diff --git a/flake-modules/clan.nix b/flake-modules/clan.nix
index 706aa0f..f8b1293 100644
--- a/flake-modules/clan.nix
+++ b/flake-modules/clan.nix
@@ -126,6 +126,7 @@ in {
 clanHostsModule
 ../nixos/hosts/sunken-ship.nix
 config.flake.nixosModules.dotfiles-rebuild
+ config.flake.nixosModules.server-debug-tools
 inputs.home-manager.nixosModules.home-manager
 (hmModule {
 user = "danny";
@@ -165,6 +166,7 @@ in {
 inputs.nix-openclaw.nixosModules.openclaw-gateway
 ../nixos/hosts/phantom-ship.nix
 config.flake.nixosModules.dotfiles-rebuild
+ config.flake.nixosModules.server-debug-tools
 inputs.home-manager.nixosModules.home-manager
 (hmModule {
 user = "danny";
diff --git a/flake-modules/nixos-modules.nix b/flake-modules/nixos-modules.nix
index c982dd9..a466a58 100644
--- a/flake-modules/nixos-modules.nix
+++ b/flake-modules/nixos-modules.nix
@@ -4,4 +4,5 @@
 # modules = [ config.flake.nixosModules.dotfiles-rebuild ];
 { ... }: {
 flake.nixosModules.dotfiles-rebuild = ../modules/dotfiles-rebuild.nix;
+ flake.nixosModules.server-debug-tools = ../modules/server-debug-tools.nix;
 }
diff --git a/modules/server-debug-tools.nix b/modules/server-debug-tools.nix
new file mode 100644
index 0000000..4d35198
--- /dev/null
+++ b/modules/server-debug-tools.nix
@@ -0,0 +1,15 @@
+# A small set of network/process debugging tools that we'd otherwise
+# pick up from `clan.core.enableRecommendedDefaults = true`. The full
+# clan defaults also flip systemd-networkd / systemd-resolved on, which
+# breaks dnsmasq + navidrome's resolv.conf bind-mount, so we opted out
+# fleet-wide and added just the useful packages explicitly here.
+{ pkgs, ... }:
+{
+ environment.systemPackages = with pkgs; [
+ htop # process monitor
+ tcpdump # packet capture
+ dnsutils # dig, nslookup, host
+ jq # JSON parser
+ curl # HTTP client
+ ];
+}
diff --git a/nixos/hosts/vps-relay.nix b/nixos/hosts/vps-relay.nix
index c5b19c8..f7bf7b0 100644
--- a/nixos/hosts/vps-relay.nix
+++ b/nixos/hosts/vps-relay.nix
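Review bot: The header of modules/server-debug-tools.nix explains why `clan.core.enableRecommendedDefaults` is off but not where the module is meant to be applied, so a reader of the file alone cannot tell it is opt-in per host — in this same commit it is attached to sunken-ship and phantom-ship in flake-modules/clan.nix and, as far as this diff shows, not to vps-relay. Suggest closing the header comment with `# Opt-in: imported per host in flake-modules/clan.nix, not applied fleet-wide.` so the "fleet-wide" wording in the preceding sentence is not read as describing this module's scope.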
@@ -70,6 +70,23 @@
 networking.firewall.enable = true;
 networking.firewall.allowedTCPPorts = [ 22 80 443 ];
 
+ # fail2ban — public SSH gets brute-force probed within minutes of any
+ # cloud VM being created. Ban offending IPs after a few failures.
+ services.fail2ban = {
+ enable = true;
+ bantime = "1h";
+ bantime-increment = {
+ enable = true;
+ multipliers = "1 4 16 64 256"; # 1h, 4h, 16h, ~2.7d, ~10.7d
+ maxtime = "30d";
+ };
+ jails.sshd.settings = {
+ enabled = true;
+ maxretry = 5;
+ findtime = "10m";
+ };
+ };
+
 # --- Caddy reverse proxy --------------------------------------------
 # Subdomains → clan backends over ZeroTier. IPs are sunken-ship's /
 # phantom-ship's ZT IPv6; brackets required in URLs.
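Review bot: The sshd jail is added without an `ignoreip`, so the administrator's own path can be banned: five failures inside 10m from the admin's address (an agent offering a wrong key first, a mistyped user) locks it out for an hour, and the increment schedule grows that toward 30d on repeats. `services.fail2ban.ignoreIP` is the option for this; `services.fail2ban.ignoreIP = [ "<trusted-source-or-zerotier-prefix>" ];` (placeholder) next to `enable = true` would exempt the management path, and the ZeroTier range the Caddy section below already depends on is the obvious candidate. The jail sets no `port`; presumably the NixOS module's default sshd jail fills it from `services.openssh.ports`, which would match the 22 opened above — confirm. Whether password authentication is disabled for sshd is outside this hunk; if it is not, fail2ban only slows guessing, and `services.openssh.settings.PasswordAuthentication = false;` is the control that actually removes it. The enclosing host attribute set starts and ends outside the hunk.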