cat /etc/fail2ban/filter.d/modsecurity.conf
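# Fail2Ban filter for modsecurity
#
# Matches nginx access-log lines whose status field is 444. The regex keys on
# the status code alone, so every 444 in the log counts towards a ban, not only
# responses that ModSecurity produced.
#
# <HOST> is taken from the first field of the line. If nginx sits behind a
# reverse proxy, load balancer or CDN, that field may hold the proxy's address
# rather than the client's; confirm what is logged before enabling bans.
#
# "\[\]" expects the timestamp field to be empty, which is how the line looks
# after fail2ban has cut the matched date out of it. This can vary with the
# fail2ban version and datepattern; check the filter against a sample of your
# own log with fail2ban-regex.

[Definition]

failregex = ^<HOST> \- \S+ \[\] \"(.*)\S+\" 444 .+$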
This filter checks for HTTP status code 444.
Add this to your “/etc/fail2ban/jail.local”:
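# Jail for the modsecurity filter.
# There is no "filter =" line here; with the stock jail.conf defaults the
# filter name is derived from the jail name, i.e. filter.d/modsecurity.conf.
# maxretry, findtime and bantime are not set either, so the values from
# [DEFAULT] apply. Review them, and consider listing your own management and
# monitoring addresses in ignoreip so they cannot be locked out.
[modsecurity]
port = http,https
# nginx_access_log is a path variable supplied by fail2ban's paths-*.conf files.
logpath = %(nginx_access_log)s
enabled = true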