diff --git a/fly/fail2ban/jail.d/forge.conf b/fly/fail2ban/jail.d/forge.conf
index 7b0843f..50908b3 100644
--- a/fly/fail2ban/jail.d/forge.conf
+++ b/fly/fail2ban/jail.d/forge.conf
@@ -1,3 +1,7 @@
+# Disable the default sshd jail — no SSH server in this container
+[sshd]
+enabled = false
+
 [forge-login]
 enabled = true
 filter = forge-login
diff --git a/fly/start.sh b/fly/start.sh
index 2ec7c48..5ec45db 100644
--- a/fly/start.sh
+++ b/fly/start.sh
@@ -20,9 +20,13 @@ nginx -g "daemon off;" &
 NGINX_PID=$!
 echo "Nginx started"
 
-# Start fail2ban for login brute-force protection
-fail2ban-server -b
-echo "fail2ban started"
+# Start fail2ban for login brute-force protection.
+# Non-fatal — nginx rate limiting is the primary defense; fail2ban is additive.
+if fail2ban-server -b; then
+ echo "fail2ban started"
+else
+ echo "WARNING: fail2ban failed to start (nginx rate limiting still active)"
+fi
 
 # Start Alloy for observability (logs → Loki, metrics → Prometheus)
 alloy run /etc/alloy/config.alloy \
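Review bot: The new `else` branch in fly/start.sh fails open quietly: if fail2ban does not start, the only trace is one stdout line, and the container keeps serving logins with no bans for as long as it runs. The exit status of `fail2ban-server -b` presumably covers only the launch of the background server, so the success branch does not show that the `forge-login` jail actually loaded. I would test `if fail2ban-server -b && fail2ban-client status forge-login >/dev/null; then` (possibly after a short wait for the socket) and send the warning to stderr with `>&2` so the log pipeline can alert on it. The message also asserts that nginx rate limiting is still active, which nothing in this script checks and whose config is not part of this diff, so a comment naming where that limit is defined would help the next reader verify the claim.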