diff --git a/modules/sshd.nix b/modules/sshd.nix
index a046574..040ed09 100644
--- a/modules/sshd.nix
+++ b/modules/sshd.nix
@@ -1,4 +1,5 @@
 { lib
+, config
 , ...
 }:
@@ -31,4 +32,30 @@
 ];
 authorizedKeysFiles = lib.mkForce [ "/etc/ssh/authorized_keys.d/%u" ];
 };
+
+ networking.nftables.tables."nixos-fw".content = lib.mkOrder 20 ''
+ set ssh-ratelimit-v4 {
+ type ipv4_addr
+ timeout 60s
+ flags dynamic
+ }
+
+ set ssh-ratelimit-v6 {
+ type ipv6_addr
+ timeout 60s
+ flags dynamic
+ }
+ '';
+
+ # Implement connection rate limit
+ services.openssh.openFirewall = false;
+ networking.firewall.extraInputRules = lib.mkOrder 5 (
+ let
+ ports = builtins.concatStringsSep ", " (map builtins.toString config.services.openssh.ports);
+ in
+ ''
+ tcp dport { ${ports} } update @ssh-ratelimit-v4 { ip saddr limit rate 1/second burst 10 packets } accept
+ tcp dport { ${ports} } update @ssh-ratelimit-v6 { ip6 saddr limit rate 1/second burst 10 packets } accept
+ ''
+ );
 }
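Review bot: The two accept rules added in the second hunk charge the per-source rate limit for every TCP packet to the SSH ports rather than only for connection attempts; if the enclosing chain does not already accept established traffic before `extraInputRules` is reached, a single active session would exhaust its own 1/second bucket, and because `openFirewall = false` makes these rules the only path admitting SSH, the excess packets fall through to whatever the chain does by default. Matching connection setup only keeps the rule consistent with the `# Implement connection rate limit` comment: `tcp dport { ${ports} } ct state new update @ssh-ratelimit-v4 { ip saddr limit rate 1/second burst 10 packets } accept`, with the same `ct state new` on the v6 line. Separately, `builtins.concatStringsSep ", "` over an empty `config.services.openssh.ports` renders `tcp dport {  }`, which I would expect nft to reject at load time, so a `lib.optionalString (config.services.openssh.ports != [ ])` guard or an assertion would make that failure explicit. A short comment above the `networking.nftables.tables` block noting that these dynamic sets back the rules in `extraInputRules`, and that over-limit packets are not dropped here but left to the chain's default handling, would help the next reader.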