diff --git a/roles/fail2ban/tasks/main.yml b/roles/fail2ban/tasks/main.yml
index 4108edc..5d0394e 100644
--- a/roles/fail2ban/tasks/main.yml
+++ b/roles/fail2ban/tasks/main.yml
@@ -23,6 +23,24 @@
 state: "{{ fail2ban_package_state }}"
 become: true
 
+- name: Create fail2ban logging directory.
+ file:
+ path: "/var/log/fail2ban"
+ state: directory
+ mode: '0700'
+ owner: 'root'
+ group: 'root'
+ become: true
+
+- name: Create fail2ban systemd drop-in directory.
+ file:
+ path: "/etc/systemd/system/fail2ban.service.d"
+ state: directory
+ mode: '0755'
+ owner: 'root'
+ group: 'root'
+ become: true
+
 - name: Deploy fail2ban jail config.
 template:
 src: "jail.local.j2"
@@ -33,6 +51,26 @@
 notify: restart fail2ban service
 become: true
 
+- name: Deploy fail2ban config.
+ template:
+ src: "fail2ban.local.j2"
+ dest: "/etc/fail2ban/fail2ban.local"
+ mode: '0644'
+ owner: 'root'
+ group: 'root'
+ notify: restart fail2ban service
+ become: true
+
+- name: Deploy fail2ban hardening systemd drop-in.
+ template:
+ src: override.conf.j2
+ dest: /etc/systemd/system/fail2ban.service.d/override.conf
+ mode: '0644'
+ owner: 'root'
+ group: 'root'
+ notify: restart fail2ban service
+ become: true
+
 - name: Ensure fail2ban service is enabled and started.
 service:
 name: fail2ban
diff --git a/roles/fail2ban/templates/fail2ban.local.j2 b/roles/fail2ban/templates/fail2ban.local.j2
new file mode 100644
index 0000000..5af1a72
--- /dev/null
+++ b/roles/fail2ban/templates/fail2ban.local.j2
@@ -0,0 +1,4 @@
+{{ ansible_managed | comment }}
+
+[Definition]
+logtarget = /var/log/fail2ban/fail2ban.log
diff --git a/roles/fail2ban/templates/override.conf.j2 b/roles/fail2ban/templates/override.conf.j2
new file mode 100644
index 0000000..ca6fa6d
--- /dev/null
+++ b/roles/fail2ban/templates/override.conf.j2
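Review bot: `mode: '0700'` on `/var/log/fail2ban` in the "Create fail2ban logging directory." task makes fail2ban's own log readable by root only, so a log-shipping agent that runs unprivileged (the usual setup for SIEM forwarders) will not be able to collect the ban/unban events this role is presumably meant to surface. If root-only is the intent, a one-line task comment saying so would stop the next maintainer from "fixing" it; otherwise `mode: '0750'` with `group: 'adm'` keeps the directory closed to others while letting an adm-member collector read it, matching how Debian-family systems expose other daemon logs. I am inferring the collector setup from nothing in this diff, so confirm against the hosts the role targets.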
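Review bot: The "Deploy fail2ban hardening systemd drop-in." task only notifies `restart fail2ban service`, but systemd does not pick up a new or changed unit drop-in until `systemctl daemon-reload` has run, so on the first deploy the restarted service comes up without the sandbox and the `ReadWritePaths`/`CapabilityBoundingSet` settings stay unenforced until the next reload. The handler is defined outside this diff; if it uses the `systemd` module it can take `daemon_reload: true` next to `state: restarted`, whereas the `service` module has no such option, so the alternative is to register the template result and run `systemd: daemon_reload: true` before the restart. Without one of those the hardening silently lags one reboot or manual reload behind the playbook run.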
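Review bot: `logtarget = /var/log/fail2ban/fail2ban.log` moves fail2ban's own log out of the path the packaged logrotate snippet rotates (on Debian/Ubuntu `/etc/logrotate.d/fail2ban` targets `/var/log/fail2ban.log`, as far as I recall; verify for the target distro), so the relocated file will grow unbounded. Either ship a logrotate config for the new path in this role, with `postrotate` calling `fail2ban-client flushlogs` so the daemon reopens the file, or keep the packaged default target. A short comment in the template stating why the log was relocated, e.g. `# Own log directory so the systemd sandbox can expose it read-write without opening all of /var/log`, would make the intent clear if that was the motivation.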
@@ -0,0 +1,13 @@
+{{ ansible_managed | comment }}
+
+[Service]
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectHome=read-only
+ProtectSystem=strict
+ReadWritePaths=-/var/run/fail2ban
+ReadWritePaths=-/var/lib/fail2ban
+ReadWritePaths=-/var/log/fail2ban
+ReadWritePaths=-/var/spool/postfix/maildrop
+ReadWritePaths=-/run/xtables.lock
+CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
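Review bot: `ReadWritePaths=-/var/run/fail2ban` silently drops the entry when the directory does not exist at unit start (that is what the `-` prefix does), and under `ProtectSystem=strict` fail2ban then cannot create its socket directory, so startup depends on tmpfiles or a previous run having created `/run/fail2ban`. `RuntimeDirectory=fail2ban` is the robust form: systemd creates the directory before the sandbox is applied and implicitly makes it writable, and `StateDirectory=fail2ban` / `LogsDirectory=fail2ban` would do the same for the `/var/lib` and `/var/log` entries. The directives here look like fail2ban's commented-out upstream hardening block; on top of them `ProtectKernelTunables=yes`, `ProtectControlGroups=yes` and `RestrictRealtime=yes` are generally safe for a daemon that reads logs and execs iptables/nft, but `ProtectKernelModules=yes` can break iptables-legacy on a fresh boot because it tries to modprobe its own modules, so test any addition against the configured banaction. These settings are appended to whatever the packaged unit already sets rather than replacing it, so check the effective result with `systemctl show fail2ban -p ReadWritePaths -p CapabilityBoundingSet` after deploy.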