Key security properties of this deployment:
0.0.0.0/0 — restrict before production (see Security Hardening)secrets/inputs.sh or secrets/.env127.0.0.1 — never directly exposed to the internet| Topic | Doc |
|---|---|
| Firewall, SSH hardening, SOPS, fail2ban, sudo scoping | Security Hardening |
| Vulnerability reporting, threat model, best practices | Security Policy |
Security Hardening Overview of all security controls applied to the OpenClaw VPS. Firewall Two firewall layers run in series. Hetzner Cloud Firewall (network-level) Managed in Terraform (terraform/modules/hetzner-vps/main.tf). Applied at the hypervisor — traffic is dropped before it reaches the OS. Direction Protocol Port Source Condition Inbound TCP 22 ssh_allowed_cidrs variable Always Inbound UDP 41641 0.0.0.0/0, ::/0 Only if Tailscale on Outbound TCP 1–65535 0.0.0.0/0, ::/0 Always Outbound UDP 1–65535 0.0.0.0/0, ::/0 Always Outbound ICMP — 0.0.0.0/0, ::/0 Always ssh_allowed_cidrs defaults to ["0.0.0.0/0"]. For tighter access, set it to specific IPs in secrets/inputs.sh, or set it to [] to block public SSH entirely (Tailscale-only mode). ...
Security Policy Reporting a Vulnerability If you discover a security vulnerability in this project, please report it responsibly: Do NOT open a public GitHub issue Use GitHub Security Advisories to report vulnerabilities privately Include: Description of the vulnerability Steps to reproduce Potential impact Suggested fix (if you have one) We aim to respond to security reports within 48 hours and will work with you to understand and address the issue. Supported Versions Version Supported main :white_check_mark: < 1.0 :x: Security Considerations Infrastructure Security This project deploys cloud infrastructure. Please be aware of: ...