diff --git a/nix/modules/security.nix b/nix/modules/security.nix
index 4b607e8..5e5b30a 100644
--- a/nix/modules/security.nix
+++ b/nix/modules/security.nix
@@ -8,6 +8,7 @@
 PermitRootLogin = "no"; # Disable root login
 PasswordAuthentication = false; # Force SSH key auth only
 PubkeyAuthentication = true; # Enable SSH keys
+ LogLevel = "VERBOSE"; # More detailed logging, for fail2ban
 };
 ports = [ 22 ];
 # using the same key as for initrd
@@ -16,6 +17,27 @@
 ];
 };
+ services.fail2ban = {
+ enable = true;
+ maxretry = 5; # Ban IP after 5 failures
+ ignoreIP = [
+
+ ];
+ bantime = "24h"; # Ban IPs for one day on the first ban
+ bantime-increment = {
+ enable = true; # Enable increment of bantime after each violation
+ multipliers = "1 2 3 4 5 6 7"; # everytime one day more
+ maxtime = "168h"; # Do not ban for more than 1 week
+ overalljails = true; # Calculate the bantime based on all the violations
+ };
+
+ # fail2ban ships with a default sshd jail, we override it here, to be explicit
+ jails.sshd.settings = {
+ port = 22; # explicit
+ maxretry = 5;
+ };
+ };
+
 # remote unlock for luks via ssh
 boot.kernelParams = [ "ip=dhcp" ];
 boot.initrd = {
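Review bot: `ignoreIP = [ ];` is left empty while the first ban is 24h and escalates to 168h, so a single misbehaving trusted client (a stale key after rotation, an automation job with the wrong identity) locks the operator out of this host for up to a week, and the surrounding context lines show the box is also unlocked remotely over SSH during boot, which makes losing the management path costly. Whitelist the management network, VPN range or bastion that admins actually connect from, e.g. `ignoreIP = [ "10.0.0.0/8" ]; # management VPN; never ban our own admin hosts` with the real range substituted, or state in a comment that self-lockout is accepted and how it is recovered (console access). Two smaller points in the same hunk: `port = 22; # explicit` in the jail duplicates `ports = [ 22 ];` from the sshd block above and will silently drift if one is changed, so consider deriving it from the openssh option if `config` is bound in this module (the module header is outside the hunk); and `maxretry = 5;` is now set both globally and in the jail, so keep one source of truth.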