2025-12-22 · Authensor

How to Secure Self-Hosted AI Agents (VPS / Bare Metal)

SafeClaw by Authensor provides deny-by-default action gating for AI agents running on self-hosted infrastructure — whether that is a VPS from any provider, a dedicated server, or bare metal in your own data center. SafeClaw intercepts every action the agent attempts and enforces your YAML policy before execution, giving you application-level security controls that complement OS-level hardening. Install with npx @authensor/safeclaw and lock down your self-hosted AI agent deployment.

Prerequisites

Step 1 — Install SafeClaw

npx @authensor/safeclaw

Zero dependencies, MIT-licensed, 446 tests. Works identically whether you run on a $5 VPS or a rack-mounted server.

Step 2 — Define a Self-Hosted Policy

On self-hosted infrastructure you have full control, which means more attack surface. Lock it down aggressively:

version: 1
defaultAction: deny

rules:
- action: "file:read"
path: "/opt/agent/**"
effect: allow

- action: "file:write"
path: "/opt/agent/data/**"
effect: allow

- action: "file:write"
path: "/tmp/agent/**"
effect: allow

- action: "file:read"
path: "/etc/**"
effect: deny
reason: "Block reading system configuration"

- action: "file:read"
path: "/home/**/.ssh/**"
effect: deny
reason: "Block SSH key access"

- action: "network:request"
host: "api.openai.com"
effect: allow

- action: "network:request"
host: "api.anthropic.com"
effect: allow

- action: "network:request"
host: "169.254.169.254"
effect: deny
reason: "Block cloud metadata if running on cloud VPS"

- action: "shell:execute"
command: "rm *"
effect: deny
reason: "Block file deletion"

- action: "shell:execute"
command: "sudo *"
effect: deny
reason: "Block privilege escalation"

- action: "shell:execute"
command: "curl *"
effect: deny
reason: "Block arbitrary network tools"

- action: "env:read"
key: "SSH_*"
effect: deny

- action: "env:read"
key: "HOME"
effect: deny

Step 3 — Run as a Dedicated User

Never run an AI agent as root. Create a dedicated user with minimal permissions:

sudo useradd -r -m -d /opt/agent -s /usr/sbin/nologin agent-runner
sudo chown -R agent-runner:agent-runner /opt/agent

Step 4 — Create a systemd Service

# /etc/systemd/system/ai-agent.service
[Unit]
Description=AI Agent with SafeClaw Gating
After=network.target

[Service]
Type=simple
User=agent-runner
Group=agent-runner
WorkingDirectory=/opt/agent
ExecStart=/usr/bin/node agent.js
Restart=on-failure
RestartSec=5

# OS-level hardening
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/opt/agent/data /tmp/agent
PrivateTmp=true
ProtectKernelTunables=true
ProtectKernelModules=true

Environment=NODE_ENV=production
Environment=SAFECLAW_AUDIT_SINK=file
Environment=SAFECLAW_AUDIT_PATH=/opt/agent/data/audit.log

[Install]
WantedBy=multi-user.target

sudo systemctl daemon-reload
sudo systemctl enable ai-agent
sudo systemctl start ai-agent

The systemd service provides OS-level isolation (ProtectSystem, ProtectHome, PrivateTmp). SafeClaw provides application-level action gating. Together they form defense-in-depth.

Step 5 — Docker Deployment (Alternative)

# Dockerfile
FROM node:20-slim
RUN useradd -r -m agent
WORKDIR /app
COPY package*.json ./
RUN npm ci --production
COPY . .
RUN npx @authensor/safeclaw
USER agent
CMD ["node", "agent.js"]

docker run -d \
  --name ai-agent \
  --read-only \
  --tmpfs /tmp \
  -v agent-data:/app/data \
  --cap-drop ALL \
  --security-opt no-new-privileges \
  ai-agent:latest

The --read-only flag makes the container filesystem immutable. SafeClaw allows writes only to /app/data and /tmp per policy.

Step 6 — OS-Level Firewall Rules

Complement SafeClaw's network policy with iptables or nftables. Note that iptables resolves a hostname given to -d into its current IP addresses at insertion time, so re-apply these rules if the API endpoints' addresses change:

# Allow only LLM API endpoints
sudo iptables -A OUTPUT -m owner --uid-owner agent-runner -d api.openai.com -j ACCEPT
sudo iptables -A OUTPUT -m owner --uid-owner agent-runner -d api.anthropic.com -j ACCEPT
sudo iptables -A OUTPUT -m owner --uid-owner agent-runner -j DROP

SafeClaw blocks at the application layer. iptables blocks at the network layer. Even if one fails, the other catches it.

Step 7 — Rotate and Archive Audit Logs

# /etc/logrotate.d/ai-agent
/opt/agent/data/audit.log {
    daily
    rotate 90
    compress
    missingok
    notifempty
    postrotate
        systemctl reload ai-agent
    endscript
}

Verify audit chain integrity periodically:

npx @authensor/safeclaw audit verify --file /opt/agent/data/audit.log --last 500

Why Self-Hosted Needs Extra Care

On managed platforms, the provider handles OS patching, network isolation, and credential management. On self-hosted infrastructure, you own all of it. SafeClaw ensures that even if your OS-level controls have gaps, the AI agent cannot execute unauthorized actions.
