diff --git a/docker/backoffice/etc/fail2ban/filter.d/nginx-conn-limit.conf b/docker/backoffice/etc/fail2ban/filter.d/nginx-conn-limit.conf
new file mode 100755
index 0000000000000000000000000000000000000000..7577dcad0eb24c473c3952f87050e114e22c84a0
--- /dev/null
+++ b/docker/backoffice/etc/fail2ban/filter.d/nginx-conn-limit.conf
@@ -0,0 +1,2 @@
+[Definition]
+failregex = limiting connections by zone.*client: 
diff --git a/docker/backoffice/etc/fail2ban/filter.d/nginx-http-auth.conf b/docker/backoffice/etc/fail2ban/filter.d/nginx-http-auth.conf
new file mode 100755
index 0000000000000000000000000000000000000000..60e256dae59c0a5ff95e47929f36421ae01f322e
--- /dev/null
+++ b/docker/backoffice/etc/fail2ban/filter.d/nginx-http-auth.conf
@@ -0,0 +1,3 @@
+[Definition]
+failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: , server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$
+ignoreregex = 
diff --git a/docker/backoffice/etc/fail2ban/filter.d/nginx-req-limit.conf b/docker/backoffice/etc/fail2ban/filter.d/nginx-req-limit.conf
new file mode 100755
index 0000000000000000000000000000000000000000..94a990dc8bfb199350cd30d8defb5df213175cf7
--- /dev/null
+++ b/docker/backoffice/etc/fail2ban/filter.d/nginx-req-limit.conf
@@ -0,0 +1,2 @@
+[Definition]
+failregex = limiting requests, excess:.* by zone.*client: 
diff --git a/docker/backoffice/etc/fail2ban/jail.d/nginx.conf b/docker/backoffice/etc/fail2ban/jail.d/nginx.conf
new file mode 100755
index 0000000000000000000000000000000000000000..3bc13effa226c98cbfc1618180458ac6c560e214
--- /dev/null
+++ b/docker/backoffice/etc/fail2ban/jail.d/nginx.conf
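Review bot: The `failregex` in nginx-conn-limit.conf ends at `client: ` with nothing where the client address belongs; fail2ban needs a `<HOST>` tag (or an equivalent named host group) to know which address to ban, and it rejects a failregex that has no host capture, so the jail that uses this filter would fail to start. If the tag was merely stripped when this diff was rendered the point is moot, but as shown the line should read `failregex = limiting connections by zone.*client: <HOST>,` — the trailing comma stops the capture from matching a partial address. Adding an explicit `ignoreregex =` line, as the sibling nginx-http-auth.conf does, would keep the three new filters consistent. The filter only ever matches if nginx is configured with a `limit_conn` zone, which this commit does not show.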
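Review bot: nginx-http-auth.conf is added but nothing enables it — jail.d/nginx.conf in this same commit declares only `nginx-req-limit` and `nginx-conn-limit` — so unless a jail file outside this diff turns it on, the filter is dead configuration. The same gap appears in its regex: `client: , server:` has no `<HOST>` capture between `client: ` and the comma, so even when enabled fail2ban would have no address to ban; it should read `client: <HOST>, server:` (if the tag survived in the real file and was lost only in rendering, ignore this). To activate it, add a stanza such as `[nginx-http-auth]`, `enabled = true`, `logpath = /var/log/nginx/error.log` to the jail file. Note also that fail2ban's own package ships a `filter.d/nginx-http-auth.conf`; copying this directory over `/etc/fail2ban` shadows it, which may be intended but deserves a comment at the top of the file.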
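Review bot: `limiting requests, excess:.* by zone.*client: ` has the same missing host capture as the connection filter — with no `<HOST>` after `client: ` fail2ban cannot extract an address to ban and will refuse the filter; the line should end `client: <HOST>,` (unless the tag was stripped in rendering). Note that this only matches rejected requests; when `limit_req` is used with `burst` and no `nodelay`, nginx logs throttled-but-served requests as "delaying request" instead, which this regex correctly leaves alone, and the file would benefit from a one-line comment saying so. Recent fail2ban releases ship a `nginx-limit-req` filter covering this exact log line; if the packaged version has it, `filter = nginx-limit-req` in the jail avoids maintaining a copy — verify against the installed version before switching.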
@@ -0,0 +1,22 @@
+[sshd]
+enabled = false
+
+[nginx-req-limit]
+enabled = true
+filter = nginx-req-limit
+action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
+port = http,https
+logpath = /var/log/nginx/error.log
+findtime = 600
+bantime = 7200
+maxretry = 10
+
+[nginx-conn-limit]
+enabled = true
+filter = nginx-conn-limit
+action = iptables-multiport[name=ConnLimit, port="http,https", protocol=tcp]
+port = http,https
+logpath = /var/log/nginx/error.log
+findtime = 300
+bantime = 7200
+maxretry = 100
diff --git a/docker/dockerfile_web b/docker/dockerfile_web
index b0b136799ac4b2713132afc2d8b373e5961b4c2a..724cf837fb9d2eba93356e9e2fb7201c51b96563 100644
--- a/docker/dockerfile_web
+++ b/docker/dockerfile_web
@@ -28,6 +28,7 @@ RUN apt-get update && apt-get -y install \
 cron \
 rsyslog \
 logrotate \
+ fail2ban \
 iptables \
 git \
 dnsutils
@@ -43,5 +44,6 @@ RUN git clone -b ${TREFLE_OLD_VERSION} ${TREFLE_GIT} /srv/trefle-old && \
 chown -R www-data: /srv/trefle-old && \
 chmod -R u+rwx /srv/trefle-old
 
-CMD service nginx start; \
+CMD service fail2ban start; \
+ service nginx start; \
 cron -f
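Review bot: Both jails ban with `iptables-multiport`, but nothing in this commit gives the container the NET_ADMIN capability; in an unprivileged container the action's `actionstart` fails with "Operation not permitted", fail2ban logs the error and keeps running, and no ban is ever applied while nginx continues to serve — the Compose/run configuration needs `cap_add: NET_ADMIN` (or equivalent), and the jail file should say so in a comment. A second, inferred risk: if nginx sits behind a reverse proxy or the published port goes through Docker's userland proxy, every error-log line carries the proxy or bridge-gateway address, and `maxretry = 10` would ban that single address for all users; either configure `set_real_ip_from`/`real_ip_header` in nginx or at minimum add `[DEFAULT]` with `ignoreip = 127.0.0.1/8 ::1` plus the proxy or gateway range. The `[sshd]` / `enabled = false` override is correct for a container without sshd but is cryptic on its own; a comment such as `# no sshd in this image; overrides the sshd jail enabled by Debian's jail.d/defaults-debian.conf` records why it exists. `port = http,https` is already passed inside each `action = …` line, so the jail-level `port` keys are redundant and can be dropped.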
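Review bot: `CMD service fail2ban start; \` chains with `;`, so a failed start — no NET_ADMIN, or a jail whose `logpath` does not yet exist, since fail2ban refuses to start a jail when it finds no log file and `/var/log/nginx/error.log` may not be created until nginx has run — is silently ignored and the container comes up without the protection this commit adds. Starting nginx first and chaining with `&&` surfaces the failure at container start: `CMD service nginx start && service fail2ban start && cron -f`. Neither daemon is supervised afterwards: PID 1 is `cron -f`, so if fail2ban exits nothing restarts it and nothing reports it; a process supervisor or a HEALTHCHECK that queries `fail2ban-client status` would be the durable fix. The shell-form CMD and the `service` usage predate this change and are out of scope here.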