diff --git a/config/jail.conf b/config/jail.conf
index ff0287a2..3f2425b4 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -101,6 +101,26 @@ action = hostsdeny
 ignoreregex = for myuser from
 logpath = /var/log/sshd.log
 
+# Here we use a combination of Netfilter/Iptables and IPsets
+# for storing large volumes of banned IPs
+#
+# IPset comes in two versions. See ipset -V for which one to use
+# requires the ipset package and kernel support.
+[ssh-iptables-ipset4]
+
+enabled = false
+filter = sshd
+action = iptables-ipset-proto4[name=SSH, port=ssh, protocol=tcp]
+logpath = /var/log/sshd.log
+maxretry = 5
+
+[ssh-iptables-ipset6]
+enabled = false
+filter = sshd
+action = iptables-ipset-proto6[name=SSH, port=ssh, protocol=tcp, bantime=600]
+logpath = /var/log/sshd.log
+maxretry = 5
+
 # This jail demonstrates the use of wildcards in "logpath".
 # Moreover, it is possible to give other files on a new line.
 
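Review bot: The `bantime=600` embedded in the `iptables-ipset-proto6[...]` action argument of `[ssh-iptables-ipset6]` is a second copy of the ban duration that the jail's own `bantime` (inherited from a default section outside this hunk) does not control, and `[ssh-iptables-ipset4]` passes none at all; if the two values drift apart the set entry and fail2ban's own unban presumably expire at different times, so the window an attacker is actually blocked for is no longer what the jail says. I would add above `[ssh-iptables-ipset6]`: `# bantime here is handed to the action (set entry timeout); keep it equal to the jail's bantime`, and either pass the same parameter to the proto4 action or note why it is not needed there. The section comment says ipset "comes in two versions" but does not tie that to the jail names; if, as the comment implies, the 4/6 suffixes mean the ipset protocol version reported by `ipset -V`, say so explicitly with `# ipset4/ipset6 below = ipset protocol version 4 / 6 (see ipset -V), not IPv4/IPv6`, since the names invite the address-family reading. Minor: `[ssh-iptables-ipset4]` is followed by a blank line before `enabled` while `[ssh-iptables-ipset6]` is not; pick one layout for both new jails.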