mirror of https://github.com/fail2ban/fail2ban
Enhancing the searching regex for 3 common situations:

1. Clients or bots trying to access resources not being hosted to explore critical files. -> Error 404 is returned
2. Clients or bots trying to exploit services by pinging URIs with methods not allowed (i.e. POST instead of GET) -> Error 405 is returned
3. Clients or bots explore dynamic hosted sites by randomly sending parameters to exploit the API (for all APIs from old CGI to REST service proxied) -> Error 50x is returned

The latter is the weakest criterion because the return code is at best an expected exception and then defined by the API designer, or at worst depending on the system behind. CGI for example lets nginx throw 519 on harsh errors (which is not covered by the regex at all).

pull/3776/head
parent a7f3a04b0e
commit 2f9e5fe1da
@ -5,7 +5,7 @@
# The request often doesn't contain a method, only some encoded garbage
# This will also match requests that are entirely empty
failregex = ^<HOST> - \S+ \[\] "[^"]*" 400
failregex = ^<HOST> - \S+ \[\] "[^"]*" [4-5]0[0-9]
datepattern = {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)?
^[^\[]*\[({DATE})
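Review bot: widening the status match from `400` to `[4-5]0[0-9]` in `failregex = ^<HOST> - \S+ \[\] "[^"]*" [4-5]0[0-9]` turns a filter whose own comments describe "encoded garbage" and entirely empty requests into one that also bans on 401, 403, 404 and 500-509, and those codes are produced routinely by legitimate clients (stale bookmarks, a missing favicon, an application bug returning 500). Either the jail's retry threshold needs to be raised and documented alongside this change, or the 404/405/50x cases belong in a separate filter so the tight 400 rule can keep its low threshold. The two comment lines above the regex still describe only the malformed-request case and should be updated to the broadened scope. Also note that `[4-5]0[0-9]` only covers x00-x09, so the 519 that the commit message mentions remains unmatched.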
@ -20,4 +20,7 @@
7.8.9.10 - root [20/Jan/2015:01:17:07 +0100] "CONNECT 123.123.123.123 HTTP/1.1" 400 162 "-" "-" "-"
# failJSON: { "time": "2014-12-12T22:59:02", "match": true , "host": "2.5.2.5" }
2.5.2.5 - tomcat [12/Dec/2014:22:59:02 +0100] "GET /cgi-bin/tools/tools.pl HTTP/1.1" 400 162 "-" "-" "-"
2.5.2.5 - tomcat [12/Dec/2014:22:59:02 +0100] "GET /cgi-bin/tools/tools.pl HTTP/1.1" 400 162 "-" "-" "-"
# failJSON: { "time": "2014-12-12T22:59:02", "match": true , "host": "192.168.144.1" }
192.168.144.1 - - [12/Dec/2014:22:59:02 +0100] "GET /adsf HTTP/1.1" 404 118 "-" "-" "-"
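Review bot: the only new sample is a 404 (`"GET /adsf HTTP/1.1" 404 118`), while the commit message claims coverage of 405 and 50x responses as well; add a `# failJSON: { ..., "match": true }` sample for a 405 and for a 500 so each of the three situations the change is meant to catch is actually exercised. More importantly, there is no negative sample: add at least one line with `"match": false` (for example the same request with a 200 or 301 status) so the test proves the widened class `[4-5]0[0-9]` does not fire on successful responses, which is the main regression risk of this change.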