diff --git a/sys/machines/rackserv/default.nix b/sys/machines/rackserv/default.nix
index e9d5756..7729507 100644
--- a/sys/machines/rackserv/default.nix
+++ b/sys/machines/rackserv/default.nix
@@ -1,10 +1,6 @@
 {
- lib,
- pkgs,
 inputs,
 systemProfiles,
- specialArgs,
- self,
 ...
 }: {
 imports =
@@ -13,6 +9,7 @@
 inputs.impermanence.nixosModules.impermanence
 inputs.disko.nixosModules.disko
 ./disk-config.nix
+ ./fail2ban.nix
 ]
 ++ (map (x: systemProfiles + x) [
 /core/security.nix
diff --git a/sys/machines/rackserv/fail2ban.nix b/sys/machines/rackserv/fail2ban.nix
new file mode 100644
index 0000000..644b181
--- /dev/null
+++ b/sys/machines/rackserv/fail2ban.nix
@@ -0,0 +1,12 @@
+{
+ services.fail2ban = {
+ enable = true;
+ ignoreIP = ["100.64.0.0/10"]; # tailscale
+ bantime = "1h";
+ bantime-increment = {
+ enable = true;
+ maxtime = "168h";
+ factor = "4";
+ };
+ };
+}
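Review bot: `ignoreIP = ["100.64.0.0/10"]` in the new fail2ban.nix exempts the entire RFC 6598 shared address space from every jail, and fail2ban matches on source address only, so the exemption is not tied to the Tailscale interface. If this host can receive traffic from that range on another interface (some hosting networks use it internally; not visible from this diff), those sources would never be banned, and dropping that source range on non-tailnet interfaces would close the gap. The list is also IPv4-only, so tailnet peers arriving over Tailscale's IPv6 ULA prefix can still be banned; if that matters, `ignoreIP = ["100.64.0.0/10" "fd7a:115c:a1e0::/48"];` covers both. I would expand the comment to `# Tailscale CGNAT range (RFC 6598); any source in it bypasses all jails`. No jails are declared in this file, so which services are actually protected depends on module defaults and configuration outside the hunk.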