diff --git a/ansible/group_vars/all b/ansible/group_vars/all
index 2e8fa6cc7a46824fefb6df6e46bd2d01767512e8..452daa732ef7a77b7544c664fb9f444cea19b68f 100644
--- a/ansible/group_vars/all
+++ b/ansible/group_vars/all
@@ -46,3 +46,4 @@
 # ssh proxy
   enable_ssh_proxy_config: false
   sshpiper_dest_dir: "/opt/sshpiper"
+  fail2ban_cidr_list: "127.0.0.1/8"
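Review bot: `fail2ban_cidr_list` is undocumented, and its name suggests a YAML list although the value is a single string that the template interpolates verbatim into `ignoreip`. A comment above it would make the format and the consequence clear, for example `# fail2ban ignoreip allowlist: space-separated IPs/CIDRs that are never banned; keep it narrow`. Every address in this value is exempt from banning, so anyone overriding it per environment should know that a broad range switches the protection off for those sources. The canonical spelling of the loopback network is `127.0.0.0/8`, which is a little clearer than `127.0.0.1/8`.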
diff --git a/ansible/roles/ssh_proxy_config/tasks/main.yml b/ansible/roles/ssh_proxy_config/tasks/main.yml
index d3ec3bd59c405a5d1e4c0c85cab45ec9d8c6b9ca..fb51f9fe65cedd2993af4199eff9e04f8c1c1b2a 100644
--- a/ansible/roles/ssh_proxy_config/tasks/main.yml
+++ b/ansible/roles/ssh_proxy_config/tasks/main.yml
@@ -11,3 +11,44 @@
     enabled: true
     state: restarted
 
+- name: Install firewalld
+  ansible.builtin.package:
+    name: firewalld
+    state: present
+
+- name: Configure firewalld
+  ansible.posix.firewalld:
+    port: 2222/tcp
+    zone: public
+    state: enabled
+    permanent: true
+
+- name: Enable and start firewalld
+  ansible.builtin.service:
+    name: firewalld
+    enabled: true
+    state: restarted
+
+- name: Install fail2ban
+  ansible.builtin.package:
+    name: "{{ item }}"
+    state: present
+  loop:
+    - fail2ban
+    - fail2ban-firewalld
+
+- name: Configure fail2ban
+  ansible.builtin.template:
+    src: jail.local.j2
+    dest: "/etc/fail2ban/jail.local"
+    backup: true
+
+- name: Activate the firewall support
+  ansible.builtin.command:
+    cmd: mv /etc/fail2ban/jail.d/00-firewalld.conf /etc/fail2ban/jail.d/00-firewalld.local
+
+- name: Enable and start fail2ban
+  ansible.builtin.service:
+    name: fail2ban
+    enabled: true
+    state: restarted
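Review bot: The `Activate the firewall support` task is not idempotent: after the first run `00-firewalld.conf` has already been moved, so the `mv` fails on every later run of the role unless a package update has restored the file. Adding `creates: /etc/fail2ban/jail.d/00-firewalld.local` and `removes: /etc/fail2ban/jail.d/00-firewalld.conf` under `ansible.builtin.command` lets the task skip cleanly and report `changed` only when it acts. Both new service tasks also use `state: restarted`, so firewalld and fail2ban are restarted on every play run even when nothing changed. `state: started` plus a handler notified by the template and firewalld tasks would avoid needlessly reloading the firewall rules. Enabling firewalld with only `2222/tcp` added to the `public` zone should also be checked against the port used for administrative SSH on these hosts, since this hunk opens nothing else.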
diff --git a/ansible/roles/ssh_proxy_config/templates/jail.local.j2 b/ansible/roles/ssh_proxy_config/templates/jail.local.j2
new file mode 100644
index 0000000000000000000000000000000000000000..d5898e63b7cbb1046ac28d59062b1ede7d148809
--- /dev/null
+++ b/ansible/roles/ssh_proxy_config/templates/jail.local.j2
@@ -0,0 +1,7 @@
+[DEFAULT]
+banaction = firewalld
+bantime  = 1200
+ignoreip = {{ fail2ban_cidr_list }}
+
+[sshd]
+enabled = true
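Review bot: `banaction = firewalld` does not appear to match a stock fail2ban action; the firewalld actions I know of are named `firewallcmd-*`. The line probably only works because fail2ban reads `jail.d/*.local` after `jail.local`, so the renamed `00-firewalld.local` overrides it. Dropping the line and relying on the packaged file, or naming the intended `firewallcmd-*` action explicitly, would remove that hidden dependency. The `[sshd]` jail also uses the default sshd filter and port, while the role opens 2222/tcp for what looks like the proxy listener. If the proxy does not log through sshd, failed attempts against 2222 would not be counted, so confirm that the jail's `port` and log source cover it.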