How to Configure OpenClaw Securely:
Auth, Tokens, and Permissions

A complete security hardening guide to protect OpenClaw from unauthorized access.

± 35 min read | SufaNet
OpenClaw Security Auth

Introduction

OpenClaw is powerful. It can execute shell commands, access databases, trigger deployments, and perform many other critical actions. But with great power comes great responsibility: if it is not secured properly, OpenClaw can become a backdoor for an attacker.

This article covers how to secure OpenClaw end to end: authentication, token management, permission control, and production-grade security hardening.

⚠️ Warning: Never expose OpenClaw to the internet without authentication. That is like leaving your front door wide open with the key on the table.

Threat Model: What Needs Protecting?

Before setting up security, understand the threats you may face:

🎯 Attacks to Defend Against

  • Unauthorized API access
  • Brute force auth
  • Token theft/leakage
  • Command injection
  • Path traversal
  • DoS/DDoS attacks

🛡️ Protection Layers

  • Strong authentication
  • Token rotation
  • Permission-based access
  • Input validation
  • Rate limiting
  • Firewall rules

Authentication Setup

The first line of defense is strong authentication.

1. Enable Authentication

nano ~/openclaw/.env
# Authentication
AUTH_ENABLED=true
AUTH_METHOD=bearer  # or: basic, jwt, oauth
AUTH_TOKEN=

# Generate a secure token with:
# openssl rand -hex 32

2. Multiple Authentication Methods

OpenClaw supports several auth methods:

Bearer Token (Simple)

AUTH_METHOD=bearer
AUTH_TOKEN=abc123xyz789secure

Request with curl:

curl -H "Authorization: Bearer abc123xyz789secure" \
     http://localhost:3000/api/tasks

JWT (Recommended for Production)

AUTH_METHOD=jwt
JWT_SECRET=your-super-secret-jwt-key
JWT_EXPIRY=24h

Generate a JWT token:

npm run generate:jwt -- --user admin --permissions "tasks:read,tasks:write"

OAuth 2.0 (Enterprise)

AUTH_METHOD=oauth
OAUTH_PROVIDER=google  # or: github, azure
OAUTH_CLIENT_ID=your-client-id
OAUTH_CLIENT_SECRET=your-client-secret
OAUTH_CALLBACK_URL=https://openclaw.yourdomain.com/auth/callback

3. Multi-Factor Authentication (Optional)

MFA_ENABLED=true
MFA_METHOD=totp  # Time-based OTP (Google Authenticator)
MFA_ISSUER=OpenClaw

Token Management

Tokens must be managed properly to prevent unauthorized access.

1. Generate Secure Token

# Using OpenSSL (Linux/Mac)
openssl rand -hex 32

# Using Node.js
node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"

# Or use the OpenClaw CLI
npm run token:generate

2. Token Rotation

Set up automatic token rotation for maximum security:

TOKEN_ROTATION_ENABLED=true
TOKEN_ROTATION_INTERVAL=7d  # Rotate every 7 days
TOKEN_GRACE_PERIOD=1h  # Old token valid for 1 hour after rotation

3. Multiple API Keys

Create multiple API keys with different permissions:

nano ~/openclaw/config/api-keys.json
{
  "keys": [
    {
      "name": "admin-key",
      "key": "ak_admin_xxxxxxxxxxxxxxxx",
      "permissions": ["*"],
      "createdAt": "2026-02-09",
      "expiresAt": "2026-08-09"
    },
    {
      "name": "readonly-key",
      "key": "ak_readonly_yyyyyyyyyyyyyyyy",
      "permissions": ["tasks:read", "logs:read"],
      "createdAt": "2026-02-09",
      "expiresAt": "2026-05-09"
    },
    {
      "name": "webhook-key",
      "key": "ak_webhook_zzzzzzzzzzzzzzzz",
      "permissions": ["webhooks:receive"],
      "ipWhitelist": ["203.0.113.0/24"],
      "createdAt": "2026-02-09"
    }
  ]
}

Permission Control (RBAC)

Implement Role-Based Access Control for granular permissions.

1. Define Roles

nano ~/openclaw/config/rbac.json
{
  "roles": {
    "admin": {
      "description": "Full access",
      "permissions": ["*"]
    },
    "developer": {
      "description": "Can deploy and manage tasks",
      "permissions": [
        "tasks:read",
        "tasks:write",
        "tasks:execute",
        "deployments:trigger",
        "logs:read"
      ]
    },
    "viewer": {
      "description": "Read-only access",
      "permissions": [
        "tasks:read",
        "logs:read",
        "metrics:read"
      ]
    },
    "webhook": {
      "description": "Only receive webhooks",
      "permissions": [
        "webhooks:receive"
      ]
    }
  }
}

2. Assign Roles to Users/Keys

{
  "users": [
    {
      "username": "[email protected]",
      "role": "admin",
      "apiKey": "ak_admin_xxx"
    },
    {
      "username": "[email protected]",
      "role": "developer",
      "apiKey": "ak_dev_yyy"
    },
    {
      "username": "[email protected]",
      "role": "viewer",
      "apiKey": "ak_viewer_zzz"
    }
  ]
}

3. Permission Enforcement

OpenClaw automatically checks permissions before executing an action:

// Example: a user with the "viewer" role tries to trigger a task
// Request:
curl -H "Authorization: Bearer ak_viewer_zzz" \
     -X POST http://localhost:3000/api/tasks/backup-db/run

// Response:
{
  "error": "Permission denied",
  "required": "tasks:execute",
  "current": ["tasks:read", "logs:read"]
}

Rate Limiting

Protect against brute force and DoS attacks with rate limiting.

1. Global Rate Limit

RATE_LIMIT_ENABLED=true
RATE_LIMIT_WINDOW=15  # minutes
RATE_LIMIT_MAX=100  # requests per window
RATE_LIMIT_METHOD=sliding-window

2. Per-Endpoint Rate Limit

{
  "rateLimits": {
    "/api/auth/login": {
      "window": 15,
      "max": 5,
      "message": "Too many login attempts"
    },
    "/api/tasks/*/execute": {
      "window": 60,
      "max": 10,
      "message": "Task execution rate limit exceeded"
    },
    "/webhooks/*": {
      "window": 1,
      "max": 100
    }
  }
}
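The following added example, not OpenClaw's implementation, shows what `RATE_LIMIT_METHOD=sliding-window` combined with the per-endpoint rules above amounts to: each client's request timestamps are kept per matching rule, requests older than the window are dropped on every check, and the rule's `message` is returned when the cap is hit, with a `retryAfterMs` derived from the oldest request still inside the window. It assumes `window` is in minutes (as the `RATE_LIMIT_WINDOW` comment states) and that `*` in a rule path matches exactly one path segment.

```javascript
// Added example (not OpenClaw's own code): sliding-window rate limiter with per-endpoint
// rules in the shape of the article's JSON. Assumes `window` is in minutes and that "*"
// matches one path segment.
const RULES = {
  '/api/auth/login': { window: 15, max: 5, message: 'Too many login attempts' },
  '/api/tasks/*/execute': { window: 60, max: 10, message: 'Task execution rate limit exceeded' },
  '/webhooks/*': { window: 1, max: 100 },
};
// Fallback mirroring RATE_LIMIT_WINDOW=15 / RATE_LIMIT_MAX=100.
const GLOBAL_RULE = { window: 15, max: 100, message: 'Rate limit exceeded' };

// Turn "/api/tasks/*/execute" into a RegExp; "*" matches one non-empty path segment.
function patternToRegex(pattern) {
  const escaped = pattern.split('*')
    .map((part) => part.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'))
    .join('[^/]+');
  return new RegExp(`^${escaped}$`);
}

const COMPILED = Object.entries(RULES).map(([pattern, rule]) => ({
  pattern, rule, re: patternToRegex(pattern),
}));

// First matching per-endpoint rule wins; otherwise the global rule applies.
function ruleFor(path) {
  const hit = COMPILED.find((c) => c.re.test(path));
  return hit ? { ...hit.rule, pattern: hit.pattern } : { ...GLOBAL_RULE, pattern: '*' };
}

class SlidingWindowLimiter {
  // `now` is injectable so behaviour at the window edge can be tested deterministically.
  constructor(now = Date.now) {
    this.now = now;
    this.hits = new Map(); // "client|pattern" -> timestamps (ms) of accepted requests
  }

  // Record a request and decide. Returns { allowed, remaining, retryAfterMs, message? }.
  check(clientKey, path) {
    const rule = ruleFor(path);
    const windowMs = rule.window * 60 * 1000;
    const key = `${clientKey}|${rule.pattern}`;
    const t = this.now();
    // Sliding window: only requests strictly inside the last `windowMs` count.
    const recent = (this.hits.get(key) || []).filter((ts) => t - ts < windowMs);
    if (recent.length >= rule.max) {
      this.hits.set(key, recent); // rejected requests are not counted against the client
      return {
        allowed: false,
        remaining: 0,
        retryAfterMs: recent[0] + windowMs - t,
        message: rule.message || 'Rate limit exceeded',
      };
    }
    recent.push(t);
    this.hits.set(key, recent);
    return { allowed: true, remaining: rule.max - recent.length, retryAfterMs: 0 };
  }
}

// Stand-alone demo: the sixth login attempt inside 15 minutes is refused.
const demoLimiter = new SlidingWindowLimiter();
for (let i = 0; i < 6; i++) {
  console.log(i + 1, JSON.stringify(demoLimiter.check('203.0.113.45', '/api/auth/login')));
}
```

Keying the counters by client and rule means a client exhausting the login limit is not also locked out of unrelated endpoints, while the `retryAfterMs` value is what you would surface in a `Retry-After` header.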

3. IP-based Blocking

IP_BLOCKING_ENABLED=true
IP_BLOCK_THRESHOLD=50  # Block after 50 failed attempts
IP_BLOCK_DURATION=24h  # Block for 24 hours
IP_WHITELIST=127.0.0.1,10.0.0.0/8,your-vpn-ip

SSL/TLS Setup

If OpenClaw is reachable from the internet, HTTPS is mandatory.

1. Let's Encrypt SSL

sudo apt install certbot -y
sudo certbot certonly --standalone -d openclaw.yourdomain.com

2. Nginx Reverse Proxy with SSL

sudo nano /etc/nginx/sites-available/openclaw
server {
    listen 80;
    server_name openclaw.yourdomain.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name openclaw.yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/openclaw.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/openclaw.yourdomain.com/privkey.pem;

    # SSL Security
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    # Security Headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "DENY" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;

    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        
        # Security
        proxy_hide_header X-Powered-By;
        
        # Rate limiting (Nginx level)
        limit_req zone=api burst=20 nodelay;
    }
}

# Rate limit zone (lives in the http context, outside any server block)
limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
sudo ln -s /etc/nginx/sites-available/openclaw /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl restart nginx

Firewall Configuration

Set up a firewall to filter traffic at the network level.

1. UFW Basic Rules

# SSH (REQUIRED! Do not forget this or you lock yourself out)
sudo ufw allow 22/tcp

# HTTP & HTTPS (if using Nginx)
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# OpenClaw port (only if accessed directly, and only from a known address)
# sudo ufw allow 3000/tcp from your-ip-address

# Default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Enable firewall
sudo ufw enable

2. IP Whitelisting

# Allow only specific IPs
sudo ufw allow from your-office-ip/32 to any port 3000
sudo ufw allow from your-vpn-network/24 to any port 3000

3. Fail2ban Integration

sudo apt install fail2ban -y
sudo nano /etc/fail2ban/jail.local
[openclaw]
enabled = true
port = 3000,80,443
filter = openclaw
logpath = /home/user/openclaw/logs/access.log
maxretry = 5
bantime = 3600
findtime = 600

Audit Logging

Track all activity for forensic analysis.

1. Enable Audit Logging

AUDIT_LOG_ENABLED=true
AUDIT_LOG_FILE=./logs/audit.log
AUDIT_LOG_LEVEL=verbose

# Log all events
AUDIT_EVENTS=auth,tasks,api,shell,webhooks,errors

2. Audit Log Format

A structured log format:

{
  "timestamp": "2026-02-09T10:30:50.123Z",
  "event": "task.execute",
  "user": "[email protected]",
  "ip": "203.0.113.45",
  "userAgent": "OpenClawCLI/1.0",
  "taskId": "backup-database",
  "action": "execute",
  "result": "success",
  "duration": 2500,
  "metadata": {
    "triggeredBy": "schedule"
  }
}

3. Log Analysis with AI

{
  "name": "security-audit-analysis",
  "schedule": "0 0 * * *",
  "actions": [
    {
      "type": "shell",
      "command": "tail -n 10000 logs/audit.log",
      "output": "audit_logs"
    },
    {
      "type": "ai-analyze",
      "prompt": "Analyze these audit logs and identify suspicious activities, anomalies, or security threats",
      "input": "{{audit_logs}}"
    },
    {
      "type": "condition",
      "if": "ai_response.threat_level == 'high'",
      "then": [
        {
          "type": "notification",
          "channel": "telegram",
          "message": "🚨 Security Alert: {{ai_response.summary}}"
        }
      ]
    }
  ]
}
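Before handing ten thousand audit records to an AI prompt, it helps to have a deterministic screen that the AI step cannot talk its way out of. This added example, not OpenClaw's code, parses JSON-lines records in the format of section 2 and flags three things: authentication-failure bursts per source IP inside a sliding window, users accumulating permission denials (the "viewer tries to execute" case from the RBAC section), and lines that do not parse, which can indicate log tampering. All sample records and the event names other than `task.execute` are constructed; the thresholds are assumptions to tune against your own baseline.

```javascript
// Added example (not OpenClaw's own code): deterministic pre-screening of OpenClaw-style
// audit records before the AI analysis step. Sample records and event names other than
// "task.execute" are constructed; thresholds are assumptions.
const SAMPLE_AUDIT_LOG = [
  { timestamp: '2026-02-09T10:00:00.000Z', event: 'auth.login', user: 'admin@example.com', ip: '198.51.100.23', result: 'failure' },
  { timestamp: '2026-02-09T10:00:20.000Z', event: 'auth.login', user: 'admin@example.com', ip: '198.51.100.23', result: 'failure' },
  { timestamp: '2026-02-09T10:00:40.000Z', event: 'auth.login', user: 'admin@example.com', ip: '198.51.100.23', result: 'failure' },
  { timestamp: '2026-02-09T10:01:00.000Z', event: 'auth.login', user: 'admin@example.com', ip: '198.51.100.23', result: 'failure' },
  { timestamp: '2026-02-09T10:01:20.000Z', event: 'auth.login', user: 'admin@example.com', ip: '198.51.100.23', result: 'failure' },
  { timestamp: '2026-02-09T10:01:40.000Z', event: 'auth.login', user: 'admin@example.com', ip: '198.51.100.23', result: 'failure' },
  { timestamp: '2026-02-09T10:05:00.000Z', event: 'task.execute', user: 'viewer@example.com', ip: '203.0.113.45', taskId: 'backup-database', result: 'denied' },
  { timestamp: '2026-02-09T10:05:05.000Z', event: 'task.execute', user: 'viewer@example.com', ip: '203.0.113.45', taskId: 'deploy-prod', result: 'denied' },
  { timestamp: '2026-02-09T10:05:09.000Z', event: 'shell.run', user: 'viewer@example.com', ip: '203.0.113.45', result: 'denied' },
  { timestamp: '2026-02-09T10:30:50.123Z', event: 'task.execute', user: 'admin@example.com', ip: '203.0.113.45', taskId: 'backup-database', result: 'success', duration: 2500 },
].map((record) => JSON.stringify(record)).join('\n') + '\n{this line is not valid JSON\n';

// Parse JSON-lines; unparseable lines become their own event instead of being dropped silently.
function parseAuditLog(text) {
  const records = [];
  for (const line of text.split('\n')) {
    if (!line.trim()) continue;
    try {
      const parsed = JSON.parse(line);
      if (parsed === null || typeof parsed !== 'object') throw new Error('not an object');
      records.push(parsed);
    } catch {
      records.push({ event: 'audit.unparseable', raw: line });
    }
  }
  return records;
}

// Returns { threatLevel, findings }. threatLevel is 'high' for a brute-force burst,
// 'medium' for anything else found, 'low' when nothing is flagged.
function findSuspicious(records, { failThreshold = 5, windowMs = 10 * 60 * 1000, denyThreshold = 3 } = {}) {
  const findings = [];

  // 1. Auth-failure bursts per source IP: max failures inside any `windowMs` span.
  const failuresByIp = new Map();
  for (const r of records) {
    if (r.event === 'auth.login' && r.result === 'failure') {
      if (!failuresByIp.has(r.ip)) failuresByIp.set(r.ip, []);
      failuresByIp.get(r.ip).push(Date.parse(r.timestamp));
    }
  }
  for (const [ip, times] of failuresByIp) {
    times.sort((a, b) => a - b);
    let start = 0;
    let maxInWindow = 0;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] >= windowMs) start++;
      maxInWindow = Math.max(maxInWindow, end - start + 1);
    }
    if (maxInWindow >= failThreshold) findings.push({ type: 'auth_bruteforce', ip, count: maxInWindow });
  }

  // 2. Users collecting permission denials: probing for what their key is allowed to do.
  const deniedByUser = new Map();
  for (const r of records) {
    if (r.result === 'denied') deniedByUser.set(r.user, (deniedByUser.get(r.user) || 0) + 1);
  }
  for (const [user, count] of deniedByUser) {
    if (count >= denyThreshold) findings.push({ type: 'privilege_probing', user, count });
  }

  // 3. Unparseable lines: corruption, truncation or tampering of the audit file.
  const unparseable = records.filter((r) => r.event === 'audit.unparseable').length;
  if (unparseable > 0) findings.push({ type: 'unparseable_lines', count: unparseable });

  const threatLevel = findings.some((f) => f.type === 'auth_bruteforce') ? 'high'
    : findings.length > 0 ? 'medium' : 'low';
  return { threatLevel, findings };
}

// Stand-alone demo over the constructed sample.
console.log(JSON.stringify(findSuspicious(parseAuditLog(SAMPLE_AUDIT_LOG)), null, 2));
```

The output has the same `threat_level`-style shape the task's `condition` step keys on, so a screen like this can run as a `shell` action ahead of `ai-analyze` and raise the Telegram alert even when the AI summary is equivocal.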

Security Best Practices

✅ DO: Things You Should Do

  • Always enable authentication
  • Use strong, random tokens (at least 32 characters)
  • Enable SSL/TLS in production
  • Set up rate limiting
  • Rotate tokens regularly
  • Monitor audit logs
  • Keep OpenClaw updated
  • Use a firewall and IP whitelisting
  • Implement RBAC
  • Back up the security configuration

❌ DON'T: Things to Avoid

  • Don't expose OpenClaw without auth
  • Don't hardcode tokens in code
  • Don't share API keys publicly
  • Don't use default passwords
  • Don't disable SSL in production
  • Don't log sensitive data (passwords, keys)
  • Don't allow root shell commands without validation
  • Don't ignore security updates

Security Checklist

  • Authentication enabled and tested
  • API keys generated with a secure method
  • RBAC configured to match actual needs
  • Rate limiting active
  • SSL/TLS certificate installed and valid
  • Firewall rules configured
  • Audit logging enabled
  • Security config backed up
  • Regular security audit scheduled
  • Incident response plan documented

FAQ

Is a Bearer Token secure enough for production?

For internal use, or when access is already restricted by a firewall, a Bearer Token is sufficient. For public-facing or enterprise deployments, JWT or OAuth with token rotation is recommended.

How do I rotate an API key without downtime?

Generate the new key first, deploy it to all clients, wait a few days (the grace period), then revoke the old key. OpenClaw supports multiple active keys at the same time.

Do I have to use Nginx, or can OpenClaw serve HTTPS directly?

OpenClaw can serve HTTPS directly, but Nginx as a reverse proxy is recommended because its handling of SSL, rate limiting, and security headers is more mature.

What should I do if an API key leaks?

1) Immediately revoke it in OpenClaw, 2) check the audit log for suspicious activity, 3) generate and deploy a new key, 4) investigate how it leaked, 5) implement additional security measures.

Conclusion

Security is not an optional feature; it is a foundation that must be solid before OpenClaw is used in production. With the right setup, you can sleep well without worrying that OpenClaw becomes a security hole.

Key security layers:

  • Authentication: the first gate, and it must be strong
  • Authorization (RBAC): control who can do what
  • Network security: firewall, SSL, IP whitelisting
  • Rate limiting: prevent abuse and DoS
  • Audit logging: track everything for forensics

And most importantly: security is an ongoing process. Regular audits, updates, and monitoring are mandatory if you want the system to stay secure.

👉 Next Steps

🛡️ VPS with Security Features

SufaNet Indonesia VPS comes with:

  • DDoS protection included
  • Firewall management panel
  • Automated backups (optional)
  • SSL certificate support
  • 24/7 security monitoring

Automation without security = a hole waiting to be exploited.