diff --git a/configs/nixos/fail2ban.nix b/configs/nixos/fail2ban.nix
new file mode 100644
index 0000000..da60106
--- /dev/null
+++ b/configs/nixos/fail2ban.nix
@@ -0,0 +1,16 @@
+{
+ config,
+ pkgs,
+ inputs,
+ lib,
+ myLib,
+ ...
+}: {
+ services.fail2ban = {
+ enable = true;
+ bantime-increment.enable = true;
+ bantime-increment.maxtime = "1w";
+ extraPackages = [pkgs.ipset];
+ banaction = "iptables-ipset-proto6-allports";
+ };
+}
diff --git a/configs/nixos/sshd.nix b/configs/nixos/sshd.nix
index e91be82..5dd4c45 100644
--- a/configs/nixos/sshd.nix
+++ b/configs/nixos/sshd.nix
@@ -6,6 +6,9 @@
 myLib,
 ...
 }: {
+ imports = [
+ ./fail2ban.nix
+ ];
 services.openssh = {
 enable = true;
 settings.PermitRootLogin = "prohibit-password";
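Review bot: With `banaction = "iptables-ipset-proto6-allports";` combined with `bantime-increment.maxtime = "1w";`, a ban drops traffic on every port for up to a week, so a few mistyped passwords from the administrator's own address lock that address out of the whole host rather than just SSH, and nothing in this module exempts any source. Add `ignoreIP = [ "<trusted-management-range placeholder>" ];` next to `enable = true;` so a known admin network can never be banned. The ipset/iptables action presumably assumes an iptables-backed firewall; if `networking.nftables.enable` is set elsewhere in this configuration, confirm that this action still installs its rules. As a point of style, `config`, `inputs`, `lib` and `myLib` are declared in the module arguments but never used; `{ pkgs, ... }: {` is all this file needs.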
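Review bot: Importing `./fail2ban.nix` from inside sshd.nix hides the fail2ban dependency from the host's top-level module list, so a reader of the host configuration will not see that a banning daemon with all-ports actions is running unless they open sshd.nix. Consider listing `./fail2ban.nix` alongside `./sshd.nix` in the host's own `imports` instead. If the nesting is deliberate so the two always travel together, a comment above `imports = [` such as `# fail2ban is brought in here so every host with sshd gets the sshd jail` would make that intent explicit. The enclosing module body continues outside the hunk.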