Server Meltdown: How Bots Crashed My AI Tools and What I Did About It

Published: January 23, 2026

I set up a shiny new shared server to host my shiny new AI tools. A few weeks later the server melted. All my tools went phut.

I had disabled password login and set up SSH keys only. But bots don't know what auth method you're using - they just keep trying. Thousands of login attempts... CPU maxed out... server collapsed.

That was nearly two years back. I came from a world of analytics, dashboards and ML models - this was like a new universe.

AI (Cursor & ChatGPT at that time) helped me understand what was happening and how to fix it.

I had fail2ban running in the backend. But the settings were too gentle.

fail2ban works like this - when somebody tries to log in and fails, we can put them into an IP jail. But the jail settings make all the difference.

The old setting I don't remember now, but in the new one I set maxretry at 5. Means after 5 failed attempts, they get banned. But banned for how long? That's where findtime and bantime come in.

findtime is the window - I set it at 3600 seconds (one hour). So if you mess up 5 times within that one hour window, you go to jail.

bantime is how long you sit in my jail - I set it at 86400 seconds. That's 24 hours ban. Full day.

Why 5 attempts and not 1 or 2? Because I might fat-finger an SSH attempt myself. Wrong key file, typo when connecting from terminal - those things happen, right? I don't want to lock myself out on one mistake. 5 gives me a decent margin. But bots hit that limit in seconds anyway.
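To see how maxretry, findtime and bantime interact, here is an added example (not code from this post or from fail2ban itself): a simplified Python model of the jail's sliding window, run over constructed sshd log lines. The names `simulate`, `log` and `SAMPLE`, the log format and the IP addresses are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

MAXRETRY, FINDTIME, BANTIME = 5, 3600, 86400  # jail values from the post

# Simplified pattern for sshd failure lines (not fail2ban's real sshd filter).
FAIL_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: "
    r"(?:Failed \S+ for (?:invalid user )?\S+|Invalid user \S+) from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
)

def simulate(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Return [(ip, banned_at, unbanned_at)] with times in epoch seconds."""
    recent = defaultdict(deque)  # ip -> failure times inside the findtime window
    banned_until, bans = {}, []
    for text in lines:
        m = FAIL_RE.match(text)
        if not m:
            continue
        ip, ts = m["ip"], datetime.fromisoformat(m["ts"]).timestamp()
        if banned_until.get(ip, 0) > ts:
            continue  # still in jail: the firewall would drop this attempt
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:  # forget failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            banned_until[ip] = ts + bantime
            bans.append((ip, ts, ts + bantime))
            window.clear()
    return bans

def log(ts, msg):
    return f"2026-01-16T{ts}+00:00 host sshd[1001]: {msg}"

# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE = (
    # bot: 6 attempts in 6 seconds
    [log(f"03:00:0{i}", "Invalid user admin from 203.0.113.7 port 40000") for i in range(6)]
    # owner fat-fingering the key 4 times in 4 minutes
    + [log(f"09:1{i}:00", "Failed publickey for dev from 198.51.100.20 port 50022 ssh2") for i in range(4)]
    # slow scanner: one attempt per hour
    + [log(f"1{i}:00:00", "Invalid user test from 192.0.2.55 port 41000") for i in range(5)]
)

if __name__ == "__main__":
    for ip, start, end in simulate(SAMPLE):
        print(ip, "banned for", int(end - start), "seconds")
```

With the post's values only the fast bot is jailed: four fat-fingered attempts stay under maxretry, and the once-an-hour scanner never has five failures inside one findtime window. Widening findtime is what catches that slow pattern.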

My jail stats from last week:

Was that the only mistake I made? I made 17 more that I recall. Read it here. With the fixes.

2026 Infra Guide Part 3: The 18 Common Security Mistakes and How to Fix Them

Today I run multi level defenses for client tools - OAuth, proxies, rate limits, API keys.

And before I release anything to a client, two mandatory checks: Browser F12 -> Console, Network, Application tabs to see what's exposed. Second, I ask Claude Code to do a Security Audit and identify all attack vectors. Almost always, I have missed something. Fix it.