diff --git a/ansible/roles/base/files/fail2ban-logrotate b/ansible/roles/base/files/fail2ban-logrotate
new file mode 100644
index 0000000..ad9bfcc
--- /dev/null
+++ b/ansible/roles/base/files/fail2ban-logrotate
@@ -0,0 +1,11 @@
+/var/log/fail2ban.log {
+ weekly
+ rotate 7
+ missingok
+ compress
+ nodateext
+ notifempty
+ postrotate
+ /usr/bin/fail2ban-client flushlogs 1>/dev/null || true
+ endscript
+}
diff --git a/ansible/roles/base/files/ssh-jail.conf b/ansible/roles/base/files/ssh-jail.conf
new file mode 100644
index 0000000..f64b9a2
--- /dev/null
+++ b/ansible/roles/base/files/ssh-jail.conf
@@ -0,0 +1,7 @@
+[sshd]
+enabled = true
+bantime = 600
+findtime = 30
+maxretry = 5
+port = {{ ssh_port }},ssh
+ignoreip = {{ wireguard.cidr }}
diff --git a/ansible/roles/base/files/sshd_config b/ansible/roles/base/files/sshd_config
index 1f79539..9b33b71 100644
--- a/ansible/roles/base/files/sshd_config
+++ b/ansible/roles/base/files/sshd_config
@@ -1,6 +1,6 @@
 # TCP port to bind to
 # Change to a high/odd port if this server is exposed to the internet directly
-Port 7743
+Port {{ ssh_port }}
 {% if expose_ssh %}
 AllowUsers {{ user }}
diff --git a/ansible/roles/base/tasks/fail2ban.yml b/ansible/roles/base/tasks/fail2ban.yml
new file mode 100644
index 0000000..0d89ee3
--- /dev/null
+++ b/ansible/roles/base/tasks/fail2ban.yml
@@ -0,0 +1,25 @@
+- name: Install fail2ban
+ package:
+ name: fail2ban
+ become: true
+
+- name: Enable fail2ban
+ service:
+ name: fail2ban
+ enabled: true
+ become: true
+
+- name: fail2ban SSH jail
+ template:
+ src: files/ssh-jail.conf
+ dest: /etc/fail2ban/jail.d/ssh.conf
+ mode: "0600"
+ become: true
+ register: fail2ban_jail
+
+- name: Restart fail2ban
+ service:
+ name: fail2ban
+ state: restarted
+ become: true
+ when: fail2ban_jail.changed
diff --git a/ansible/roles/base/tasks/logrotate.yml b/ansible/roles/base/tasks/logrotate.yml
new file mode 100644
index 0000000..66f4e55
--- /dev/null
+++ b/ansible/roles/base/tasks/logrotate.yml
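Review bot: `compress` without `delaycompress` in the new logrotate stanza gzips the rotated fail2ban.log in the same cycle, and because the `postrotate` command is masked by `|| true`, a failed `flushlogs` (daemon not running, client not at /usr/bin) leaves fail2ban writing to the renamed file that is then compressed away, so ban history — the audit trail for the SSH jail — can be lost silently. Adding `delaycompress` directly after `compress` keeps the previous log uncompressed for one cycle, which is logrotate's documented mitigation when a daemon may still hold the old file open. Whether flushlogs failures are likely on these hosts is not visible from the diff, but the cost of the extra directive is one uncompressed file per week.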
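Review bot: `findtime = 30` with `maxretry = 5` only bans a source that fails five times within thirty seconds, so a client pacing attempts at one every ten seconds is never banned, and `bantime = 600` lets it return after ten minutes; fail2ban's shipped default window is `findtime = 10m`, and something like `findtime = 600` with `bantime = 1h` costs legitimate users nothing while closing the slow-rate gap. Setting `ignoreip` inside `[sshd]` replaces any `[DEFAULT]` ignoreip from jail.conf/jail.local for this jail, so confirm that only `{{ wireguard.cidr }}` is meant to be exempt. Since the role also targets Arch (the `ansible_os_family == 'Archlinux'` condition in logrotate.yml), check that the jail can actually read sshd auth events there — on journal-only hosts the jail may need `backend = systemd`, otherwise it starts cleanly but matches nothing.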
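Review bot: The comment directly above the changed line still tells the reader to change the port in this file, but the value now comes from the `ssh_port` variable, so the instruction points at the wrong place; replace it with `# Port is set from the ssh_port role variable; change it there if this server is exposed to the internet directly`. The template continues past the hunk, so the `{% if expose_ssh %}` block is only partly visible here.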
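Review bot: The `Enable fail2ban` task sets only `enabled: true`, which registers the unit for boot but does not start it; on a host where fail2ban is installed but stopped and the jail file is already up to date, `Restart fail2ban` is skipped by `when: fail2ban_jail.changed` and the service stays down, so the SSH jail silently provides no protection until the next reboot. Add `state: started` next to `enabled: true`. Restarting through `register` plus a `when` works, but `notify: Restart fail2ban` with a handler is the idiomatic form and avoids the registered name being reused by other task files in the role.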
@@ -0,0 +1,18 @@
+- name: Install logrotate
+ package:
+ name: logrotate
+ become: true
+
+- name: Enable logrotate timer
+ service:
+ name: logrotate.timer
+ become: true
+ when: ansible_os_family == 'Archlinux'
+
+- name: logrotate fail2ban config
+ template:
+ src: files/fail2ban-logrotate
+ dest: /etc/logrotate.d/fail2ban
+ mode: "0600"
+ become: true
+ register: fail2ban_jail
diff --git a/ansible/roles/base/tasks/main.yml b/ansible/roles/base/tasks/main.yml
index 1aceee3..5eae83b 100644
--- a/ansible/roles/base/tasks/main.yml
+++ b/ansible/roles/base/tasks/main.yml
@@ -6,3 +6,9 @@
 - name: SSH
 include: ssh.yml
+
+- name: fail2ban
+ include: fail2ban.yml
+
+- name: logrotate
+ include: logrotate.yml
diff --git a/ansible/roles/base/vars/main.yml b/ansible/roles/base/vars/main.yml
new file mode 100644
index 0000000..df90549
--- /dev/null
+++ b/ansible/roles/base/vars/main.yml
@@ -0,0 +1 @@
+ssh_port: 7743
diff --git a/ansible/roles/gateway/tasks/fail2ban.yml b/ansible/roles/gateway/tasks/fail2ban.yml
index 3608810..e9b1246 100644
--- a/ansible/roles/gateway/tasks/fail2ban.yml
+++ b/ansible/roles/gateway/tasks/fail2ban.yml
@@ -1,8 +1,3 @@
-- name: Install fail2ban
- package:
- name: fail2ban
- become: true
-
 - name: fail2ban filter
 template:
 src: files/haproxy-fail2ban-filter.conf
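Review bot: The `Enable logrotate timer` task passes neither `state` nor `enabled` to `service`, and the module requires at least one of them, so the play fails on every Archlinux host instead of enabling the timer; it should carry `enabled: true` and `state: started` under `name: logrotate.timer`. The last task also registers its result as `fail2ban_jail`, a name copied from fail2ban.yml that nothing in this file reads; drop the `register` line or rename it (`register: logrotate_fail2ban_config`) so it cannot be mistaken for the jail result that gates the fail2ban restart.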
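Review bot: The two new entries use the bare `include:` action, which has been deprecated since Ansible 2.4 and is removed in recent ansible-core releases, so this task list will stop loading on an upgrade; the existing `include: ssh.yml` context line has the same problem. The included files are static, so `import_tasks: fail2ban.yml` and `import_tasks: logrotate.yml` are drop-in replacements. The task list begins before this hunk.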
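Review bot: Defining `ssh_port` in the role's `vars/main.yml` gives it higher precedence than inventory, group_vars and host_vars, so a per-host override — the case the sshd_config comment explicitly anticipates for internet-exposed servers — is silently ignored; move the line to `defaults/main.yml`, where `ssh_port: 7743` becomes an overridable default. Keeping the same value leaves the rendered sshd_config and the jail's `port = {{ ssh_port }},ssh` unchanged.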