From 52f0308f1a24ff2ab207ecbb0870291c0eb1c5b4 Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Tue, 3 Mar 2026 08:29:33 -0800 Subject: [PATCH] Fix fail2ban crash: disable default sshd jail, make non-fatal MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Alpine's fail2ban ships with sshd jail enabled by default. Since there's no SSH server in the Fly.io container, fail2ban exits with an error looking for sshd logs — crashing the container via set -e. Disable the sshd jail explicitly and make fail2ban startup non-fatal since nginx rate limiting is the primary defense. Co-Authored-By: Claude Opus 4.6 --- fly/fail2ban/jail.d/forge.conf | 4 ++++ fly/start.sh | 10 +++++++--- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/fly/fail2ban/jail.d/forge.conf b/fly/fail2ban/jail.d/forge.conf index 7b0843f..50908b3 100644 --- a/fly/fail2ban/jail.d/forge.conf +++ b/fly/fail2ban/jail.d/forge.conf @@ -1,3 +1,7 @@ +# Disable the default sshd jail — no SSH server in this container +[sshd] +enabled = false + [forge-login] enabled = true filter = forge-login diff --git a/fly/start.sh b/fly/start.sh index 2ec7c48..5ec45db 100644 --- a/fly/start.sh +++ b/fly/start.sh @@ -20,9 +20,13 @@ nginx -g "daemon off;" & NGINX_PID=$! echo "Nginx started" -# Start fail2ban for login brute-force protection -fail2ban-server -b -echo "fail2ban started" +# Start fail2ban for login brute-force protection. +# Non-fatal — nginx rate limiting is the primary defense; fail2ban is additive. +if fail2ban-server -b; then + echo "fail2ban started" +else + echo "WARNING: fail2ban failed to start (nginx rate limiting still active)" +fi # Start Alloy for observability (logs → Loki, metrics → Prometheus) alloy run /etc/alloy/config.alloy \
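Review bot: In fly/fail2ban/jail.d/forge.conf, the new `[sshd]` / `enabled = false` override only wins if this file is read after whatever file enables the sshd jail, and the comment does not record that assumption. fail2ban reads jail.d/*.conf in alphabetical order with later files overriding earlier ones, and all *.local files after the *.conf files, so either state the ordering dependency in the comment or carry the override in a .local file. The comment could also say that it overrides the Alpine package default, as the commit message does, so the section is not later removed as dead config.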
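Review bot: In fly/start.sh, the `else` branch reduces every fail2ban startup failure to one `echo "WARNING: ..."` line on stdout, so a broken forge-login jail or filter would now go unnoticed just as easily as the sshd problem this patch works around. Send the warning to stderr, and in the success branch confirm the jail is actually loaded (for example with `fail2ban-client status forge-login`) before printing "fail2ban started". The warning text also states "nginx rate limiting still active" without checking it; nginx is only backgrounded a few lines earlier, so wording such as "nginx rate limiting is expected to be active" would match what the script knows.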