Fix fail2ban crash: disable default sshd jail, make non-fatal

Alpine's fail2ban ships with sshd jail enabled by default. Since there's no SSH server in the Fly.io container, fail2ban exits with an error looking for sshd logs — crashing the container via set -e. Disable the sshd jail explicitly and make fail2ban startup non-fatal since nginx rate limiting is the primary defense. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-03 08:29:33 -08:00 · 2026-03-03 08:29:33 -08:00 · 52f0308f1a
commit 52f0308f1a
parent dbfe7365d8
2 changed files with 11 additions and 3 deletions
--- a/fly/fail2ban/jail.d/forge.conf
+++ b/fly/fail2ban/jail.d/forge.conf
@ -1,3 +1,7 @@
+# Disable the default sshd jail — no SSH server in this container
+[sshd]
+enabled = false
+
 [forge-login]
 enabled  = true
 filter   = forge-login
--- a/fly/start.sh
+++ b/fly/start.sh
@ -20,9 +20,13 @@ nginx -g "daemon off;" &
 NGINX_PID=$!
 echo "Nginx started"

-# Start fail2ban for login brute-force protection
-fail2ban-server -b
-echo "fail2ban started"
+# Start fail2ban for login brute-force protection.
+# Non-fatal — nginx rate limiting is the primary defense; fail2ban is additive.
+if fail2ban-server -b; then
+    echo "fail2ban started"
+else
+    echo "WARNING: fail2ban failed to start (nginx rate limiting still active)"
+fi

 # Start Alloy for observability (logs → Loki, metrics → Prometheus)
 alloy run /etc/alloy/config.alloy \