---
title: "Server Meltdown: How Bots Crashed My AI Tools and What I Did About It"
slug: fail2ban-server-security-bots-ai-tools
date_published: 2026-01-23T10:00:00.000Z
original_url: https://www.tigzig.com/post/fail2ban-server-security-bots-ai-tools
source: fresh
processed_at: 2026-01-23T10:00:00.000Z
feature_image: /images/blog/fail2ban.png
---

# Server Meltdown: How Bots Crashed My AI Tools and What I Did About It

I set up a shiny new shared server to host my shiny new AI tools. A few weeks later the server melted. All my tools went phut.

I had disabled password login and set up SSH keys only. But bots don't know what auth method you're using - they just keep trying. Thousands of login attempts...CPU maxed out...server collapsed.

That was nearly two years back. I came from a world of analytics, dashboards and ML models - this was like a new universe.

AI (Cursor and ChatGPT at the time) helped me understand what was happening and how to fix it.

I had fail2ban running in the background. But the settings were too gentle.

fail2ban works like this - somebody tries to log in and fails, and we can put their IP in jail. But the jail settings make all the difference.

I don't remember the old setting now, but in the new one I set maxretry to 5. That means after 5 failed attempts, they get banned. But banned for how long? That's where findtime and bantime come in.

findtime is the window - I set it to 3600 seconds (one hour). So if you mess up 5 times within that one-hour window, you go to jail.

bantime is how long you sit in my jail - I set it to 86400 seconds. That's a 24-hour ban. A full day.

Why 5 attempts and not 1 or 2? Because I might fat-finger an SSH attempt myself. Wrong key file, a typo when connecting from the terminal - those things happen, right? I don't want to lock myself out on one mistake. 5 gives me a decent margin. But bots hit that limit in seconds anyway.
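To make the three numbers concrete, here is a small model of how maxretry, findtime and bantime interact, written as an added example for this post (it is not fail2ban's own code, and it is not something the original post contained). It replays constructed sshd log lines through a sliding window with the post's values (5 / 3600 / 86400) and shows why two fat-fingered attempts an hour apart never get me banned, while a bot that fails five times in five seconds is banned on the fifth try and stays blocked for a full day. The IPs and log lines are made up for the example; the `Jail` class, `run` and `parse_line` are names I chose.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# The post's jail settings: 5 failures within one hour -> banned for one day.
MAXRETRY = 5
FINDTIME = 3600
BANTIME = 86400

# Matches the sshd failure lines fail2ban's sshd filter looks for (simplified).
# With password auth disabled, most bot traffic shows up as "Invalid user" or
# "Connection closed by authenticating user ... [preauth]" rather than "Failed password".
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for|Invalid user|Connection closed by authenticating user) .*?"
    r"(?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_line(line, year=2026):
    """Return (ip, seconds since Jan 1 of `year`) for a failure line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return m.group("ip"), (ts - datetime(year, 1, 1)).total_seconds()


class Jail:
    """Sliding-window ban logic modelled on fail2ban's maxretry/findtime/bantime."""

    def __init__(self, maxretry, findtime, bantime):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned = {}                    # ip -> time the ban expires
        self.ban_log = []                   # (ip, time banned)

    def is_banned(self, ip, now):
        until = self.banned.get(ip)
        if until is None:
            return False
        if now >= until:            # bantime elapsed: quietly lift the ban
            del self.banned[ip]
            return False
        return True

    def observe(self, ip, now):
        """Feed one failure; returns 'dropped', 'banned' or 'counted'."""
        if self.is_banned(ip, now):
            return "dropped"        # firewall rule is in place, attempt never reaches sshd
        window = self.failures[ip]
        window.append(now)
        while window and now - window[0] > self.findtime:
            window.popleft()        # forget failures older than findtime
        if len(window) >= self.maxretry:
            self.banned[ip] = now + self.bantime
            self.ban_log.append((ip, now))
            window.clear()
            return "banned"
        return "counted"


def run(lines, year=2026):
    """Replay log lines through a Jail; returns (jail, [(ip, status), ...])."""
    jail = Jail(MAXRETRY, FINDTIME, BANTIME)
    events = []
    for line in lines:
        parsed = parse_line(line, year)
        if parsed:
            events.append((parsed[0], jail.observe(*parsed)))
    return jail, events


# Constructed sample log: me fat-fingering twice, a bot hammering, me again later,
# and the bot coming back after its 24 hours are up.
SAMPLE_LOG = [
    "Jan 20 09:00:01 host sshd[1001]: Failed password for root from 203.0.113.10 port 50001 ssh2",
    "Jan 20 09:00:30 host sshd[1002]: Failed password for root from 203.0.113.10 port 50002 ssh2",
    "Jan 20 09:05:00 host sshd[2001]: Invalid user admin from 198.51.100.7 port 40001",
    "Jan 20 09:05:01 host sshd[2002]: Invalid user admin from 198.51.100.7 port 40002",
    "Jan 20 09:05:02 host sshd[2003]: Invalid user oracle from 198.51.100.7 port 40003",
    "Jan 20 09:05:03 host sshd[2004]: Invalid user test from 198.51.100.7 port 40004",
    "Jan 20 09:05:04 host sshd[2005]: Invalid user ubuntu from 198.51.100.7 port 40005",
    "Jan 20 09:05:05 host sshd[2006]: Invalid user pi from 198.51.100.7 port 40006",
    "Jan 20 10:30:00 host sshd[3001]: Failed password for root from 203.0.113.10 port 50003 ssh2",
    "Jan 20 10:30:10 host sshd[3002]: Failed password for root from 203.0.113.10 port 50004 ssh2",
    "Jan 20 10:30:20 host sshd[3003]: Failed password for root from 203.0.113.10 port 50005 ssh2",
    "Jan 21 09:06:00 host sshd[4001]: Invalid user admin from 198.51.100.7 port 40007",
]

if __name__ == "__main__":
    jail, events = run(SAMPLE_LOG)
    for ip, status in events:
        print(f"{ip:<14} {status}")
    print("bans issued:", jail.ban_log)
```

In real fail2ban these three values live under `[sshd]` in `/etc/fail2ban/jail.local` as `maxretry`, `findtime` and `bantime`, and `fail2ban-client status sshd` prints the "Currently banned" / "Total banned" counters. One thing worth checking if password login is off: the sshd filter's default mode only matches some of the pre-auth disconnect lines that key-only bots produce, and setting `mode = aggressive` for the sshd jail widens what counts as a failure.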

My jail stats from last week:
- Currently banned: 157 IPs
- Total banned: 1,223 IPs (one week since last restart)
- Failed attempts blocked: 6,082
- Server running fine now.

Was that the only mistake I made? I made 17 more that I recall. Read them here, with the fixes.

[2026 Infra Guide Part 3: The 18 Common Security Mistakes and How to Fix Them](/post/2026-infra-guide-part-3-security-mistakes)

Today I run multi-level defenses for client tools - OAuth, proxies, rate limits, API keys.

And before I release anything to a client, two mandatory checks: first, browser F12 -> Console, Network and Application tabs to see what's exposed. Second, I ask Claude Code to do a security audit and identify all attack vectors. Almost always, I have missed something. Fix it.
