
Hardening without locking yourself out: roll out SSH/Fail2Ban/UFW/Tailscale in stages

Problem/scenario: hardening SSH, the firewall and network isolation all at once makes it easy to lock yourself out. Prerequisite: a console or alternate rollback path. Implementation steps: back up the live config first, then make one change at a time and verify each one, and only then layer the policies on top of each other. Key commands: `sshd -t`, `ufw status verbose`. Verification: SSH and OpenClaw stay usable after every change. Risk: without an out-of-band console, high-risk changes should be postponed. Source: a Reddit post-mortem, combined with common ops baselines.

Source: Reddit. Discovered 2026-02-20. Author: u/OkQuality9465
Prerequisites
  • You have a break-glass access path (cloud console, serial, or KVM).
  • Current SSH + firewall config backups are saved before changes.
Steps
  1. Start from inventory: list active listeners, current SSH auth mode, firewall rules, and OpenClaw bind/auth settings.
  2. Apply one control at a time (e.g., SSH key-only), validate with a second terminal session before proceeding.
  3. Enable Fail2Ban/UFW incrementally; whitelist required management IP/VPN paths first.
  4. Move OpenClaw exposure behind private networking (Tailscale/VPN) and keep gateway auth in token mode.
  5. Run post-change checks: SSH reconnect, `openclaw gateway status`, and one real command from your messaging channel.
Commands
sshd -t
sudo systemctl reload sshd
sudo ufw status verbose
openclaw gateway status
openclaw doctor
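The staged procedure above (back up, validate a single change, keep a rollback path, confirm the allowlist before enabling blocking controls) as a set of shell guard rails. This is an added example, not code from the original post; the function names, the management CIDR argument and the confirm-file convention are this example's own assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): guard rails for staged hardening.
# Assumptions: Debian/Ubuntu paths, sshd service name "sshd" (use "ssh" where that applies).
set -u

# Back up a config file with a timestamp before touching it; prints the backup path.
backup_config() {
  local src="$1" dst
  dst="${src}.bak.$(date +%Y%m%d%H%M%S)"
  cp -p "$src" "$dst" && printf '%s\n' "$dst"
}

# Validate a candidate sshd_config without installing it.
# Returns 0 if valid, 1 if sshd rejects it, 2 if sshd is not installed on this host.
sshd_config_valid() {
  command -v sshd >/dev/null 2>&1 || return 2
  sshd -t -f "$1" 2>/dev/null
}

# Return 0 only if the given `ufw status verbose` output already allows SSH (port 22)
# from the management/VPN source $2. Run this BEFORE `ufw enable` or a deny-by-default
# policy, so the allow rule for your own access path is in place first (step 3 above).
ufw_allows_mgmt_ssh() {
  local status_text="$1" mgmt="$2"
  printf '%s\n' "$status_text" \
    | grep -E '^22(/tcp)?[[:space:]]+ALLOW IN[[:space:]]+' \
    | grep -qF "$mgmt"
}

# Arm a rollback before reloading sshd: after $3 seconds, restore $1 over $2 and reload,
# unless the confirm file $4 exists. Create the confirm file from a NEW session only after
# the reconnect test succeeds; if you are locked out, the timer restores the old config.
arm_sshd_rollback() {
  local backup="$1" live="$2" seconds="$3" confirm="$4"
  ( sleep "$seconds"; [ -e "$confirm" ] || { cp -p "$backup" "$live"; systemctl reload sshd; } ) &
  echo $!   # PID of the rollback timer, in case you want to cancel it explicitly
}
```

Typical order: `backup_config /etc/ssh/sshd_config`, edit a copy, `sshd_config_valid` on the copy, `arm_sshd_rollback` with a short timeout, install and reload, then reconnect from a second terminal and touch the confirm file.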
Verify

After each hardening step, SSH remains reachable and OpenClaw still responds through the intended channel.

Caveats
  • Do not enable multiple blocking controls simultaneously on remote hosts without console fallback.
  • Fail2Ban/UFW exact policy values depend on the traffic profile and may need host-specific tuning (needs verification).
Source attribution

This tip is aggregated from community/public sources and preserved with attribution.