diff --git a/fail2ban/README b/fail2ban/README
new file mode 100644
index 0000000000000000000000000000000000000000..76e202c76fc0018b81909cd268883983b362a5ac
--- /dev/null
+++ b/fail2ban/README
@@ -0,0 +1,45 @@
+Support scripts for fail2ban
+============================
+
+Introduction
+------------
+
+Fail2ban is a logfile watcher, which is able to run various actions,
+based on too many patterns occured in the log file.
+Those helper shell scripts can be used as action to report events to
+Warden_.
+
+Dependencies
+------------
+
+ 1. Python packages
+
+    warden_filer 3.0+
+
+Usage
+-----
+
+ * f2ban_spam.sh is meant to be used in cooperation with the default
+   "postfix" rule.
+ * f2ban_ssh.sh is meant to be used in cooperation with the default
+   "ssh" rule. 
+
+In the corresponding action following invocation can be used:
+
+   actionban = /usr/local/bin/f2ban_XXX.sh <ip> <failures> <time>
+
+Please, edit corresponding paths and Warden names in the corresponding
+script preamble and check/edit contents of the IDEA template (e.g. Target IP 
+address in f2ban_ssh.sh).
+
+Scripts write generated Idea_ events into warden_filer compatible
+directory, so you will need to run properly configured (and registered
+into Warden server) warden_filer instance, which will take care for
+picking up the events and submitting them.
+
+.. _Warden: https://warden.cesnet.cz/
+.. _Idea: https://idea.cesnet.cz/
+
+------------------------------------------------------------------------------
+
+Copyright (C) 2017 Cesnet z.s.p.o
diff --git a/fail2ban/f2ban_spam.sh b/fail2ban/f2ban_spam.sh
new file mode 100755
index 0000000000000000000000000000000000000000..ba426e69ab6bb8aff98d56f2943759cdab52fe8c
--- /dev/null
+++ b/fail2ban/f2ban_spam.sh
@@ -0,0 +1,54 @@
+#!/bin/bash
+
+umask 0111
+
+filer_dir="/var/mentat/spool/_wardenout"
+src_ip=$1
+failures=$2
+detect_time=$(date --date="@$3" --rfc-3339=seconds)
+create_time=$(date --rfc-3339=seconds)
+node_name="org.example.fail2ban.blacklist"
+
+uuid() {
+        for ((n=0; n<16; n++)); do  
+                read -n1 c < /dev/urandom
+                LC_CTYPE=C d=$(printf '%d' "'$c")
+                s=''
+                case $n in
+                        6) ((d = d & 79 | 64));;   
+                        8) ((d = d & 191 | 128));;  
+                        3|5|9|7) s='-';; 
+                esac
+                printf '%02x%s' $d "$s"
+        done
+}
+
+event_id=$(uuid)
+
+cat >"$filer_dir/tmp/$event_id" <<EOF
+{
+   "Format" : "IDEA0",
+   "ID" : "$event_id",
+   "DetectTime" : "$detect_time",
+   "CreateTime" : "$create_time",
+   "Category" : ["Abusive.Spam"],
+   "Description" : "Blacklisted host",
+   "Note" : "Block duration: 3600. IP was blacklisted, is listed on more than 5 public blacklists",
+   "Source" : [{
+      "Type": ["Spam"],
+      "IP4" : ["$src_ip"],
+      "Proto": ["tcp", "smtp"]
+   }],
+   "Node" : [{
+         "Name" : "$node_name",
+         "SW" : ["Fail2Ban"],
+         "Type" : ["Log", "Statistical"]
+   }],
+   "_CESNET" : {
+      "Impact" : "IP was blacklisted, is listed on more than 5 public blacklists",
+      "EventTemplate" : "f2b-001"
+   }
+}
+EOF
+
+mv "$filer_dir/tmp/$event_id" "$filer_dir/incoming"
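Review bot: `umask 0111` at the top of the script leaves every event file at mode 0666, so the file written under `$filer_dir/tmp` and then moved to `incoming` is writable by any local account that can reach the spool directory. A queued event could therefore be altered before warden_filer submits it. A tighter mask such as `umask 0137`, with the spool owned by a group shared with the warden_filer user, keeps the files readable by the filer without making them world-writable. Which account the filer runs under is not visible here, so the exact mask needs confirming. The same line opens f2ban_ssh.sh, and a comment on it such as `# event files: readable by warden_filer, never world-writable` would record the intent.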
diff --git a/fail2ban/f2ban_ssh.sh b/fail2ban/f2ban_ssh.sh
new file mode 100755
index 0000000000000000000000000000000000000000..e814a2e7e0f4bd9a9662faed820aca04615ebc29
--- /dev/null
+++ b/fail2ban/f2ban_ssh.sh
@@ -0,0 +1,57 @@
+#!/bin/bash
+
+umask 0111
+
+filer_dir="/var/spool/warden_sender"
+src_ip=$1
+failures=$2
+detect_time=$(date --date="@$3" --rfc-3339=seconds)
+create_time=$(date --rfc-3339=seconds)
+node_name="org.example.fail2ban.ssh"
+
+uuid() {
+        for ((n=0; n<16; n++)); do  
+                read -n1 c < /dev/urandom
+                LC_CTYPE=C d=$(printf '%d' "'$c")
+                s=''
+                case $n in
+                        6) ((d = d & 79 | 64));;   
+                        8) ((d = d & 191 | 128));;  
+                        3|5|9|7) s='-';; 
+                esac
+                printf '%02x%s' $d "$s"
+        done
+}
+
+event_id=$(uuid)
+
+cat >"$filer_dir/tmp/$event_id" <<EOF
+{
+   "Format": "IDEA0",
+   "ID": "$event_id",
+   "DetectTime": "$detect_time",
+   "CreateTime": "$create_time",
+   "Category": ["Attempt.Login"],
+   "Description": "SSH dictionary/bruteforce attack",
+   "ConnCount": $failures,
+   "Note": "IP attempted $failures logins to SSH service",
+   "Source": [{
+      "IP4": ["$src_ip"],
+      "Proto": ["tcp", "ssh"]
+   }],
+   "Target": [{
+       "Type": ["Anonymised"],
+       "IP4": ["192.0.2.0/24"],
+       "Anonymised": true,
+       "Proto": ["tcp", "ssh"],
+       "Port": [22]
+   }],
+   "Node": [{
+         "Name": "$node_name",
+         "SW": ["Fail2Ban"],
+         "Type": ["Log", "Statistical"]
+   }]
+}
+EOF
+
+mv "$filer_dir/tmp/$event_id" "$filer_dir/incoming"
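Review bot: `"ConnCount": $failures` writes the second argument into the event as a bare JSON token, so an empty or non-numeric `$2` produces a file that is not valid JSON and is still moved into `incoming`. A guard before the here-document, `[[ $failures =~ ^[0-9]+$ ]] || exit 1`, keeps malformed events out of the spool. `$src_ip` and `$3` are interpolated without any escaping as well, here and in f2ban_spam.sh, and would benefit from a similar format check. Fail2ban normally supplies these values, so this is a defensive check rather than a known-broken path.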