Here is the filter I use to chase off bots:
peter@whiskery:/etc/fail2ban/filter.d$ cat apache-baduas.conf
# Fail2Ban filter for User Agents I don't like
[Definition]
failregex = <HOST>.*[Pp]ython.*$
            <HOST>.*zgrab.*$
            <HOST>.*wget.*$
            <HOST>.*curl.*$
            <HOST>.*Go-http-client.*$
ignoreregex =
## PH 220223 adapted from apache-fakegooglebot
## PH 220517 added Go-http-client
## PH 220913 generalised python
Referenced by this stanza in jail.local:
## PH 220223 I'm getting pissed off with python scripts (and might add more later)
[apache-badua]
enabled = true
logpath = /var/log/apache2/access.log
          /var/log/apache2/bmgsb.log
          /var/log/apache2/peterhorn.log
port = http,https
maxretry = 2
findtime = 720
filter = apache-baduas
bantime = 3600
Feel free to massage to fit your environment.
As you can see, the regexes in this case are very simple. The <HOST> does all the heavy lifting. I forget where that macro is defined, but if you've got almost any other filter active it'll already be included.
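An added example, not part of the original post: the failregex lines above are unanchored, so a keyword anywhere in the log line (request path, referer) triggers a match, not only one in the User-Agent. The sketch below runs the post's five patterns and a hypothetical User-Agent-only variant over constructed Apache combined-format lines; the `HOST` stand-in, `UA_ONLY` and the sample log are assumptions made for illustration.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The five failregex lines from the post, with <HOST> substituted.
POST_PATTERNS = [re.compile(p.replace("<HOST>", HOST)) for p in (
    r"<HOST>.*[Pp]ython.*$", r"<HOST>.*zgrab.*$", r"<HOST>.*wget.*$",
    r"<HOST>.*curl.*$", r"<HOST>.*Go-http-client.*$",
)]

# Hypothetical tighter variant: anchored at line start, and the keyword must
# sit inside the last quoted field (User-Agent in Apache combined format).
UA_ONLY = re.compile(
    "^" + HOST + r' .* "[^"]*(?:[Pp]ython|zgrab|wget|curl|Go-http-client)[^"]*"$'
)

BROWSER = "Mozilla/5.0 (X11; Linux x86_64; rv:104.0) Gecko/20100101 Firefox/104.0"

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Sep/2022:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "python-requests/2.28.1"',
    '198.51.100.7 - - [13/Sep/2022:10:00:05 +0000] "GET /blog/curl-tips.html HTTP/1.1" 200 2048 "-" "%s"' % BROWSER,
    '203.0.113.5 - - [13/Sep/2022:10:00:09 +0000] "GET / HTTP/1.1" 200 512 "https://example.org/python-intro" "%s"' % BROWSER,
    '192.0.2.44 - - [13/Sep/2022:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "%s"' % BROWSER,
]

def post_filter_host(line):
    """Host the post's patterns would count a failure for, or None."""
    for pat in POST_PATTERNS:
        m = pat.search(line)
        if m:
            return m.group("host")
    return None

def ua_only_host(line):
    """Host the User-Agent-only variant would count a failure for, or None."""
    m = UA_ONLY.search(line)
    return m.group("host") if m else None

def compare(lines):
    """Return (post_filter_result, ua_only_result) for each log line."""
    return [(post_filter_host(l), ua_only_host(l)) for l in lines]

if __name__ == "__main__":
    for line, (loose, strict) in zip(SAMPLE_LOG, compare(SAMPLE_LOG)):
        print(f"post={loose!s:<14} ua_only={strict!s:<14} {line[:60]}")
```

Against a real installation, `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-baduas.conf` reports which lines the deployed filter matches, which is the way to check for the same effect before enabling a ban.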