I'm using Fail2ban package 0.6.0-3 with the Apache directive
enabled.

At present only the default failregex is active. I would like to
add another failregex to try to block known Apache hack attempts
that are showing up in my logwatch[1].

Is it possible to have 2 failregexes under the [Apache] directive
in /etc/fail2ban.conf? Eg:

[Apache]
enabled = true
port = http
logfile = /var/log/apache2/access.log
timeregex = \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}
timepattern = %%a %%b %%d %%H:%%M:%%S %%Y
failregex = [[]client (?P<host>\S*)[]] user .*(?:: authentication failure|not found)
failregex = \"GET /scripts/root\.exe\?/c\+dir\" 404

Or do I need to add another eg [Apache_2]?

I've seen a site where they have an iptables rule with '-m string'
matching some of these .exe hack/crack strings, but my iptables
doesn't have the 'string' option.

Or should I disallow in apache config? I didn't think necessary
because they're 404 errors anyway, and it'd be better to catch
them before they even get to apache?

[1]
--------------------- httpd Begin ------------------------

0.32 MB transferred in 83 responses (1xx 0, 2xx 54, 3xx 24, 4xx 5, 5xx 0)
34 Images (0.16 MB),
3 Windows executable files (0.00 MB),
45 Content pages (0.15 MB),
1 Other (0.00 MB)

Attempts to use known hacks by 1 hosts were logged 6 time(s) from:
60.12.81.52: 6 Time(s)

A total of 1 sites probed the server
60.12.81.52

Requests with error response codes
403 Forbidden
/cgi-bin/man/man2html?tunctl+8: 1 Time(s)
404 Not Found
/msadc/..%c0%af..%c0%af..%c0%af../winnt/sy ...
/cmd.exe?/c+dir: 1 Time(s)
/robots.txt: 1 Time(s)
/scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir: 1 Time(s)
/scripts/root.exe?/c+dir: 1 Time(s)

A total of 1 ROBOTS were logged

---------------------- httpd End -------------------------

--
Troy Piggins
All your sigs are belong to us.
RLU#415538
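
A way to check a candidate failregex against access.log lines before it goes into /etc/fail2ban.conf, given as an added example that is not part of the original post and is not Fail2ban code. The log lines are constructed from the addresses and paths in the logwatch report; it assumes the ban address is read from a named group called `host` and that access.log uses the common log format, and `LITERAL`, `PROBE`, `offenders` and `compiles` are illustrative names.

```python
import re
from collections import Counter

# Constructed access.log lines (common log format). The client address and the
# request paths come from the logwatch report; dates, sizes and the second
# client (192.0.2.10, a documentation address) are made up.
SAMPLE_LINES = [
    '60.12.81.52 - - [01/Jan/2006:10:15:32 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283',
    '60.12.81.52 - - [01/Jan/2006:10:15:33 +0000] "GET /cmd.exe?/c+dir HTTP/1.0" 404 275',
    '60.12.81.52 - - [01/Jan/2006:10:15:34 +0000] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310',
    '60.12.81.52 - - [01/Jan/2006:10:15:35 +0000] "GET /robots.txt HTTP/1.0" 404 270',
    '192.0.2.10 - - [01/Jan/2006:10:16:01 +0000] "GET /downloads/setup.exe HTTP/1.1" 200 51200',
]

# Literal pattern for one probe, with the closing quote directly after the path.
# It has no host group and ignores the " HTTP/1.x" Apache logs before the quote.
LITERAL = r'"GET /scripts/root\.exe\?/c\+dir" 404'

# Anchored pattern: one host group at the start of the line, then any request
# for cmd.exe or root.exe with a query string that was answered with a 404.
PROBE = (r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
         r'"(?:GET|HEAD|POST) \S*(?:cmd|root)\.exe\?\S* HTTP/\d\.\d" 404 ')

def offenders(pattern, lines=SAMPLE_LINES):
    """Return {host: matching line count} for a candidate failregex."""
    rx = re.compile(pattern)
    hits = Counter()
    for line in lines:
        m = rx.search(line)
        if m:
            # Assumption: the ban target is read from the group named "host".
            hits[m.groupdict().get("host", "<no host group>")] += 1
    return dict(hits)

def compiles(pattern):
    """True if Python's re module accepts the pattern."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False

if __name__ == "__main__":
    print("literal:", offenders(LITERAL))
    print("probe:  ", offenders(PROBE))
    # Joining two rules with | fails when both define a group named host.
    print("two host groups compile:", compiles(r'(?P<host>\S+) a|(?P<host>\S+) b'))
```

The 404 for /robots.txt and the 200 for an ordinary .exe download are left alone, so only the three probe requests count against 60.12.81.52.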