diff --git a/hosts/hyp-01/default.nix b/hosts/hyp-01/default.nix
index fb4ed38..9c9d0aa 100644
--- a/hosts/hyp-01/default.nix
+++ b/hosts/hyp-01/default.nix
@@ -17,6 +17,7 @@
 ./modules/boot.nix
 ./modules/disko.nix
+ ./modules/fail2ban.nix
 ./modules/impermanence.nix
 ./modules/networking.nix
 ./modules/users.nix
diff --git a/hosts/hyp-01/modules/fail2ban.nix b/hosts/hyp-01/modules/fail2ban.nix
new file mode 100644
index 0000000..0f442be
--- /dev/null
+++ b/hosts/hyp-01/modules/fail2ban.nix
@@ -0,0 +1,23 @@
+{ pkgs, ... }:
+{
+ environment.etc = {
+ "fail2ban/filter.d/nginx-bruteforce.conf".text = ''
+ [Definition]
+ failregex = ^.*GET.*(matrix/server|\.php|admin|wp\-).* HTTP/\d.\d\" 404.*$
+ '';
+ };
+
+ services.fail2ban = {
+ enable = true;
+
+ ignoreIP = [
+ "100.64.0.0/24" # tailnet
+ ];
+
+ maxretry = 3;
+ bantime = "2h";
+
+ extraPackages = [ pkgs.ipset ];
+ banaction = "iptables-ipset-proto6-allports";
+ };
+}
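Review bot: The `failregex` in `nginx-bruteforce.conf` has no `<HOST>` (or `<ADDR>`) capture, so fail2ban has no address to ban and, as far as I recall, rejects a filter without a failure-id group; in an nginx access log the client address is the first field, so the line should read `failregex = ^<HOST> .*GET.*(matrix/server|\.php|admin|wp\-).* HTTP/\d\.\d\" 404.*$` (the `.` between the version digits is also unescaped). The filter is only written to `/etc/fail2ban/filter.d`; nothing in `services.fail2ban` references it, so no jail appears to load it — a `jails.nginx-bruteforce.settings` entry with `enabled`, `filter` and the nginx access `logpath` is needed, sketched below. The `ignoreIP` entry `100.64.0.0/24` is commented as the tailnet, but Tailscale allocates from `100.64.0.0/10`; if the whole tailnet is meant, peers outside `100.64.0.x` can still be banned, so confirm the intended range. The whole module is inside the hunk.
```nix
  services.fail2ban = {
    # … unchanged: enable, ignoreIP, maxretry, bantime, extraPackages, banaction …
    jails.nginx-bruteforce.settings = {
      enabled = true;
      filter = "nginx-bruteforce";
      logpath = "/var/log/nginx/access.log"; # confirm against the host's nginx access_log
    };
  };
```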