diff --git a/.vscode/tasks.json b/.vscode/tasks.json
index 0bd6aa4..fa8920d 100644
--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@@ -70,6 +70,16 @@
                 "panel": "dedicated"
             }
         },
+        {
+            "label": "Deploy: fail2ban-ingress",
+            "type": "shell",
+            "command": "make deploy-fail2ban-ingress",
+            "group": "build",
+            "presentation": {
+                "reveal": "always",
+                "panel": "dedicated"
+            }
+        },
         {
             "label": "Deploy: mail",
             "type": "shell",
diff --git a/playbooks/fail2ban-ingress/fail2ban-ingress.yml b/playbooks/fail2ban-ingress/fail2ban-ingress.yml
index 34e3992..206a444 100644
--- a/playbooks/fail2ban-ingress/fail2ban-ingress.yml
+++ b/playbooks/fail2ban-ingress/fail2ban-ingress.yml
@@ -13,6 +13,31 @@
         name: fail2forward
         create_home: true
 
+    - name: Create .ssh
+      ansible.builtin.file:
+        name: /home/fail2forward/.ssh
+        owner: fail2forward
+        group: fail2forward
+        state: directory
+        mode: '0655'
+
+    - name: Create authorized_keys
+      ansible.builtin.copy:
+        content: "command=\"/usr/local/bin/fail2forward\",no-pty,no-agent-forwarding,no-X11-forwarding,no-port-forwarding,restrict \
+          {{ lookup('ansible.builtin.file', '../fail2ban/fail2forward_id_rsa.pub') }}"
+        owner: fail2forward
+        group: fail2forward
+        dest: /home/fail2forward/.ssh/authorized_keys
+        mode: '0644'
+
+    - name: Copy fail2forward script
+      ansible.builtin.template:
+        src: fail2forward.j2
+        dest: /usr/local/bin/fail2forward
+        owner: root
+        group: root
+        mode: '0755'
+
     - name: Copy jail.local
       ansible.builtin.template:
         src: jail.local.j2
@@ -20,9 +45,7 @@
         owner: root
         group: root
         mode: '0644'
-      notify: Restart fail2ban
 
-  handlers:
     - name: Restart fail2ban
       ansible.builtin.service:
         name: fail2ban
diff --git a/playbooks/fail2ban-ingress/fail2forward.j2 b/playbooks/fail2ban-ingress/fail2forward.j2
new file mode 100644
index 0000000..eb17879
--- /dev/null
+++ b/playbooks/fail2ban-ingress/fail2forward.j2
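Review bot: The `.ssh` directory in `Create .ssh` is created with `mode: '0655'`, which gives the owner read and write but no execute bit while granting every other local user read and traverse; that looks like a typo for the conventional `mode: '0700'`. sshd's StrictModes only rejects group- or world-writable paths, so the check passes, but the owner cannot list or traverse its own `.ssh`, and `0700` also stops other accounts from reading the forced-command options line. `authorized_keys` is written `0644`; `0600` is the customary value for the same reason. The key options are otherwise sound: `restrict` already implies the listed `no-*` options, so those are redundant but harmless.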
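Review bot: With `notify: Restart fail2ban` and the `handlers:` section removed, `Restart fail2ban` becomes a plain task that restarts the service on every playbook run even when `jail.local` is unchanged; the `playbooks/fail2ban/fail2ban.yml` hunk does the same. Each restart briefly takes the jails down and, on the ingress host, a forwarded ban arriving in that window is likely lost because `fail2ban-client` cannot reach the server and the sender does not retry. If the unconditional restart is intended, a one-line comment saying so would help; otherwise register the template task result and guard with `when: jail_local.changed` (adding `or forward_conf.changed` on the fail2ban host), or keep the handler. The tasks list continues outside this hunk.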
@@ -0,0 +1,17 @@
+#!/bin/bash
+set -euo pipefail
+case "$SSH_ORIGINAL_COMMAND" in
+  "ban "*)
+    ip="${SSH_ORIGINAL_COMMAND#ban }"
+    [[ "$ip" =~ ^[0-9.]+$|^[0-9a-fA-F:]+$ ]] || { echo "bad ip"; exit 1; }
+    exec fail2ban-client set sshd banip "$ip"
+    ;;
+  "unban "*)
+    ip="${SSH_ORIGINAL_COMMAND#unban }"
+    [[ "$ip" =~ ^[0-9.]+$|^[0-9a-fA-F:]+$ ]] || { echo "bad ip"; exit 1; }
+    exec fail2ban-client set sshd unbanip "$ip"
+    ;;
+  *)
+    echo "denied" >&2; exit 1
+    ;;
+esac
\ No newline at end of file
diff --git a/playbooks/fail2ban-ingress/jail.local.j2 b/playbooks/fail2ban-ingress/jail.local.j2
index 6f19ec6..367e3a7 100644
--- a/playbooks/fail2ban-ingress/jail.local.j2
+++ b/playbooks/fail2ban-ingress/jail.local.j2
@@ -8,20 +8,5 @@ bantime.multipliers = 1 5 30 60 300 720 1440 2880
 
 [sshd]
 enabled = true
-port = ssh,2222,4444
-
-[nginx-http-auth]
-enabled = true
-
-[nginx-limit-req]
-enabled = true
-
-[postfix]
-enabled = true
-port = smtp,submission
-logpath = /opt/beeserver/mail/mail-logs/mail.log
-
-[dovecot]
-enabled = true
-port = imaps,pop3s
-logpath = /opt/beeserver/mail/mail-logs/mail.log
\ No newline at end of file
+port = ssh
+backend = systemd
\ No newline at end of file
diff --git a/playbooks/fail2ban/fail2ban.yml b/playbooks/fail2ban/fail2ban.yml
index cb28ab6..3e213be 100644
--- a/playbooks/fail2ban/fail2ban.yml
+++ b/playbooks/fail2ban/fail2ban.yml
@@ -36,9 +36,15 @@
         owner: root
         group: root
         mode: '0644'
-      notify: Restart fail2ban
 
-  handlers:
+    - name: Copy forward.conf
+      ansible.builtin.template:
+        src: forward.conf.j2
+        dest: /etc/fail2ban/action.d/forward.conf
+        owner: root
+        group: root
+        mode: '0644'
+
     - name: Restart fail2ban
       ansible.builtin.service:
         name: fail2ban
diff --git a/playbooks/fail2ban/fail2forward_id_rsa.pub b/playbooks/fail2ban/fail2forward_id_rsa.pub
new file mode 100644
index 0000000..b907eae
--- /dev/null
+++ b/playbooks/fail2ban/fail2forward_id_rsa.pub
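Review bot: `set -u` together with `case "$SSH_ORIGINAL_COMMAND"` means a connection that carries no command (a plain `ssh` login or an scp/sftp probe) aborts with bash's `unbound variable` message instead of reaching the `denied` branch; the exit status is still non-zero, so access is refused either way, but the intended message never appears and the failure is harder to read in the auth log. Use `case "${SSH_ORIGINAL_COMMAND:-}" in` so the default branch handles it. The two `echo "bad ip"` messages go to stdout while `denied` goes to stderr; sending all three to `>&2` keeps the sender's fail2ban action log consistent. The jail name `sshd` is hard-coded in both `exec` lines, which matches the single jail left in `jail.local.j2`, but a comment such as `# bans land in the local sshd jail; keep in sync with jail.local` would save the next reader a search.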
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCpbmyeKy5UjpTrLJk/QYzagg4MHfBV0/wPsAicn9jzxiK3Pqtn4zTCLchBis5Cfoc1aQCqUSp3X6CCjO5FIU0uaMAQPrZneecpSyDbNGkJuUM7JE2dY2pvMSdPpwzR54aauW56/HhtTARVZwgFOKwjcBaf3Fv98qiAzTTqGJjSJOZ6nFiuPm0PQ40867bUFLHuIJJBJVg3PHy+k0mUIsA8yF3ksSQOgyms2Iy54G6hL8ynpDoiLilbc4iYpBAyKjFCHx3Si1LIIH/hp2znexuzLRK68G7a919sEw+OT1h2gJLBnA6G36UwR4rVIQkNdScuM2WzggqGIdgbK8lOSCXf ansible-generated on beepi
\ No newline at end of file
diff --git a/playbooks/fail2ban/forward.conf.j2 b/playbooks/fail2ban/forward.conf.j2
new file mode 100644
index 0000000..0a1157a
--- /dev/null
+++ b/playbooks/fail2ban/forward.conf.j2
@@ -0,0 +1,12 @@
+[Definition]
+actionstart =
+actionstop =
+actioncheck =
+
+actionban = sudo -u fail2forward ssh -i ~fail2forward/.ssh/id_rsa -o BatchMode=yes -o ConnectTimeout=5 -o ServerAliveInterval=5 @ ban
+
+actionunban = sudo -u fail2forward ssh -i ~fail2forward/.ssh/id_rsa -o BatchMode=yes -o ConnectTimeout=5 -o ServerAliveInterval=5 @ unban
+
+[Init]
+forward_host = animeistrash.org
+forward_user = fail2forward
diff --git a/playbooks/fail2ban/jail.local.j2 b/playbooks/fail2ban/jail.local.j2
index 6f19ec6..2713306 100644
--- a/playbooks/fail2ban/jail.local.j2
+++ b/playbooks/fail2ban/jail.local.j2
@@ -5,6 +5,10 @@ maxretry = 5
 banaction = ufw
 bantime.increment = true
 bantime.multipliers = 1 5 30 60 300 720 1440 2880
+ignoreip = 81.217.198.106
+
+action = %(action_)s
+         forward
 
 [sshd]
 enabled = true
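Review bot: `actionban` and `actionunban` use `-o BatchMode=yes` with no known_hosts handling, so the very first connection to `forward_host` fails unless the ingress host key is already trusted by the `fail2forward` user, and fail2ban merely logs the failed action rather than retrying; provision the key with an `ansible.builtin.known_hosts` task (or point `-o UserKnownHostsFile=` at a managed file) rather than relaxing `StrictHostKeyChecking`. The command tail reads `@ ban` and `@ unban` here, which looks like fail2ban's `<forward_user>@<forward_host> ban <ip>` tag syntax with the angle brackets lost in rendering; if the committed file really ends in `@ ban`, the action cannot work. Nothing in this diff creates `~fail2forward/.ssh/id_rsa`, so presumably an earlier task generates it. A short `#` comment at the top of `[Definition]` noting that bans are relayed to the ingress host's local `sshd` jail would help whoever debugs a missing remote ban.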
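Review bot: `ignoreip = 81.217.198.106` in the default block (the lines above `[sshd]`) is a plain override, so whatever `jail.conf` sets for `ignoreip` is replaced rather than extended; on releases that still ship `ignoreip = 127.0.0.1/8 ::1` uncommented, loopback loses its exemption and, because `action` now includes `forward`, such a ban would also be pushed to the ingress host. Writing `ignoreip = 127.0.0.1/8 ::1 81.217.198.106` is harmless on newer releases (which cover the host's own addresses via `ignoreself`) and makes the intent explicit. The address is hard-coded inside a Jinja template; a variable such as `{{ fail2ban_ignoreip }}` would keep the operator's address out of the rendered template and allow per-host values. Appending `forward` to `%(action_)s` in the default block applies the relay to every enabled jail, which is consistent with the ingress side exposing only the `sshd` sink.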