diff --git a/group_vars/all/security.yml b/group_vars/all/security.yml
index 57c2bcdd7d..b58d92cd60 100644
--- a/group_vars/all/security.yml
+++ b/group_vars/all/security.yml
@@ -29,6 +29,13 @@ fail2ban_services_custom:
 enabled: "false"
 port: http,https
 logpath: "{{ www_root }}/**/logs/access.log"
+ - name: nginx_env_probe
+ filter: nginx-env-probe
+ enabled: "true"
+ port: http,https
+ logpath: "{{ www_root }}/**/logs/error.log"
+ maxretry: 1
+ bantime: 3600
 
 # If sshd_permit_root_login: false, admin_user must be in 'users' (`group_vars/all/users.yml`) with sudo group
 # and in 'vault_users' (`group_vars/staging/vault.yml`, `group_vars/production/vault.yml`)
diff --git a/roles/fail2ban/templates/filters/nginx-env-probe.conf.j2 b/roles/fail2ban/templates/filters/nginx-env-probe.conf.j2
new file mode 100644
index 0000000000..9e8f04ea52
--- /dev/null
+++ b/roles/fail2ban/templates/filters/nginx-env-probe.conf.j2
@@ -0,0 +1,6 @@
+# Fail2Ban filter for nginx .env file access attempts
+# Matches nginx error log entries for forbidden .env file requests
+
+[Definition]
+failregex = ^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \[error\].*access forbidden by rule, client: ,.*request: "GET .*\.env.*"
+ignoreregex =
diff --git a/roles/fail2ban/templates/jail.local.j2 b/roles/fail2ban/templates/jail.local.j2
index 52bf79b679..7d74ddbeb5 100644
--- a/roles/fail2ban/templates/jail.local.j2
+++ b/roles/fail2ban/templates/jail.local.j2
@@ -35,6 +35,9 @@ logpath = {{ service.logpath }}
 {% if service.maxretry is defined %}
 maxretry = {{ service.maxretry }}
 {% endif %}
+{% if service.bantime is defined %}
+bantime = {{ service.bantime }}
+{% endif %}
 {% if service.protocol is defined %}
 protocol = {{ service.protocol }}
 {% endif %}
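Review bot: The new `nginx_env_probe` entry bans on a single matching log line (`maxretry: 1`) for an hour (`bantime: 3600`) without a comment recording why the threshold is that aggressive, and nothing in the hunk states that the jail only fires when nginx itself has already denied the request and written `access forbidden by rule` to `error.log`. Suggest a comment above the entry such as `# a single forbidden .env request bans the client; relies on the nginx deny rule that logs "access forbidden by rule" to error.log`. If the nginx role does not deny dotfile requests, this jail is inert, so the dependency is worth stating where the jail is configured. The `fail2ban_services_custom` list begins before this hunk.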
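Review bot: The `failregex` on the added line reads `client: ,` with no `<HOST>` capture between `client: ` and the comma, so as written fail2ban has no address to ban and will reject the filter; if `<HOST>` was lost in rendering this is fine, otherwise it needs restoring. The pattern also hard-codes the timestamp (`^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}`) at the start, whereas fail2ban removes the matched date from the line before applying failregex and the nginx filters shipped with fail2ban therefore begin with `^ \[error\]`; I would expect the current anchor to miss every line. Suggest `failregex = ^ \[error\] .*access forbidden by rule, client: <HOST>,.*request: "GET .*\.env.*"` and checking it with `fail2ban-regex` against a real error-log line before rollout. The literal `GET` also means other methods requesting the same path are not counted, which may or may not be intended depending on what the nginx deny rule covers.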