I Was Terrified of Hackers Breaking Into My AI Server Until I Learned These Security Steps - Complete MoltBot Security Guide 2026
I Was Terrified of Hackers Breaking Into My AI Server
How I Secured My MoltBot Setup Without Being a Security Expert
16 min read • Security Guide • February 2026
Let me tell you about the nightmare that kept me awake: I had just set up MoltBot on my home server, everything was working perfectly, and then I read a Reddit post about someone's self-hosted AI getting hijacked.
My stomach dropped.
I had opened port 11434 to the internet. I had no firewall rules. I was basically running a "please hack me" sign on my network.
Sound familiar? If you've set up MoltBot or ClawdBot and you're worried about security, this guide is for you. I spent two weeks learning everything I could about securing self-hosted AI, and I'm sharing it all here.
The Real Risks (Let's Be Honest)
Before we fix anything, let's understand what we're actually protecting against:
Risk #1: Unauthorized Access
Someone finds your open Ollama port and uses your computer to run their own AI queries. Your electricity bill goes up, your computer slows down.
Risk #2: Data Exposure
If your MoltBot has access to your files, an attacker could potentially read them through the AI interface.
Risk #3: Network Pivot
Your AI server becomes an entry point to attack other devices on your home network.
Risk #4: Crypto Mining
Attackers install mining software on your machine. Your GPU works for them while you pay the electricity.
Okay, now that we're properly scared, let's fix everything.
Level 1: Basic Security (Everyone Should Do This)
These steps take 10 minutes and block 90% of attacks.
1.1 - Never Expose Ollama Directly to Internet
By default, Ollama only listens on localhost (127.0.0.1). Keep it that way.
❌ NEVER do this:
OLLAMA_HOST=0.0.0.0:11434
This exposes Ollama to your entire network and potentially the internet.
✅ Keep it like this:
OLLAMA_HOST=127.0.0.1:11434
Only your local machine can access Ollama. MoltBot connects locally.
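To confirm the binding instead of assuming it, here is an added example (not from the original guide or from Ollama) that reads `ss -Htln` output and lists every TCP listener on a given port that is bound to a non-loopback address. The function names and the sample lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: flag TCP listeners that other hosts can reach.
# Input : output of `ss -Htln` (no header, TCP, listening, numeric) on stdin.
# Output: "address port" for each listener on port $1 (any port if omitted)
#         whose local address is not loopback.
exposed_listeners() {
    want_port="${1:-}"
    awk -v want="$want_port" '
        $1 == "LISTEN" {
            local_addr = $4
            n = split(local_addr, parts, ":")
            port = parts[n]
            addr = substr(local_addr, 1, length(local_addr) - length(port) - 1)
            if (want != "" && port != want) next
            # 127.0.0.0/8 and ::1 are loopback. Anything else (0.0.0.0, *,
            # [::], a LAN or public IP) accepts connections from other hosts.
            if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
            print addr, port
        }'
}

# Constructed sample of `ss -Htln` output (not captured from a real host).
# "*:11434" is what a wildcard bind such as OLLAMA_HOST=0.0.0.0:11434 looks like.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0      4096       127.0.0.1:3000       0.0.0.0:*
LISTEN 0      4096               *:11434            *:*
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53         0.0.0.0:*
LISTEN 0      128             [::]:22            [::]:*
EOF
}

# Demo on the sample. On a real server run: ss -Htln | exposed_listeners 11434
sample_ss_output | exposed_listeners 11434
```

No output for port 11434 means Ollama is only reachable from the machine itself.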
1.2 - Enable the Firewall
If you're on Linux (which most servers use), enable UFW:
# Install UFW if not present
sudo apt install ufw
# Allow SSH (so you don't lock yourself out!)
sudo ufw allow ssh
# Enable the firewall
sudo ufw enable
# Check status
sudo ufw status
That's it. UFW denies incoming traffic by default, so your server now blocks all incoming connections except SSH.
1.3 - Use Strong Passwords / SSH Keys
If you're accessing your server via SSH, disable password login and use keys:
# On your local computer, generate a key
ssh-keygen -t ed25519
# Copy it to your server
ssh-copy-id user@your-server-ip
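# Then on the server, disable password login
sudo nano /etc/ssh/sshd_config
# Find the PasswordAuthentication line and set it to: PasswordAuthentication no
# Restart SSH, then confirm key login from a second terminal before closing this session
sudo systemctl restart sshd
Level 2: Intermediate Security (Recommended)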
If you want to access MoltBot from outside your home (like from your phone), do these steps.
2.1 - Use a Reverse Proxy with HTTPS
Instead of exposing ports directly, use Caddy as a reverse proxy. It automatically handles HTTPS certificates.
# Install Caddy
sudo apt install caddy
# Edit Caddy config
sudo nano /etc/caddy/Caddyfile
Add this configuration (replace with your domain):
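yourdomain.com {
    reverse_proxy localhost:3000
}
Caddy will automatically obtain and renew a TLS certificate, provided the domain resolves to your server and ports 80 and 443 are reachable. Traffic between clients and Caddy is then encrypted.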
2.2 - Add Authentication to MoltBot
In your MoltBot .env file, enable authentication:
# Enable authentication
AUTH_ENABLED=true
# Generate a random token (use a password generator)
AUTH_TOKEN=your-super-secret-random-token-here
# Limit which Telegram users can use the bot
ALLOWED_USERS=123456789,987654321
How to find your Telegram user ID: Message @userinfobot on Telegram. It will tell you your ID.
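To make the settings above checkable, here is an added example (not MoltBot's own tooling) that generates a random token and audits a `.env` file for the three keys shown in this section plus its file permissions. The function names, the 32-character minimum and the demo file are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: generate a token and audit the .env keys from this section.
# The 32-character minimum for AUTH_TOKEN is an assumption, not a MoltBot rule.

# 32 random bytes from the kernel CSPRNG, printed as 64 hex characters.
new_token() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Print one finding per line for the file in $1; print nothing if all checks pass.
audit_env() {
    env_file="$1"
    get() { sed -n "s/^$1=//p" "$env_file" | tail -n 1; }

    [ "$(get AUTH_ENABLED)" = "true" ] || echo "AUTH_ENABLED is not true"

    token="$(get AUTH_TOKEN)"
    case "$token" in
        ""|*your-super-secret*)
            echo "AUTH_TOKEN is empty or still the placeholder" ;;
        *)
            [ "${#token}" -ge 32 ] || echo "AUTH_TOKEN is shorter than 32 characters" ;;
    esac

    # Telegram user IDs are numeric: require a comma-separated list of digits.
    get ALLOWED_USERS | grep -Eq '^[0-9]+(,[0-9]+)*$' \
        || echo "ALLOWED_USERS is empty or not a list of numeric IDs"

    # The file holds a secret: group and other must have no permission bits.
    [ "$(ls -ld "$env_file" | cut -c5-10)" = "------" ] \
        || echo "$env_file is accessible to group or other (chmod 600 it)"
}

# Demo on a constructed file that still holds the placeholder token.
demo_env="$(mktemp)"
printf '%s\n' 'AUTH_ENABLED=true' \
    'AUTH_TOKEN=your-super-secret-random-token-here' \
    'ALLOWED_USERS=123456789,987654321' > "$demo_env"
chmod 644 "$demo_env"
audit_env "$demo_env"
rm -f "$demo_env"
```

Paste the output of `new_token` into `AUTH_TOKEN`, then run `audit_env` against your real `.env` until it prints nothing.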
2.3 - Change Default Ports
Automated scanners look for default ports. Changing them adds a layer of obscurity:
# In your .env, use a non-standard port
PORT=47291
# Update firewall to allow only this port
sudo ufw allow 47291/tcp
Level 3: Advanced Security (For the Paranoid)
These are extra steps for maximum protection.
3.1 - Use a VPN (Tailscale)
The safest option: don't expose anything to the internet. Use Tailscale to create a private network.
Why Tailscale is amazing:
- Free for personal use (up to 100 devices)
- Works through firewalls and NAT
- End-to-end encrypted
- Your server is invisible to the internet
# Install Tailscale on your server
curl -fsSL https://tailscale.com/install.sh | sh
# Start and authenticate
sudo tailscale up
Install Tailscale on your phone too. Now you can access MoltBot from anywhere using the Tailscale IP, and it's completely invisible to the rest of the internet.
3.2 - Run in Docker with Limited Permissions
Containerize MoltBot so even if compromised, it can't access your whole system:
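# docker-compose.yml example
version: '3'
services:
  moltbot:
    image: moltbot/moltbot
    # Mount the container's root filesystem read-only
    read_only: true
    security_opt:
      # Prevent processes from gaining privileges via setuid binaries
      - no-new-privileges:true
    # Run as an unprivileged user (UID:GID) instead of root
    user: "1000:1000"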
3.3 - Enable Automatic Updates
Security patches are useless if you don't install them:
# Install unattended-upgrades
sudo apt install unattended-upgrades
# Enable automatic security updates
sudo dpkg-reconfigure -plow unattended-upgrades
Security Checklist
Level 1 - Basic (Do Today):
☐ Ollama listening on localhost only
☐ Firewall enabled (UFW)
☐ SSH key authentication
☐ Strong passwords everywhere
Level 2 - Intermediate (Do This Week):
☐ Reverse proxy with HTTPS
☐ MoltBot authentication enabled
☐ Allowed users whitelist
☐ Non-default ports
Level 3 - Advanced (When Ready):
☐ Tailscale VPN
☐ Docker containerization
☐ Automatic security updates
☐ Regular log monitoring
My Actual Security Setup
Here's exactly what I use:
| Layer | What I Use |
|---|---|
| Remote Access | Tailscale (free) |
| Firewall | UFW - only SSH allowed |
| Authentication | SSH keys + MoltBot whitelist |
| Updates | Unattended-upgrades |
| Ollama | Localhost only (127.0.0.1) |
With this setup, my AI server has been running for 6 months with zero security incidents. I sleep well at night.
Mistakes I See People Making
Mistake: "I'll set up security later"
Bots scan the internet 24/7. Your exposed server will be found within hours, not days.
Mistake: Sharing screenshots with IP addresses
I've seen people post their terminal output on Reddit with their public IP visible. Don't do this.
Mistake: Using the same password everywhere
If one service gets hacked, they all do. Use a password manager.
Mistake: Living by "it works, don't touch it"
Security requires maintenance. Check for updates. Review logs occasionally.
Want The Complete Security Deep-Dive?
I documented every security configuration, including advanced topics like fail2ban, intrusion detection, and secure remote access patterns in a 231-page guide.
Search on Amazon:
"MoltBot ClawdBot A.I Automation That Works"
Security doesn't have to be complicated. Start with Level 1 today, and work your way up.
Your future self will thank you for not getting hacked.
Stay safe out there. And remember: paranoia is just good security practice.