diff --git a/fail2ban/README b/fail2ban/README
index b3746631210073e45899162ab012446c70a91473..76e202c76fc0018b81909cd268883983b362a5ac 100644
--- a/fail2ban/README
+++ b/fail2ban/README
@@ -29,7 +29,8 @@ In the corresponding action following invocation can be used:
    actionban = /usr/local/bin/f2ban_XXX.sh <ip> <failures> <time>
 
 Please, edit corresponding paths and Warden names in the corresponding
-script preamble.
+script preamble and check/edit contents of the IDEA template (e.g. Target IP 
+address in f2ban_ssh.sh).
 
 Scripts write generated Idea_ events into warden_filer compatible
 directory, so you will need to run properly configured (and registered
diff --git a/fail2ban/f2ban_ssh.sh b/fail2ban/f2ban_ssh.sh
index 61c8b165cad660feacbdb01d709036d93fe1667d..e814a2e7e0f4bd9a9662faed820aca04615ebc29 100755
--- a/fail2ban/f2ban_ssh.sh
+++ b/fail2ban/f2ban_ssh.sh
@@ -31,9 +31,9 @@ cat >"$filer_dir/tmp/$event_id" <<EOF
    "ID": "$event_id",
    "DetectTime": "$detect_time",
    "CreateTime": "$create_time",
-   "Category": ["Abusive.Spam"],
+   "Category": ["Attempt.Login"],
    "Description": "SSH dictionary/bruteforce attack",
-   "Count": $failures,
+   "ConnCount": $failures,
    "Note": "IP attempted $failures logins to SSH service",
    "Source": [{
       "IP4": ["$src_ip"],
@@ -41,8 +41,10 @@ cat >"$filer_dir/tmp/$event_id" <<EOF
    }],
    "Target": [{
        "Type": ["Anonymised"],
-       "IP4": ["160.217.0.0/16"],
-       "Anonymised": true
+       "IP4": ["192.0.2.0/24"],
+       "Anonymised": true,
+       "Proto": ["tcp", "ssh"],
+       "Port": [22]
    }],
    "Node": [{
          "Name": "$node_name",