diff --git a/hosts/common/default.nix b/hosts/common/default.nix
index 3c58b4a..55f3421 100644
--- a/hosts/common/default.nix
+++ b/hosts/common/default.nix
@@ -16,6 +16,7 @@ in {
 inputs.impermanence.nixosModules.impermanence
 inputs.home-manager.nixosModules.home-manager
+ ../../modules/nixos/fail2ban.nix
 ../../modules/nixos/sops.nix
 ];
diff --git a/modules/nixos/fail2ban.nix b/modules/nixos/fail2ban.nix
new file mode 100644
index 0000000..802e938
--- /dev/null
+++ b/modules/nixos/fail2ban.nix
@@ -0,0 +1,32 @@
+{config, ...}: let
+ isFirewallEnabled = config.networking.firewall.enable;
+in {
+ services.fail2ban = {
+ enable = isFirewallEnabled;
+ maxretry = 5;
+ banaction = "iptables-multiport[blocktype=DROP]";
+ ignoreIP = [
+ "127.0.0.0/8"
+ "10.0.0.0/8"
+ "192.168.0.0/16"
+ ];
+ bantime = "24h";
+
+ bantime-increment = {
+ enable = true;
+ rndtime = "12m";
+ overalljails = true;
+ multipliers = "4 8 16 32 64 128 256 512 1024 2048";
+ maxtime = "192h";
+ };
+
+ jails = {
+ sshd.settings = {
+ enabled = true;
+ port = toString config.services.openssh.ports;
+ mode = "aggressive";
+ filter = "sshd";
+ };
+ };
+ };
+}
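Review bot: `port = toString config.services.openssh.ports;` in the sshd jail breaks as soon as `services.openssh.ports` holds more than one port, because `toString` on a Nix list joins the elements with spaces while fail2ban's `port` setting expects a comma-separated list, so the jail would fail to load on exactly the hosts that moved SSH off 22 and kept a second port; use `port = builtins.concatStringsSep "," (map toString config.services.openssh.ports);`. Tying `enable` to `isFirewallEnabled` also means a host with the firewall switched off silently gets no fail2ban at all rather than a build-time signal, which is worth stating in a comment such as `# fail2ban needs the firewall to apply bans; hosts without it get no brute-force protection` or turning into an assertion. The hard-coded `banaction = "iptables-multiport[blocktype=DROP]"` presumably overrides whatever backend-specific default the NixOS module would otherwise pick, so on a host using the nftables firewall backend the bans may never be installed — confirm against the module before relying on this. Finally, `ignoreIP` exempts the whole of 10.0.0.0/8 and 192.168.0.0/16, so SSH brute force from any machine on those ranges is never banned; if that is intentional, a one-line comment saying so would save the next reader from treating it as an oversight.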