Is Your OpenClaw Server Exposed? How to Check and Fix It
Step-by-step guide to check if your OpenClaw (formerly Clawd.bot) server is exposed to the internet, signs of compromise, and immediate fixes to secure your server.
Quick Check: Are You Exposed?
Run this test from a different network (not your server):
curl -I https://your-domain.com
If you see the OpenClaw Control interface without being prompted for authentication, your server is exposed.
How to Check on Shodan
Shodan indexes internet-facing services. Search for:
"OpenClaw Control"
If your server IP appears in results, attackers can find it too.
Signs Your Server May Be Compromised
Check for these warning signs immediately:
1. Unusual API Usage
Log into Anthropic Console and check:
- Unexpected spikes in API calls
- Usage during times you weren't active
- Higher than expected bills
2. Unknown Conversations
Review your conversation logs:
# Check recent conversations
ls -la /opt/openclaw/conversations/
Look for conversations you don't recognize.
3. Modified Configuration
Check if your config was changed:
# Check modification time
ls -la /opt/openclaw/config.*
# View recent changes (if using git)
cd /opt/openclaw && git diff
4. Suspicious System Activity
# Check for new user accounts
cat /etc/passwd | tail -10
# Look for unexpected processes
ps aux | grep -v "^root\|^www-data\|^nobody"
# Check crontab for persistence
crontab -l
sudo crontab -l
# Check for recent logins
last -20
sudo lastb -20 # Failed login attempts (reading the btmp log requires root)
5. Outbound Connections
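# Check listening sockets and the processes that own them
sudo netstat -tulpn
# Look for unusual outbound connections (established sessions and owning processes)
sudo ss -tunp state established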
Immediate Steps If Exposed
Step 1: Stop the Bot
pm2 stop openclaw
# or
systemctl stop openclaw
# or
pkill -f openclaw
Step 2: Block External Access
# Temporarily block all traffic except SSH
sudo ufw reset
sudo ufw default deny incoming
sudo ufw allow 22/tcp # Or your SSH port
sudo ufw enable
Step 3: Rotate All Credentials
Critical: Change every credential the bot had access to.
| Credential | Where to Rotate |
|------------|-----------------|
| Anthropic API Key | console.anthropic.com |
| Discord Bot Token | Discord Developer Portal |
| OpenAI API Key | platform.openai.com |
| Any other API keys | Respective provider dashboards |
Update your .env file:
nano /opt/openclaw/.env
# Update all rotated keys
Step 4: Check for Persistence
Attackers often install backdoors. Check:
# Check crontabs
crontab -l
sudo crontab -l
ls -la /etc/cron.d/
# Check SSH keys
cat ~/.ssh/authorized_keys
sudo cat /root/.ssh/authorized_keys
# Check running services
systemctl list-units --type=service --state=running
Step 5: Review Logs
# Check auth logs for unauthorized access
sudo grep "Accepted\|Failed" /var/log/auth.log | tail -100
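# Check nginx access logs for responses other than 200/301/304
# (the status code is field 9 in nginx's default "combined" log format)
sudo tail -500 /var/log/nginx/access.log | awk '$9 !~ /^(200|301|304)$/'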
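The filter above drops 200 responses, but on a gateway that served its interface without authentication the successful requests are the evidence of access. The following added example (not part of the original guide) counts 2xx responses per client IP and skips addresses you list as your own; it assumes nginx's default combined log format, and the sample lines and IP addresses are constructed.

```shell
#!/usr/bin/env bash
# Added example: summarise successful (2xx) requests per client IP,
# excluding known-good addresses. Assumes nginx "combined" log format:
#   $1 = client IP, $4 = timestamp, $9 = status code.

# usage: foreign_hits "ip1 ip2 ..." < access.log
# prints "<count> <ip> <first-seen timestamp>", highest count first
foreign_hits() {
    awk -v known="$1" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) mine[k[i]] = 1 }
        $9 ~ /^2[0-9][0-9]$/ && !($1 in mine) {
            hits[$1]++
            if (!($1 in first)) first[$1] = substr($4, 2)   # strip leading "["
        }
        END { for (ip in hits) print hits[ip], ip, first[ip] }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample log lines (documentation IP ranges, not real traffic).
sample_log() {
    cat <<'EOF'
198.51.100.7 - - [12/Jan/2026:03:14:07 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2026:03:14:09 +0000] "GET /assets/app.js HTTP/1.1" 200 88211 "-" "Mozilla/5.0"
203.0.113.20 - - [12/Jan/2026:08:30:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Jan/2026:09:02:51 +0000] "GET / HTTP/1.1" 401 179 "-" "curl/8.5.0"
198.51.100.7 - - [12/Jan/2026:03:15:30 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
EOF
}

# 203.0.113.20 stands in for the operator's own address.
sample_log | foreign_hits "203.0.113.20"   # prints: 2 198.51.100.7 12/Jan/2026:03:14:07
# On the server: sudo cat /var/log/nginx/access.log | foreign_hits "YOUR.IP.HERE"
```

Any address in the output that you cannot account for received content from the server during the exposure window.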
How to Fix the Vulnerability
Fix 1: Enable Gateway Authentication
Edit your OpenClaw configuration:
gateway:
  auth:
    password: "generate-a-strong-password"
Generate a strong password:
openssl rand -base64 32
Fix 2: Configure Trusted Proxies
If using nginx or Caddy as reverse proxy:
gateway:
  auth:
    password: "your-password"
  trustedProxies:
    - "127.0.0.1"
    - "::1"
Fix 3: Configure Nginx Correctly
# limit_req below needs this zone. It must be defined at http level
# (the top of a file in sites-enabled or conf.d works).
# The 10r/s rate is an example value; tune it for your traffic.
limit_req_zone $binary_remote_addr zone=openclaw:10m rate=10r/s;

server {
    listen 443 ssl http2;
    server_name your-domain.com;

    # SSL configuration
    ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;

        # Forward real IP
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;

        # WebSocket support
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Rate limiting (optional but recommended)
        limit_req zone=openclaw burst=20 nodelay;
    }
}
Fix 4: Configure Caddy Correctly
your-domain.com {
    reverse_proxy localhost:3000 {
        header_up X-Real-IP {remote_host}
        header_up X-Forwarded-For {remote_host}
        header_up X-Forwarded-Proto {scheme}
    }
}
Fix 5: Restart Services
# Test nginx config
sudo nginx -t
# Restart nginx
sudo systemctl restart nginx
# Restart bot
pm2 restart openclaw
Verify the Fix
Test Authentication
From an external network:
curl -I https://your-domain.com
You should now get a 401 Unauthorized or authentication prompt.
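The curl test only exercises the path through the reverse proxy. As an added example (not part of the original guide), the script below reads `ss` output and reports any listener on the backend port that is bound to a non-loopback address, which would be reachable without passing through nginx or Caddy wherever the firewall allows it; port 3000 is taken from the proxy configs above, and the `ss` output shown is constructed.

```shell
#!/usr/bin/env bash
# Added example: find listeners on the backend port that other hosts can reach.
# Port 3000 is taken from the proxy_pass / reverse_proxy lines in this guide.
BACKEND_PORT=3000

# usage: ss -Htln | exposed_listeners PORT
# Reads `ss -Htln` output (column 4 = local address:port) and prints every
# local address bound to PORT that is not a loopback address.
exposed_listeners() {
    awk -v port="$1" '
    {
        addr = $4
        n = split(addr, parts, ":")
        if (parts[n] != port) next            # port follows the last colon
        host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
        gsub(/^\[|\]$/, "", host)             # [::1] -> ::1
        sub(/%.*$/, "", host)                 # 127.0.0.53%lo -> 127.0.0.53
        if (host ~ /^127\./ || host == "::1") next
        print addr
    }'
}

# Constructed `ss -Htln` output: the gateway is bound to all interfaces,
# so :3000 is reachable without passing through the reverse proxy.
sample_exposed() {
    cat <<'EOF'
LISTEN 0 511   0.0.0.0:3000   0.0.0.0:*
LISTEN 0 511   0.0.0.0:443    0.0.0.0:*
LISTEN 0 128      [::]:22        [::]:*
EOF
}

# Constructed output after binding the gateway to loopback only.
sample_fixed() {
    cat <<'EOF'
LISTEN 0 511 127.0.0.1:3000   0.0.0.0:*
LISTEN 0 511     [::1]:3000      [::]:*
LISTEN 0 511   0.0.0.0:443    0.0.0.0:*
EOF
}

sample_exposed | exposed_listeners "$BACKEND_PORT"   # prints 0.0.0.0:3000
sample_fixed   | exposed_listeners "$BACKEND_PORT"   # prints nothing
# On the server itself: sudo ss -Htln | exposed_listeners 3000
```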
Monitor Access Logs
# Watch for suspicious access attempts
sudo tail -f /var/log/nginx/access.log
When to Rebuild From Scratch
Consider a complete server rebuild if:
- Root access was possible
- Unknown processes were found
- SSH keys were modified
- You cannot determine what was accessed
- The server was exposed for an extended period
A fresh start eliminates any hidden backdoors.
Prevention Checklist
After fixing, implement these preventive measures:
- [ ] Gateway password configured
- [ ] Trusted proxies configured
- [ ] Firewall enabled (UFW)
- [ ] Fail2Ban installed
- [ ] SSH hardened (key-only, custom port)
- [ ] Regular credential rotation scheduled
- [ ] Monitoring/alerting set up
- [ ] Automatic security updates enabled
Don't Want to Handle This Yourself?
Security configuration is complex and mistakes can be costly. Our Professional Setup includes:
- Complete security hardening
- Proper reverse proxy configuration
- Firewall and intrusion prevention
- Ongoing security monitoring
Exposed server? Contact us immediately for emergency assistance.