Dev.to
6/22/2026

Hardening Unattended Raspberry Pi Edge Nodes: Watchdog, fail2ban, nftables, and the Mistakes That Take Down DNS
Short summary
Unattended Raspberry Pi edge nodes need active hardening to survive silent failures. The article details hardware watchdog timers for kernel deadlock recovery, fail2ban for SSH isolation, and a carefully-scoped nftables firewall that coexists with Docker without breaking container networking. Designed-for-failure infrastructure requires independent recovery paths, not passive uptime assumptions.
- •Hardware watchdog timer auto-reboots on kernel deadlock via systemd petting mechanism
- •fail2ban isolates SSH attack surface without risking DNS service via scoped filter rules
- •Custom nftables table design prevents conflicts with Docker's NAT rules through additive rule loading
Generated with AI, which can make mistakes.
Is this a good recommendation for you?


