diff --git a/cdist/conf/type/__fail2ban/gencode-remote b/cdist/conf/type/__fail2ban/gencode-remote
new file mode 100644
index 00000000..a3f6933c
--- /dev/null
+++ b/cdist/conf/type/__fail2ban/gencode-remote
@@ -0,0 +1,36 @@
+#!/bin/sh
+#
+# 2016 Simon Walter (simon at explicit dot technology)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see .
+#
+
+config_file="/etc/fail2ban/jail.conf"
+
+if [ -f "$__object/parameter/enable-services" ]; then
+ enable_services="$(cat "$__object/parameter/enable-services")"
+else
+ enable_services="$__object_id"
+fi
+services="$(echo $enable_services | sed -e 's/,/ /g')"
+for service in $services
+do
+ echo "[$(tput setaf 6)info$(tput sgr 0)] Enabling fail2ban for $service..." >&2
+ cat << EOF
+perl -i -pe 'BEGIN{undef $/;} s/\[$service\].*[\n]*enabled.*=.*\n/\[$service\]\n\nenabled = true\n/g' $config_file
+EOF
+done
+echo "service fail2ban restart"
diff --git a/cdist/conf/type/__fail2ban/manifest b/cdist/conf/type/__fail2ban/manifest
new file mode 100644
index 00000000..92e98021
--- /dev/null
+++ b/cdist/conf/type/__fail2ban/manifest
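Review bot: `$service` is expanded by the unquoted here-document straight into the single-quoted perl program and its regex inside the `for` loop, so a value from `enable-services` or `$__object_id` that contains a quote or a regex metacharacter changes the command that is executed on the target (typically as root). Validate each name before emitting code, for example `case "$service" in *[!A-Za-z0-9_-]*) echo "invalid service name: $service" >&2; exit 1;; esac` as the first statement of the loop body. The substitution also does nothing, and reports nothing, when `$config_file` has no `[$service]` section directly followed by an `enabled` line, so a mistyped jail name leaves that service unprotected while the run looks successful. The script edits `/etc/fail2ban/jail.conf`, which fail2ban itself says should be overridden through `jail.local` or `jail.d/` because a package update may replace it, and that would silently drop the enabled jails.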
@@ -0,0 +1,39 @@
+#!/bin/sh
+#
+# 2016 Simon Walter (simon at explicit dot technology)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see .
+#
+
+os=$(cat "$__global/explorer/os")
+
+case "$os" in
+ debian|ubuntu|devuan)
+ __package iptables --state present
+ require=__package/iptables __package fail2ban --state present
+ ;;
+ centos)
+ __package epel-release --state present
+ require=__package/epel-release __package iptables --state present
+ require=__package/epel-release __package fail2ban --state present
+ ;;
+ *)
+ echo "Your operating system ($os) is currently untested for ${__type##*/}." >&2
+ echo "If it works, please add it." >&2
+ __package fail2ban --state present
+ ;;
+esac
+
diff --git a/cdist/conf/type/__fail2ban/parameter/optional b/cdist/conf/type/__fail2ban/parameter/optional
new file mode 100644
index 00000000..e43ccb4b
--- /dev/null
+++ b/cdist/conf/type/__fail2ban/parameter/optional
@@ -0,0 +1 @@
+enable-services
\ No newline at end of file
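Review bot: Nothing in this manifest makes fail2ban start at boot; every branch of the `case` only installs packages, and the single `service fail2ban restart` emitted by gencode-remote does not persist across a reboot. On distributions whose package does not enable the service on install (likely the `centos` branch, to be confirmed), the host would come back up with no banning active. Consider adding `require=__package/fail2ban __start_on_boot fail2ban` after the `esac`.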