diff --git a/modules/services/security/fail2ban.nix b/modules/services/security/fail2ban.nix
index 258a2d79163..a232d18a572 100644
--- a/modules/services/security/fail2ban.nix
+++ b/modules/services/security/fail2ban.nix
@@ -118,6 +118,7 @@ in
           { ExecStart = "${pkgs.fail2ban}/bin/fail2ban-server -f";
             ReadOnlyDirectories = "/";
             ReadWriteDirectories = "/var/run/fail2ban";
+            CapabilityBoundingSet="CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW";
           };
 
         postStart =