
Changing Your OpenClaw Default Port: The Simplest Step Most People Skip

2026-03-17 · 5 min read


Port 8080 is public knowledge. It's OpenClaw's default, it's documented, and automated scanners on the internet probe it constantly. Right now, bots are crawling the internet looking for port 8080 on every IP address they can reach.

Changing your OpenClaw default port takes two minutes and blocks 99% of automated scanning attacks before they even start. It's not a complete security solution, but it's one of the simplest and highest-leverage steps in the entire hardening process.


Why Default Ports Are a Liability

Automated port scanners don't need to know who you are or where your server is. They scan entire IP ranges, probing for known ports. When they find port 8080 responding, they probe further — testing for known software running on that port, trying default credentials, looking for known vulnerabilities.

OpenClaw's default port is 8080. Every guide, YouTube video, and documentation page says this. That means anyone trying to find exposed OpenClaw instances starts with port 8080.

There are over 42,000 OpenClaw instances exposed on the public internet, most with default ports and no authentication. Your goal is to not be one of them.


The Unlisted Phone Number Analogy

Changing your port is like having an unlisted phone number. A determined attacker can still find you if they're specifically targeting you — they'll scan all 65,535 ports if they have to. But it completely eliminates the drive-by automated attacks that hit common, well-known ports.

99% of attacks are automated and opportunistic. They target known ports. If you're not on a known port, they move on.


Choosing a Good Port

Pick any number between 10000 and 65535. Avoid:

  • Well-known ports: 8080, 8443, 3000, 3001, 8000, 8888 (common web app ports that scanners also probe)
  • Very memorable numbers that a human might guess: 11111, 12345, 55555
  • Ports used by other services you run

Generate something random:

# Generate a random port between 10000-65535
shuf -i 10000-65535 -n 1

Or just pick something arbitrary like 39217, 47832, or 52441. The randomness matters — don't use the examples in any security guide (including this one). Pick your own.


Editing openclaw.json: The Exact Config Change

Open your config:

nano ~/.openclaw/openclaw.json

Find the gateway section and update the port:

{
  "gateway": {
    "port": 39217,
    "bind": "loopback"
  }
}

Replace 39217 with your chosen port number.

While you're in the config, also confirm that "bind": "loopback" is set. This keeps the gateway bound to localhost only, not publicly accessible. The port change and the bind setting work together — the custom port blocks automated scanners, and the loopback bind ensures it's not publicly reachable anyway (if you're using Tailscale).
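The two steps above (choosing a port that is not on the avoid list and writing it into openclaw.json) as one added example; this is my own helper, not OpenClaw's code, and the sample config it edits is constructed. It generalises the "memorable number" rule to any all-same-digit or sequential run, checks that nothing on the host already listens on the candidate port, and refuses to write a config whose gateway.bind is anything other than "loopback" (my choice, not something the guide specifies).

```python
import json
import random
import socket

# Avoid lists from the guide: scanner-probed web ports, human-guessable numbers,
# and the guide's own example ports (never reuse a number printed in a guide).
WELL_KNOWN = {8080, 8443, 3000, 3001, 8000, 8888}
MEMORABLE = {11111, 12345, 55555}
GUIDE_EXAMPLES = {39217, 47832, 52441}
PORT_MIN, PORT_MAX = 10000, 65535


def is_acceptable_port(port, in_use=frozenset()):
    """True if port is in 10000-65535, on no avoid list, and not in `in_use`."""
    if not PORT_MIN <= port <= PORT_MAX or port in in_use:
        return False
    if port in WELL_KNOWN | MEMORABLE | GUIDE_EXAMPLES:
        return False
    digits = str(port)
    # Generalises the guide's examples: all-same digits (22222) or ascending /
    # descending runs (23456, 54321) are also easy for a human to guess.
    return not (len(set(digits)) == 1 or digits in "0123456789" or digits in "9876543210")

def port_is_free(port):
    """True if nothing on this host is already bound to TCP `port` (tries a bind)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind(("127.0.0.1", port))
            return True
        except OSError:
            return False

def pick_port(in_use=frozenset(), seed=None, check_free=True):
    """Draw from the OS CSPRNG (or a seeded RNG for tests) until a port passes."""
    rng = random.SystemRandom() if seed is None else random.Random(seed)
    while True:
        port = rng.randint(PORT_MIN, PORT_MAX)
        if is_acceptable_port(port, in_use) and (not check_free or port_is_free(port)):
            return port

def set_gateway_port(config_text, port):
    """Return openclaw.json text with gateway.port changed and all other keys kept."""
    cfg = json.loads(config_text)
    gateway = cfg.setdefault("gateway", {})
    gateway["port"] = port
    # Guide requires "bind": "loopback": add it if absent, refuse any other value
    # rather than silently keeping a publicly reachable bind (my choice).
    bind = gateway.setdefault("bind", "loopback")
    if bind != "loopback":
        raise ValueError(f'gateway.bind is {bind!r}, expected "loopback"')
    return json.dumps(cfg, indent=2) + "\n"
```

Run it against the text of ~/.openclaw/openclaw.json, write the returned string back, then restart the gateway as described below.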


Restarting the Gateway

After saving the config:

openclaw gateway restart

Confirm it started successfully:

openclaw gateway status

If it shows as running, the port change is active.


Testing the Change

From your local machine (not the server), try to connect on the old port:

curl -s http://YOUR_SERVER_IP:8080 --max-time 5

This should time out or be refused. Then try your new port through Tailscale if configured, or directly if you have a reason to open the port. If the connection works on the new port and fails on the old one, the change is working.


UFW: Don't Open the New Port Unless Needed

If you're using Tailscale (which you should be), don't open the new port in UFW at all. Tailscale handles the encrypted tunnel. There's no reason to expose the port to the public internet.

# Check current UFW status
sudo ufw status

# If NOT using Tailscale and you need direct access
sudo ufw allow 39217/tcp

# If using Tailscale — leave the port closed in UFW
# Tailscale traffic bypasses UFW and the port doesn't need to be open

For Tailscale users: the port change reduces the scanner target, and Tailscale ensures the port isn't publicly reachable at all. Both layers protect you.

For non-Tailscale users: the port change is even more important since your server is publicly reachable. Combine it with UFW, SSH hardening, and Fail2ban.


What This Step Doesn't Do

Port randomization is a useful friction layer, not a security guarantee:

  • A determined attacker who scans all ports will still find your service
  • It doesn't replace proper authentication (gateway password + allowlist)
  • It doesn't replace network isolation (Tailscale or UFW)
  • It doesn't replace the other 12 steps in the hardening checklist

Think of it as the unlisted phone number: it keeps you off the default target list and blocks automated noise, but it's one layer among several. The two minutes it takes to implement make it worth doing on day one.

→ See also: How to Set Up Tailscale with OpenClaw (Make Your Server Invisible to the Internet)
→ See also: UFW Firewall Setup for OpenClaw: Close Every Port You Don't Need


Key Takeaways

  • Port 8080 is OpenClaw's default and is actively scanned by automated bots. Changing it takes two minutes.
  • Pick any random number between 10000–65535. Don't use examples from guides — pick your own.
  • Edit gateway.port in ~/.openclaw/openclaw.json and also confirm "bind": "loopback" is set.
  • Restart the gateway after the change and verify the old port no longer responds.
  • If using Tailscale, don't open the new port in UFW. Tailscale handles the tunnel and the port doesn't need to be publicly reachable.
  • Port randomization blocks automated scanning. It doesn't replace authentication, Tailscale, or UFW — it complements them.
