Guides7 min read

VPS Security Hardening Checklist for AI Bot Servers (2025)

Complete security checklist for hardening your VPS hosting AI bots. Covers SSH hardening, Fail2Ban, UFW firewall, automatic updates, and essential security practices.

Published: 27/01/2025

Why AI Bot Servers Need Extra Security

AI bot servers are high-value targets because they typically contain:

  • Multiple API keys (Anthropic, OpenAI, Discord, etc.)
  • Conversation histories (potentially sensitive data)
  • Payment credentials (Stripe, billing integrations)
  • Access tokens to multiple platforms

A compromised bot server can lead to massive API bills, data breaches, and reputation damage. This checklist ensures your server is properly hardened.

Pre-Flight Checklist

Before starting, ensure you have:

  • [ ] SSH access to your VPS
  • [ ] Root or sudo privileges
  • [ ] A backup of important configurations
  • [ ] A secondary SSH session (in case you lock yourself out)

Step 1: System Updates

Always start with a fully updated system.

# Update package lists and upgrade all packages
sudo apt update && sudo apt upgrade -y

# Remove unnecessary packages
sudo apt autoremove -y

# Reboot if kernel was updated
sudo reboot

Enable Automatic Security Updates

# Install unattended-upgrades
sudo apt install unattended-upgrades -y

# Enable automatic updates
sudo dpkg-reconfigure -plow unattended-upgrades

Verify it's working:

cat /etc/apt/apt.conf.d/20auto-upgrades

Should show:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

Step 2: Create Non-Root User

Never run bots as root. Create a dedicated user:

# Create new user
sudo adduser botadmin

# Add to sudo group
sudo usermod -aG sudo botadmin

# Test sudo access
su - botadmin
sudo whoami  # Should output: root

For the bot itself, create a service user with no login shell:

sudo useradd -r -s /bin/false botservice

Step 3: SSH Hardening

SSH is the primary attack vector for VPS servers. Harden it properly.

3.1 Generate SSH Keys (On Your Local Machine)

# Generate a strong Ed25519 key
ssh-keygen -t ed25519 -C "your-email@example.com"

# Copy to server
ssh-copy-id user@your-server-ip

3.2 Configure SSH Daemon

Edit the SSH configuration:

sudo nano /etc/ssh/sshd_config

Apply these settings:

# Change default port (choose between 1024-65535)
Port 2222

# Disable root login
PermitRootLogin no

# Disable password authentication
PasswordAuthentication no
PubkeyAuthentication yes

# Disable empty passwords
PermitEmptyPasswords no

# Limit authentication attempts
MaxAuthTries 3

# Set login grace time
LoginGraceTime 30

# Disable X11 forwarding (not needed for bots)
X11Forwarding no

# Disable TCP forwarding unless needed
AllowTcpForwarding no

3.3 Restart SSH

sudo systemctl restart sshd

Keep your current session open! Test the new configuration from a new terminal window before closing your existing session.

Test new connection:

ssh -p 2222 botadmin@your-server-ip

Step 4: Configure UFW Firewall

UFW (Uncomplicated Firewall) provides simple firewall management.

# Install UFW
sudo apt install ufw -y

# Set default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH on custom port
sudo ufw allow 2222/tcp comment 'SSH'

# Allow HTTPS (for reverse proxy)
sudo ufw allow 443/tcp comment 'HTTPS'

# Optional: Allow HTTP for Let's Encrypt verification
sudo ufw allow 80/tcp comment 'HTTP'

# Enable firewall
sudo ufw enable

# Verify rules
sudo ufw status verbose

What to Allow

| Port | Protocol | Purpose | |------|----------|---------| | 2222 (custom) | TCP | SSH access | | 443 | TCP | HTTPS/Web traffic | | 80 | TCP | HTTP (Let's Encrypt only) |

Do NOT expose:

  • OpenClaw ports directly (3000, etc.)
  • Database ports (5432, 3306)
  • Redis ports (6379)

All bot services should be behind the reverse proxy.

Step 5: Install and Configure Fail2Ban

Fail2Ban automatically bans IPs with too many failed login attempts.

# Install Fail2Ban
sudo apt install fail2ban -y

# Create local configuration
sudo nano /etc/fail2ban/jail.local

Add this configuration:

[DEFAULT]
# Ban for 1 hour by default
bantime = 1h

# Time window for counting failures
findtime = 10m

# Max retries before ban
maxretry = 5

# Email notifications (optional)
# destemail = your-email@example.com
# action = %(action_mwl)s

[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 24h

[nginx-http-auth]
enabled = true
filter = nginx-http-auth
port = http,https
logpath = /var/log/nginx/error.log
maxretry = 3
bantime = 1h

Start Fail2Ban:

sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Check status:

# View banned IPs for SSH
sudo fail2ban-client status sshd

# Unban an IP if needed
sudo fail2ban-client set sshd unbanip 1.2.3.4

Step 6: Secure File Permissions

Environment Files

# Create .env with restricted permissions
touch .env
chmod 600 .env
chown botservice:botservice .env

Bot Directory

# Set proper ownership
sudo chown -R botservice:botservice /opt/openclaw

# Restrict permissions
sudo chmod -R 750 /opt/openclaw

Sensitive Files

# Find files with API keys
find /opt -name "*.env" -exec chmod 600 {} \;
find /opt -name "config.json" -exec chmod 600 {} \;

Step 7: Additional Hardening

Disable Unused Services

# List running services
sudo systemctl list-units --type=service --state=running

# Disable unnecessary services
sudo systemctl disable cups
sudo systemctl disable avahi-daemon

Secure Shared Memory

Edit /etc/fstab and add:

tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0

Set Up Audit Logging

sudo apt install auditd -y
sudo systemctl enable auditd

Complete Security Checklist

Print this and check off each item:

System

  • [ ] System updated (apt update && apt upgrade)
  • [ ] Automatic security updates enabled
  • [ ] Unnecessary packages removed

Users

  • [ ] Non-root admin user created
  • [ ] Service user created for bot
  • [ ] Root account disabled for SSH

SSH

  • [ ] SSH port changed from 22
  • [ ] Password authentication disabled
  • [ ] Key-based authentication enabled
  • [ ] Root login disabled
  • [ ] MaxAuthTries set to 3

Firewall

  • [ ] UFW installed and enabled
  • [ ] Default deny incoming
  • [ ] Only necessary ports open
  • [ ] Bot ports NOT exposed directly

Intrusion Prevention

  • [ ] Fail2Ban installed
  • [ ] SSH jail configured
  • [ ] Ban time set (24h recommended)
  • [ ] Max retries set (3 recommended)

File Security

  • [ ] .env files chmod 600
  • [ ] Config files proper ownership
  • [ ] Bot runs as non-root user

Monitoring

  • [ ] Log rotation configured
  • [ ] Audit logging enabled
  • [ ] Uptime monitoring set up

Common Security Mistakes

| Mistake | Risk | Solution | |---------|------|----------| | Running as root | Full system compromise | Use dedicated service user | | Default SSH port | Easy target for bots | Change to custom port | | Password auth enabled | Brute force attacks | Use key-only authentication | | No firewall | All ports exposed | Enable UFW | | Exposed bot ports | Direct attacks on service | Use reverse proxy | | Weak .env permissions | Credential exposure | chmod 600 |

Why Professional Setup Matters

Configuring all of this correctly requires expertise and attention to detail. A single misconfiguration can leave your server vulnerable.

Our Premium VPS Setup includes:

  • Complete security hardening
  • SSH key setup and configuration
  • Firewall and Fail2Ban configuration
  • Proper user and permission setup
  • Ongoing security updates with maintenance plans

Don't leave security to chance. Contact us for professional setup.

Related Guides

Need a VPS for Your Bot?

We recommend Hostinger KVM 2 VPS - reliable, fast, and perfect for AI chatbots. Get started with our recommended setup.

Get Hostinger VPS

Need Help With Setup?

Got your VPS? Let us handle the technical work. Professional setup and maintenance for OpenClaw (formerly Clawd.bot).

View PricingContact Us

Related Articles