After hosting a mail server for a few years, I've gotten tired of seeing alllll the 404 attempts in my daily logwatch. Fail2Ban handles this well, and setting it up turns out to be really easy.
Create the filter file with nano /etc/fail2ban/filter.d/nginx-4xx.conf (I'm counting on you running Debian and having things in default locations here), and enter the following:
[Definition]
failregex = ^<HOST>.*"(GET|POST).*" (404|444|403|400) .*$
ignoreregex =
Note: Make sure you use a capital 'D' in Definition there.
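To see which requests this failregex actually counts, here is an added example (not part of the original post) that applies the same pattern to constructed nginx access-log lines in Python, the language fail2ban's regexes are written for. The HOST stand-in, the sample lines and the maxretry=3 threshold are assumptions for illustration, and the findtime window is ignored.

```python
import re
from collections import Counter

# failregex exactly as written in the filter above
FAILREGEX = r'^<HOST>.*"(GET|POST).*" (404|444|403|400) .*$'

# Assumption: simplified stand-in for fail2ban's <HOST> tag (IP literals only);
# fail2ban's own expansion is broader.
HOST = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[0-9A-Fa-f:]*:[0-9A-Fa-f:.]+)'
PATTERN = re.compile(FAILREGEX.replace('<HOST>', HOST))

# Constructed nginx "combined" log lines using documentation address ranges
SAMPLE_LOG = '''\
203.0.113.7 - - [10/Oct/2023:06:25:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:06:25:02 +0000] "POST /xmlrpc.php HTTP/1.1" 404 153 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:06:25:03 +0000] "GET /.env HTTP/1.1" 403 153 "-" "curl/8.0"
198.51.100.20 - - [10/Oct/2023:06:26:10 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2023:06:26:11 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2023:06:26:12 +0000] "GET /page HTTP/1.1" 200 404 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:06:27:00 +0000] "HEAD /admin HTTP/1.1" 404 0 "-" "probe"
2001:db8::5 - - [10/Oct/2023:06:28:00 +0000] "GET /old HTTP/1.1" 400 0 "-" "-"
'''


def count_failures(log_text):
    """Return a Counter of host -> number of lines the failregex matches."""
    hits = Counter()
    for line in log_text.splitlines():
        m = PATTERN.match(line)
        if m:
            hits[m.group('host')] += 1
    return hits


def hosts_to_ban(log_text, maxretry=3):
    """Hosts at or over the threshold (maxretry=3 is assumed here;
    the real value comes from the jail configuration)."""
    return sorted(h for h, n in count_failures(log_text).items() if n >= maxretry)


if __name__ == '__main__':
    for host, n in count_failures(SAMPLE_LOG).most_common():
        print(f'{host}: {n} matching line(s)')
    print('would ban:', hosts_to_ban(SAMPLE_LOG))
```

Two things the sample shows: a HEAD request returning 404 is not counted because the filter only matches GET and POST, and an ordinary browser's missing favicon.ico is counted, so the jail's retry threshold needs to leave room for that. On the server, fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-4xx.conf runs the real filter against the real log.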
Now, edit your /etc/fail2ban/jail.conf …