete allow 2222/tcp (Remove the public rule).
“All public inbound traffic is now gone except future IP56 noise.” Disable IPv6 if you aren’t using it. It is often a vector for bypass if your firewall rules only cover IPv4. Edit /etc/sysctl.conf: net.ipv6.conf.all.disable_ipv6 = 1.
The Dependency Hell (Node.js)
“So now we’re already there to install the user package… But for this first we need to install its dependency NodeJS.”
“We never trust Node version distros.” The default apt install nodejs gives you Node v12 or v14. OpenClaw needs modern bleeding-edge runtime, Node v22+.
“Install NodeJS from the official repo.” Use nvm (Node Version Manager) or the official NodeSource repository. curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash - sudo apt-get install -y nodejs
“Only then we install the user package directly from GitHub. But this of course doesn’t work because we didn’t install Git.” sudo apt install git
“Now verify the repo isn’t compromised by trusting GitHub and 900 random npm dependencies.” This is the reality of modern software. We are cloning OpenClaw. git clone https://github.com/openclaw/openclaw.git
Installation & Permissions
“Meanwhile, we create a credentials directory because we don’t dump production apps into home like crazy people.”
Do not run the app from ~. Move it to /opt/openclaw or /var/www/openclaw. Create a dedicated service user if you want to be extra paranoid, but using your non-root clawd_admin is acceptable if permissions are strict.
“Don’t we fix the directories permissions? Why are they broken?” “Broken is the def facto standard.” sudo chown -R clawd_admin:clawd_admin /opt/openclaw chmod 700 /opt/openclaw/credentials
“Our start, restart and verify the user package with status. No, with doctor.” Run the diagnostic tool provided by OpenClaw. npm install npm run doctor
This command checks for the required environment variables (API keys for Anthropic/OpenAI), write permissions for the database (SQLite), and network connectivity.
Immortality (Systemd)
“We configure the systemd service so if it breaks it doesn’t crash.”
You cannot just run npm start and close the terminal. If you logout, the bot dies. You need a Daemon.
“You know, system D is a controversial idea… but we lost.” Create the unit file: /etc/systemd/system/openclaw.service.
[Unit]Description=OpenClaw AI AgentAfter=network.target[Service]Type=simpleUser=clawd_adminWorkingDirectory=/opt/openclawExecStart=/usr/bin/node dist/index.jsRestart=alwaysRestartSec=10Environment=NODE_ENV=production[Install]WantedBy=multi-user.target“Activate and reactivate the service.” sudo systemctl daemon-reload sudo systemctl enable openclaw sudo systemctl start openclaw
“Now make sure we’re logging everything to observe runtime behavior.” journalctl -u openclaw -f Watch the logs. See the bot come alive.
The End Game (Application Security)
“Disk protection backups. Backups. And then run your application security audit if it has one.” Set up a cron job to backup the SQLite database (claw.db) to an S3 bucket or another server. 0 3 * * * rsync -avz /opt/openclaw/data backup_server:/backups/
“I love it. I thought we did security already.” “No, no, you don’t do security. Security needs to live rent free in your mind at all times.”
We have secured the infrastructure. Now you must secure the agent.
- Allowed Users: Configure OpenClaw’s
config.yamlto only respond to your Telegram/Discord User ID. - Rate Limiting: Ensure your API keys have hard limits in the OpenAI/Anthropic dashboards so a loop doesn’t bankrupt you.
- Sandboxing: If OpenClaw has the ability to run shell commands (the
bashtool), ensure it runs inside a Docker container, not on the bare metal VPS we just spent an hour securing.
“And now you have the setup with no public SSH, no public web ports, and server only reachable via tail scale.” “98.1% uptime if you ignore the weekly kernel panics.”
Conclusion
This was the Ubuntu version. You could do this on Arch, but then you’d have to explain it to everyone at parties.
You have successfully installed OpenClaw (Moltbot). It is running. It is secure. It is listening. Now, please, configure the application security so it doesn’t accidentally delete your Gmail archive while trying to unsubscribe you from a newsletter.
![Image Placeholder: A terminal screen showing a successful connection via Tailscale with a green lock icon and the OpenClaw ASCII art logo.]
