diff --git a/configuration.nix b/configuration.nix
index 7a9a05e..87efe0f 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -11,6 +11,7 @@
     ./modules/services.nix
     ./modules/nginx.nix
     ./modules/matrix.nix
+    ./modules/fail2ban.nix
   ];
 
   nix.settings.experimental-features = [ "nix-command" "flakes" ];
diff --git a/modules/fail2ban.nix b/modules/fail2ban.nix
new file mode 100644
index 0000000..5f0319e
--- /dev/null
+++ b/modules/fail2ban.nix
@@ -0,0 +1,72 @@
+{ config, pkgs, lib, ... }:
+
+{
+  services.fail2ban = {
+    enable = true;
+
+    bantime = "1h";
+    bantime-increment = {
+      enable = true;
+      maxtime = "168h";
+      factor = "4";
+    };
+
+    maxretry = 5;
+    findtime = "10m";
+
+    ignoreIP = [
+      "127.0.0.0/8"
+      "::1"
+      "100.64.0.0/10"
+    ];
+
+    jails = {
+      sshd = {
+        settings = {
+          enabled = true;
+          port = "22";
+          filter = "sshd[mode=aggressive]";
+          maxretry = 5;
+          findtime = "10m";
+          bantime = "1h";
+        };
+      };
+
+      nginx-botsearch = {
+        settings = {
+          enabled = true;
+          port = "http,https";
+          filter = "nginx-botsearch";
+          logpath = "/var/log/nginx/access.log";
+          maxretry = 5;
+          findtime = "10m";
+          bantime = "1h";
+        };
+      };
+
+      nginx-http-auth = {
+        settings = {
+          enabled = true;
+          port = "http,https";
+          filter = "nginx-http-auth";
+          logpath = "/var/log/nginx/error.log";
+          maxretry = 5;
+          findtime = "10m";
+          bantime = "1h";
+        };
+      };
+
+      nginx-bad-request = {
+        settings = {
+          enabled = true;
+          port = "http,https";
+          filter = "nginx-bad-request";
+          logpath = "/var/log/nginx/access.log";
+          maxretry = 15;
+          findtime = "10m";
+          bantime = "30m";
+        };
+      };
+    };
+  };
+}
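Review bot: The `sshd` jail hard-codes `port = "22"` although the module binds `config` and `lib` and uses neither, so a ban would stop covering sshd if `services.openssh.ports` is ever changed; `port = lib.concatMapStringsSep "," toString config.services.openssh.ports;` keeps the two in sync (if the NixOS fail2ban module's built-in sshd jail already derives the port this way, the override is redundant and can be dropped). The `nginx-http-auth` jail reads `/var/log/nginx/error.log`, but unless `services.nginx.logError` is pointed at that path elsewhere the NixOS default sends nginx errors to stderr/journald, and fail2ban will not start a jail whose `logpath` is missing — the same check applies to the access-log path shared by `nginx-botsearch` and `nginx-bad-request`. The `100.64.0.0/10` entry in `ignoreIP` exempts the whole CGNAT range from banning; a comment such as `# 100.64.0.0/10: CGNAT range, assumed reachable only over a trusted overlay (e.g. Tailscale); not safe if an ISP CGNAT address is bound` would make that assumption explicit. The per-jail `maxretry`/`findtime`/`bantime` on the sshd, nginx-botsearch and nginx-http-auth jails repeat the top-level defaults and could be dropped to leave only the `nginx-bad-request` deviation visible.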