🎁 Get the FREE AI Skills Starter Guide β€” Subscribe β†’
BytesAgainBytesAgain
πŸ¦€ ClawHub

Security Dashboard

by @vegasbrianc

Real-time security monitoring dashboard for OpenClaw and Linux server infrastructure. Monitors gateway status, network security, public exposure, system updates, SSH access, TLS certificates, and resource usage.

Versionv1.2.1
Downloads2,130
Installs6
Stars⭐ 2
TERMINAL
clawhub install security-dashboard

πŸ“– About This Skill


name: security-dashboard description: Real-time security monitoring dashboard for OpenClaw and Linux server infrastructure. Monitors gateway status, network security, public exposure, system updates, SSH access, TLS certificates, and resource usage.

Security Dashboard Skill

Real-time security monitoring dashboard for OpenClaw and Linux server infrastructure.

Features

  • OpenClaw Security: Gateway status, binding, authentication, sessions, version tracking
  • Network Security: Tailscale status, public ports, firewall, active connections
  • Public Exposure: Port binding analysis, dashboard security, exposure level assessment
  • System Security: Updates, uptime, load, failed login attempts
  • SSH & Access: Password auth status, fail2ban, banned IPs, active sessions
  • Certificates & TLS: Caddy status, TLS configuration, WireGuard encryption
  • Resource Security: CPU/memory/disk usage, config file permissions
  • Installation

    1. Install the Skill

    cd /root/clawd/skills/security-dashboard
    sudo ./scripts/install.sh
    

    This will:

  • Ask user preference: Run as dedicated user (recommended) or root
  • Create openclaw-dashboard user with limited sudo privileges (if non-root)
  • Create systemd service with security hardening
  • Configure localhost binding (127.0.0.1 only)
  • Start the dashboard on port 18791
  • Enable auto-start on boot
  • Security Note: Running as a dedicated user with limited sudo is recommended. The dashboard only needs sudo for security checks (fail2ban, firewall, systemctl status) - not full root access.

    2. Access the Dashboard

    Localhost only (secure by default):

    Via SSH port forwarding:

    ssh -L 18791:localhost:18791 root@YOUR_SERVER_IP
    

    Then visit: http://localhost:18791

    Usage

    Start/Stop/Restart

    sudo systemctl start security-dashboard
    sudo systemctl stop security-dashboard
    sudo systemctl restart security-dashboard
    

    Check Status

    sudo systemctl status security-dashboard
    

    View Logs

    sudo journalctl -u security-dashboard -f
    

    API Endpoint

    Get raw security metrics:

    curl http://localhost:18791/api/security | jq
    

    Security Hardening

    The dashboard follows security best practices to minimize attack surface:

    Dedicated User (Recommended)

    The install script creates a openclaw-dashboard user with limited sudo privileges:
  • βœ… No shell access (/bin/false)
  • βœ… No home directory
  • βœ… Only specific sudo commands allowed (fail2ban, firewall, systemctl status)
  • βœ… Cannot execute arbitrary commands
  • Systemd Hardening

    Service runs with security restrictions:
    NoNewPrivileges=true      # Cannot escalate privileges
    PrivateTmp=true          # Isolated tmp directory
    ProtectSystem=strict     # Read-only filesystem except skill dir
    ProtectHome=true         # No access to /home
    ReadWritePaths=...       # Only skill directory is writable
    Restart=on-failure       # Restart only on crashes (not always)
    

    Network Binding

  • Default: 127.0.0.1 (localhost only)
  • Not accessible from network without SSH tunnel or VPN
  • No public exposure risk
  • Running as Root (Not Recommended)

    If you choose root during install:
  • ⚠️ Full system access if compromised
  • ⚠️ No privilege separation
  • ⚠️ Only suitable for trusted, isolated environments
  • Use the dedicated user option for production deployments.

    Configuration

    Change Port

    Edit /root/clawd/skills/security-dashboard/server.js:

    const PORT = 18791; // Change this
    

    Then restart:

    sudo systemctl restart security-dashboard
    

    Change Binding

    Default: 127.0.0.1 (localhost only - secure) Alternative: 0.0.0.0 (all interfaces - only with Tailscale!)

    Edit server.js line 445:

    server.listen(PORT, '127.0.0.1', () => {
      // Change '127.0.0.1' to '0.0.0.0' if needed
    });
    

    ⚠️ Security Warning: Only bind to 0.0.0.0 if behind Tailscale or firewall!

    Customize Metrics

    Add custom checks in server.js:

  • getOpenClawMetrics() - OpenClaw-specific metrics
  • getNetworkMetrics() - Network security
  • getSystemMetrics() - System-level checks
  • getPublicExposure() - Port/binding analysis
  • Dashboard Sections

    🦞 OpenClaw Security

  • Gateway running/stopped status
  • Binding configuration (loopback/public)
  • Auth token length and mode
  • Active sessions + subagents
  • Skills count
  • Current version + update availability
  • 🌐 Network Security

  • Tailscale connection status + IP
  • Public ports count
  • Firewall status (UFW/firewalld)
  • Active TCP connections
  • 🌍 Public Exposure

  • Exposure level (Excellent/Minimal/Warning/High)
  • Public port details (service names)
  • Kanban board binding
  • Security dashboard binding
  • OpenClaw gateway binding
  • Tailscale active/inactive
  • Security recommendations
  • πŸ–₯️ System Security

  • Updates available
  • Server uptime
  • Load average
  • Failed SSH logins (24h)
  • Root processes count
  • πŸ”‘ SSH & Access Control

  • SSH service status
  • Password authentication (enabled/disabled)
  • fail2ban status
  • Banned IPs count
  • Active SSH sessions
  • πŸ“œ Certificates & TLS

  • Caddy status
  • Public TLS enabled/disabled
  • Tailscale WireGuard encryption
  • πŸ“Š Resource Security

  • CPU usage percentage
  • Memory usage percentage
  • Disk usage percentage
  • Config file permissions (should be 600)
  • Security Alerts

    Dashboard generates real-time alerts:

    Critical (Red):

  • Weak gateway token (< 32 chars)
  • SSH password authentication enabled
  • Insecure config permissions (not 600)
  • Firewall inactive (UFW/firewalld not running)
  • fail2ban inactive (SSH brute-force protection disabled)
  • Warning (Yellow):

  • Tailscale disconnected
  • 20+ system updates available
  • 10+ failed login attempts in 24h
  • Disk > 80% full
  • Info (Blue):

  • Gateway exposed without Tailscale
  • Non-standard configurations
  • Integration Points

    Morning Briefing

    Add security status to morning report:
    curl -s http://localhost:18791/api/security | jq '.status'
    

    Heartbeat Checks

    Monitor for critical alerts:
    curl -s http://localhost:18791/api/security | \
      jq '.alerts[] | select(.level == "critical")'
    

    Alerting Integration

    Pipe alerts to notification systems:
    ./scripts/check-alerts.sh | xargs -I {} notify-send "Security Alert" "{}"
    

    Architecture

    Backend: Node.js HTTP server Frontend: Vanilla JavaScript (no frameworks) Port: 18791 (configurable) Binding: 127.0.0.1 (localhost only) Service: systemd unit

    Files:

  • server.js - Main backend (metrics collection + API)
  • public/index.html - Dashboard UI
  • lib/ - Shared utilities (if needed)
  • Dependencies

  • Node.js (v18+)
  • systemctl - Service management
  • ss - Socket statistics
  • ufw or firewalld - Firewall check
  • tailscale - VPN status (optional)
  • fail2ban - Ban tracking (optional)
  • openclaw - Gateway monitoring
  • All dependencies are standard Linux utilities except OpenClaw.

    Troubleshooting

    Dashboard not loading

    1. Check service status:

       sudo systemctl status security-dashboard
       

    2. Check logs:

       sudo journalctl -u security-dashboard -n 50
       

    3. Verify port is listening:

       ss -tlnp | grep 18791
       

    4. Test API directly:

       curl http://localhost:18791/api/security
       

    Gateway Status "Unknown"

  • Verify OpenClaw gateway is running:
  •   pgrep -f openclaw-gateway
      

  • Check OpenClaw config exists:
  •   cat ~/.openclaw/openclaw.json
      

    Metrics showing "Unknown"

  • Commands may require sudo permissions
  • Check script execution permissions
  • Verify paths exist (sessions, skills, etc.)
  • Uninstall

    sudo systemctl stop security-dashboard
    sudo systemctl disable security-dashboard
    sudo rm /etc/systemd/system/security-dashboard.service
    sudo systemctl daemon-reload
    

    Then remove skill directory:

    rm -rf /root/clawd/skills/security-dashboard
    

    Publishing

    To publish to ClawdHub:

    clawdhub publish security-dashboard
    

    License

    MIT

    Author

    Created by Erdma for Brian Christner's infrastructure monitoring.

    πŸ’‘ Examples

    Start/Stop/Restart

    sudo systemctl start security-dashboard
    sudo systemctl stop security-dashboard
    sudo systemctl restart security-dashboard
    

    Check Status

    sudo systemctl status security-dashboard
    

    View Logs

    sudo journalctl -u security-dashboard -f
    

    API Endpoint

    Get raw security metrics:

    curl http://localhost:18791/api/security | jq
    

    βš™οΈ Configuration

    Change Port

    Edit /root/clawd/skills/security-dashboard/server.js:

    const PORT = 18791; // Change this
    

    Then restart:

    sudo systemctl restart security-dashboard
    

    Change Binding

    Default: 127.0.0.1 (localhost only - secure) Alternative: 0.0.0.0 (all interfaces - only with Tailscale!)

    Edit server.js line 445:

    server.listen(PORT, '127.0.0.1', () => {
      // Change '127.0.0.1' to '0.0.0.0' if needed
    });
    

    ⚠️ Security Warning: Only bind to 0.0.0.0 if behind Tailscale or firewall!

    Customize Metrics

    Add custom checks in server.js:

  • getOpenClawMetrics() - OpenClaw-specific metrics
  • getNetworkMetrics() - Network security
  • getSystemMetrics() - System-level checks
  • getPublicExposure() - Port/binding analysis
  • πŸ“‹ Tips & Best Practices

    Dashboard not loading

    1. Check service status:

       sudo systemctl status security-dashboard
       

    2. Check logs:

       sudo journalctl -u security-dashboard -n 50
       

    3. Verify port is listening:

       ss -tlnp | grep 18791
       

    4. Test API directly:

       curl http://localhost:18791/api/security
       

    Gateway Status "Unknown"

  • Verify OpenClaw gateway is running:
  •   pgrep -f openclaw-gateway
      

  • Check OpenClaw config exists:
  •   cat ~/.openclaw/openclaw.json
      

    Metrics showing "Unknown"

  • Commands may require sudo permissions
  • Check script execution permissions
  • Verify paths exist (sessions, skills, etc.)