🔐

I Was Terrified of Hackers Breaking Into My AI Server

How I Secured My MoltBot Setup Without Being a Security Expert

🛡️ 16 min read • Security Guide • February 2026

Let me tell you about the nightmare that kept me awake: I had just set up MoltBot on my home server, everything was working perfectly, and then I read a Reddit post about someone's self-hosted AI getting hijacked.

My stomach dropped.

I had opened port 11434 to the internet. I had no firewall rules. I was basically running a "please hack me" sign on my network.

Sound familiar? If you've set up MoltBot or ClawdBot and you're worried about security, this guide is for you. I spent two weeks learning everything I could about securing self-hosted AI, and I'm sharing it all here.

😰 The Real Risks (Let's Be Honest)

Before we fix anything, let's understand what we're actually protecting against:

Risk #1: Unauthorized Access

Someone finds your open Ollama port and uses your computer to run their own AI queries. Your electricity bill goes up, your computer slows down.

Risk #2: Data Exposure

If your MoltBot has access to your files, an attacker could potentially read them through the AI interface.

Risk #3: Network Pivot

Your AI server becomes an entry point to attack other devices on your home network.

Risk #4: Crypto Mining

Attackers install mining software on your machine. Your GPU works for them while you pay the electricity.

Okay, now that we're properly scared, let's fix everything. 😅

🟢 Level 1: Basic Security (Everyone Should Do This)

These steps take 10 minutes and block 90% of attacks.

1.1 - Never Expose Ollama Directly to Internet

By default, Ollama only listens on localhost (127.0.0.1). Keep it that way.

❌ NEVER do this:

OLLAMA_HOST=0.0.0.0:11434

This exposes Ollama to your entire network and potentially the internet.

✅ Keep it like this:

OLLAMA_HOST=127.0.0.1:11434

Only your local machine can access Ollama. MoltBot connects locally.

1.2 - Enable the Firewall

If you're on Linux (which most servers use), enable UFW:

# Install UFW if not present
sudo apt install ufw

# Allow SSH (so you don't lock yourself out!)
sudo ufw allow ssh

# Enable the firewall
sudo ufw enable

# Check status
sudo ufw status

That's it. Your server now blocks all incoming connections except SSH.

1.3 - Use Strong Passwords / SSH Keys

If you're accessing your server via SSH, disable password login and use keys:

# On your local computer, generate a key
ssh-keygen -t ed25519

# Copy it to your server
ssh-copy-id user@your-server-ip

# Then on the server, disable password login
sudo nano /etc/ssh/sshd_config
# Find and change: PasswordAuthentication no
sudo systemctl restart sshd

🟡 Level 2: Intermediate Security (Recommended)

If you want to access MoltBot from outside your home (like from your phone), do these steps.

2.1 - Use a Reverse Proxy with HTTPS

Instead of exposing ports directly, use Caddy as a reverse proxy. It automatically handles HTTPS certificates.

# Install Caddy
sudo apt install caddy

# Edit Caddy config
sudo nano /etc/caddy/Caddyfile

Add this configuration (replace with your domain):

yourdomain.com {
reverse_proxy localhost:3000
}

Caddy will automatically get an SSL certificate. All traffic is now encrypted.

2.2 - Add Authentication to MoltBot

In your MoltBot .env file, enable authentication:

# Enable authentication
AUTH_ENABLED=true

# Generate a random token (use a password generator)
AUTH_TOKEN=your-super-secret-random-token-here

# Limit which Telegram users can use the bot
ALLOWED_USERS=123456789,987654321

How to find your Telegram user ID: Message @userinfobot on Telegram. It will tell you your ID.

2.3 - Change Default Ports

Automated scanners look for default ports. Changing them adds a layer of obscurity:

# In your .env, use a non-standard port
PORT=47291

# Update firewall to allow only this port
sudo ufw allow 47291/tcp

🔴 Level 3: Advanced Security (For the Paranoid)

These are extra steps for maximum protection.

3.1 - Use a VPN (Tailscale)

The safest option: don't expose anything to the internet. Use Tailscale to create a private network.

Why Tailscale is amazing:

Free for personal use (up to 100 devices)
Works through firewalls and NAT
End-to-end encrypted
Your server is invisible to the internet

# Install Tailscale on your server
curl -fsSL https://tailscale.com/install.sh | sh

# Start and authenticate
sudo tailscale up

Install Tailscale on your phone too. Now you can access MoltBot from anywhere using the Tailscale IP, and it's completely invisible to the rest of the internet.

3.2 - Run in Docker with Limited Permissions

Containerize MoltBot so even if compromised, it can't access your whole system:

# docker-compose.yml example
version: '3'
services:
moltbot:
image: moltbot/moltbot
read_only: true
security_opt:
- no-new-privileges:true
user: "1000:1000"

3.3 - Enable Automatic Updates

Security patches are useless if you don't install them:

# Install unattended-upgrades
sudo apt install unattended-upgrades

# Enable automatic security updates
sudo dpkg-reconfigure -plow unattended-upgrades

🛡️ Security Checklist

Level 1 - Basic (Do Today):

☐ Ollama listening on localhost only

☐ Firewall enabled (UFW)

☐ SSH key authentication

☐ Strong passwords everywhere

Level 2 - Intermediate (Do This Week):

☐ Reverse proxy with HTTPS

☐ MoltBot authentication enabled

☐ Allowed users whitelist

☐ Non-default ports

Level 3 - Advanced (When Ready):

☐ Tailscale VPN

☐ Docker containerization

☐ Automatic security updates

☐ Regular log monitoring

🖥️ My Actual Security Setup

Here's exactly what I use:

Layer	What I Use
Remote Access	Tailscale (free)
Firewall	UFW - only SSH allowed
Authentication	SSH keys + MoltBot whitelist
Updates	Unattended-upgrades
Ollama	Localhost only (127.0.0.1)

With this setup, my AI server has been running for 6 months with zero security incidents. I sleep well at night. 😴

🚫 Mistakes I See People Making

Mistake: "I'll set up security later"

Bots scan the internet 24/7. Your exposed server will be found within hours, not days.

Mistake: Sharing screenshots with IP addresses

I've seen people post their terminal output on Reddit with their public IP visible. Don't do this.

Mistake: Using the same password everywhere

If one service gets hacked, they all do. Use a password manager.

Mistake: Ignoring "it works, don't touch it"

Security requires maintenance. Check for updates. Review logs occasionally.

📚 Want The Complete Security Deep-Dive?

I documented every security configuration, including advanced topics like fail2ban, intrusion detection, and secure remote access patterns in a 231-page guide.

Search on Amazon:

"MoltBot ClawdBot A.I Automation That Works"

📖 Get The Complete Guide on Amazon

Security doesn't have to be complicated. Start with Level 1 today, and work your way up.

Your future self will thank you for not getting hacked. 🔐

Stay safe out there. And remember: paranoia is just good security practice. 😉

AI Mastery Hub | Claude, Cowork, Automation & Artificial Intelligence