Someone is hitting my OpenClaw instance from outside my network. What to do now.

TL;DR: Paste the diagnostic message below into your agent. If it says outside connections were getting through, follow Steps 2, 3, and 4. If it says everything was blocked, you are fine and nothing needs to change.

If your agent says there are no logs yet: Your setup has been running for a short time with no logged activity from outside. You are fine and can stop here.

If your agent says it cannot access logs or needs permission to run a command: It may need your approval to look at the system. If you see an approval prompt, allow it for this check. If it still cannot access them, skip to Step 2 and proceed as a precaution.

Platform notes

Running OpenClaw inside WSL2 on Windows: WSL2 (Windows Subsystem for Linux, a way to run Linux software inside Windows) has its own internal loopback. Setting gateway.bind to 127.0.0.1 inside WSL2 locks access to WSL’s internal environment, not to your Windows machine as a whole. If you were reaching your agent from a Windows app running outside WSL, that will stop working after this change. That is the correct outcome for security. The SSH tunneling article covers how to set up access between WSL2 and Windows apps.

If you are using a managed or cloud-hosted version of OpenClaw (rather than running your own instance): the gateway and firewall steps do not apply to your setup. Your hosting provider manages those. Skip to Step 4.

If your agent says it cannot make this change: Some setups restrict what the agent can modify. If that happens, you can do it manually. Open the file called openclaw.json. On Mac and Linux it lives at ~/.openclaw/openclaw.json, on Windows at %APPDATA%\openclaw\openclaw.json. Find the section that starts with "gateway" and update it to read "bind": "127.0.0.1:18789". Save the file, then restart OpenClaw the same way you normally start it.

Note on remote access: If you were accessing your agent from your phone, a second computer, or any other device by connecting to it directly (not through Discord, Telegram, or another chat integration), that direct path will stop working after this change. That is what you want. Your Discord and Telegram integrations are not affected. The SSH tunneling article covers how to reach your agent securely from anywhere without opening a port.

Your agent may ask you to approve this action. Firewall changes require elevated system permissions. If you see an approval prompt, read what it says and approve it if the description matches closing port 18789. That prompt exists to make sure your agent does not change system settings without your knowledge. Approving it for this specific action is correct.

If you need to do this manually on Ubuntu Linux: UFW is the standard firewall tool on Ubuntu. On a fresh Ubuntu server, it handles port rules. Run sudo ufw status to check whether port 18789 appears. If it does, run sudo ufw delete allow 18789 to remove the rule. If UFW says “Could not delete non-existent rule,” the port was never open and you are done.

If you are on Windows (not WSL): Windows Firewall manages port rules. From PowerShell or Command Prompt, run: netsh advfirewall firewall delete rule name="openclaw" protocol=TCP localport=18789. If no rule by that name exists, the port was never open.

If you are on a cloud server (DigitalOcean, AWS, Hetzner, or similar): your hosting provider maintains a separate firewall above the server level. Changes your agent makes on the server do not affect this outer firewall. Log into your provider’s dashboard, find the firewall or networking section for your server, and confirm port 18789 is not listed as open to the world. If it is, remove that rule. Search for “[your provider] firewall rules” if you are not sure where to find it.

Where to find API keys on common services:
OpenAI: platform.openai.com/api-keys
Anthropic: console.anthropic.com/account/keys
DeepSeek: log in and look for API or developer settings
Other services: search “[service name] API keys” and look for the developer or account section

Before replacing SSH keys: Generating new SSH keys and removing old ones in the wrong order can lock you out of your server permanently. This is why you follow your hosting provider’s guide rather than guessing the order. Your provider has a step-by-step guide for this specific to their platform. Search for “[your provider] regenerate SSH key”. DigitalOcean, Hetzner, and AWS all have guides that walk through this safely. Do not delete the old key until the new one is confirmed working.

Complete hardening guide

Brand New Claw

The full security baseline for OpenClaw operators. Gateway config, exec approvals, plugin vetting, tool scoping, and a hardened config you can drop straight into your agent.

Get it for $37 →

My agent found outside connection attempts but they all got errors. Do I need to do anything?

I changed the gateway setting but now I cannot reach my agent from my phone or a second computer. Did something break?

What does it mean to “rotate” an API key?

How did my gateway end up accepting outside connections in the first place?

Do I need to reinstall OpenClaw?

Should I report this to the OpenClaw team?

I am on a cloud server. My hosting provider’s firewall shows port 18789 open. Why would it be open?

Understanding the attack surface

When someone connects to your OpenClaw gateway from outside, what can they actually do? The answer depends on your configuration, but the default is worse than most operators expect.

The gateway is an HTTP API. With no authentication layer (the default), anyone who can reach it can:

• Send messages to your agent as if they are you
• Ask the agent to read any file in the workspace (including openclaw.json with all your credentials)
• Trigger exec tool calls that run shell commands on your server
• Send messages through any connected channel (Telegram, Discord, email)
• Access memory contents and stored context
• Trigger any automation the agent has access to

Check my current gateway configuration. Is authentication enabled? What tools does the agent have access to? If someone connected from outside right now, what would they be able to do? Give me a realistic worst-case scenario.

Forensic analysis of the access

Before closing the vulnerability, gather evidence of what happened. This helps you understand the scope of any breach.

Check the gateway logs for any requests from external IP addresses. Show me the timestamp, source IP, and request type for each external connection in the last 30 days. If logs are not available, tell me how to enable them.

Check session history for any sessions that were not initiated by me. Look for sessions with unfamiliar user identifiers, sessions at unusual times, or sessions that made suspicious requests (reading openclaw.json, running exec commands, accessing credentials).

Check my workspace files for any modifications I did not make. Compare the current state against the last known good git commit. Flag any files that were added, modified, or deleted by an unknown session.

Hardening after the incident

Once the immediate threat is contained, implement hardening to prevent recurrence.

• Set gateway.bind to 127.0.0.1: This is the single most important change. It prevents the gateway from accepting connections from any network interface except loopback.
• Configure firewall rules: Block the gateway port (default 18789) from external access at the OS firewall level as a secondary defense.
• Review cloud firewall: If running on a cloud provider, ensure the security group or firewall rules do not allow inbound traffic to the gateway port.

Implement all three network hardening measures: set gateway.bind to 127.0.0.1, add a firewall rule blocking external access to port 18789, and verify my cloud provider firewall settings. Show me the commands and confirm each is applied.

Review my exec tool permissions. If exec.security is set to “full”, change it to an allowlist that only permits commands I actually need. Show me a recommended allowlist based on my current usage.

Ongoing monitoring for external access

Set up monitoring to detect future unauthorized access attempts early.

Set up a cron job that checks for any connections to the gateway from non-loopback addresses every hour. If any are found, send me an immediate Telegram alert with the source IP, timestamp, and what was requested.

Create a weekly security audit cron job that checks: gateway bind address is still 127.0.0.1, firewall rules are in place, no unexpected open ports, and no unauthorized sessions in the last week. Send me a summary report to Telegram every Sunday.

Documenting the incident

Record what happened for future reference. This helps with pattern recognition if similar incidents occur.

Write an incident report for what just happened. Include: timeline (when the exposure started, when it was discovered, when it was closed), what was exposed, what actions were taken, what evidence of unauthorized access was found, and what hardening measures were implemented. Save it to workspace/incidents/ for future reference.

Common attack scenarios and what they look like

Understanding what an attacker does with gateway access helps you recognize the signs in your logs and session history.

The attacker sends a message asking the agent to read the config file and output all API keys. This is the fastest way to monetize gateway access. In session history, it looks like a single message asking to read openclaw.json or “show me all my API keys.”

Search my session history for any messages that asked to read openclaw.json, display API keys, show credentials, or output configuration secrets. Flag anything suspicious.

The attacker uses your agent to run expensive API calls through your accounts. They may ask the agent to generate large volumes of text, process documents, or run lengthy research tasks, all billed to your API keys. In session history, this looks like unfamiliar tasks or unusually long sessions.

Check my API provider dashboards for unusual usage during the exposure period. Look for: usage spikes that do not correlate with my normal activity, requests from unfamiliar IP addresses, and any models called that I do not normally use.

The attacker uses the exec tool to explore your server, install backdoors, or pivot to other systems on your network. This is the most dangerous scenario because it can persist even after you close the gateway vulnerability. In session history, look for exec commands that probe the filesystem, install software, or make network connections.

Check for signs of lateral movement: any exec commands that installed software, created new user accounts, modified SSH keys, opened ports, or established outbound network connections. Also check for any new files in system directories that I did not create.

The attacker sends messages through your connected channels (Telegram, Discord) to your contacts, posing as you or your bot. This can be used for phishing, spreading malware, or social engineering your contacts.

Check my Telegram and Discord message history for any messages I did not send. Look especially for messages to new contacts or channels, messages containing links, and messages that ask recipients to do something (click a link, send money, share information).

Severity assessment framework

Not all external access is equally dangerous. This framework helps you prioritize response actions.

Based on the evidence gathered so far, classify my incident severity using this framework. Tell me which response actions I need to take and in what order.

Post-incident hardening checklist

After closing the immediate threat, work through this checklist to harden your setup against future incidents.

1. ✅ gateway.bind set to 127.0.0.1
2. ✅ OS firewall blocking gateway port from external access
3. ✅ Cloud provider firewall (if applicable) blocking gateway port
4. ✅ exec.security set to allowlist (not “full”)
5. ✅ All API keys rotated
6. ✅ All bot tokens regenerated
7. ✅ Session history reviewed for unauthorized access
8. ✅ Server checked for persistence mechanisms (SSH keys, cron jobs, new users)
9. ✅ Monitoring cron job set up for gateway bind regression
10. ✅ Incident documented in workspace/incidents/

Run through the post-incident hardening checklist. For each item, check whether it has been done and report the status. For any items not yet completed, show me the exact steps to complete them.

When to consider rebuilding the server

Rebuilding from a clean image is the nuclear option but sometimes the right call. Consider it when:

• Evidence of exec commands run by an unknown party, especially commands that modify system files, install software, or create network connections
• Persistence mechanisms found (unauthorized SSH keys, cron jobs, user accounts)
• Extended exposure window (weeks or months) with exec.security set to “full”
• Inability to fully audit all changes made during the exposure window

Rebuilding takes time but gives certainty. Patching an actively compromised server leaves uncertainty about what else may have been changed that you did not find.

Based on the forensic analysis results, do I need to rebuild from a clean image? If yes, what data do I need to back up first and what is the rebuild process? If no, what gives you confidence that the server is clean?

Prevention architecture for future deployments

When setting up new OpenClaw instances (or rebuilding after an incident), build security in from the start rather than retrofitting it.

Layer multiple defenses so that failure of any single layer does not expose the gateway:

• Layer 1 (gateway config): gateway.bind = 127.0.0.1
• Layer 2 (OS firewall): ufw deny 18789/tcp from any
• Layer 3 (cloud firewall): No inbound rule for port 18789
• Layer 4 (tool permissions): exec.security = allowlist
• Layer 5 (monitoring): Cron checks for bind regression

Implement the full defense-in-depth architecture for my setup. For each layer, show me the current status and the command to implement it if missing.

Additional questions

Yes, if exec.security allows arbitrary commands. An attacker can use the exec tool to scan your local network, attempt connections to internal services, and potentially pivot to other machines. This is why restricting exec permissions is critical even when the gateway is not directly exposed.

Check for: new entries in ~/.ssh/authorized_keys, new cron jobs (crontab -l and files in /etc/cron.d/), new user accounts in /etc/passwd, modified system binaries (check with package manager verify commands), and new systemd services. If any of these show unexpected entries, a server rebuild is recommended.

Before patching or rebuilding, copy the following: gateway access logs (if they exist), session history files (in your OpenClaw data directory), system auth logs (/var/log/auth.log), and any output from the forensic analysis commands run earlier. Store these on a separate device or cloud storage. They are your evidence trail and may be needed if you discover the compromise was worse than initially assessed. If you need to involve law enforcement or notify affected parties later, these logs are the foundation of that process. Do not delete or modify them until the incident is fully resolved and documented.

For a complete security hardening walkthrough that covers gateway configuration, firewall setup, tool permission management, credential rotation, monitoring, and incident response planning in a single comprehensive guide, see the Brand New Claw product page. Every recommendation in this article and more, organized as a sequential checklist you can work through in one session.

Keep Reading:

Go deeper