Linking to Fail2ban

Thought I would share this as it seems to be working well for me. This will only work if you have control of your server and can install fail2ban.
I run several drupal sites on Apache virtual hosts. Several of them (not all) get hammered with robot login attempts and this solution bans them from all virtual hosts if any is attacked. Big thanks to the drupal fail2ban module for many insights.
Method:
Since drupal and honeypot write to the system log we can use fail2ban to ban those ip addresses.
Steps:

install fail2ban on your server

WHITELIST your ip address in fail2ban config or you will possibly get yourself banned from the server.

Create some filters

Put them in the appropriate place (for Ubuntu /etc/fail2ban/filter.d)
Here are two I am using.
This filter catches failed login attempts logged by Drupal core.
File: drupal-auth.conf

Fail2Ban configuration file
# Author: Tipi Koivisto
# taken from fail2ban drupal module https://www.drupal.org/project/fail2ban

[Definition]
# Option: failregex Notes.: regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can be used for standard IP/hostname
# matching and is only an alias for (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) Values: TEXT
#
failregex = \|\d*\|user\|<HOST>\|.*Login attempt failed for \s?
# Option: ignoreregex Notes.: regex to ignore. If this regex matches, the line is ignored. Values: TEXT
#
#ignoreregex =

This filter catches log entries by Honeypot for blocked submissions. WARNING --I'm terrible at regex matching and is most likely not the best expression.
File: drupal-honeypot.conf

 # Fail2Ban configuration file drupal honeypot
#copied from Author: Tipi Koivisto
# this should find honeypot log stuff
[Definition]
# Option: failregex Notes.: regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can be used for standard IP/hostname
# matching and is only an alias for (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) Values: TEXT
#
#this expression needs work
failregex = \|\d*\|honeypot\|<HOST>\|.*\|Blocked submission of user_.*

# Option: ignoreregex Notes.: regex to ignore. If this regex matches, the line is ignored. Values: TEXT
#ignoreregex =

Create a jail config file for the two filters (Ubuntu path /etc/fail2ban/jail.d). Change "enabled" to true to use the jail, set the maxretry, bantime and path to your syslog as appropriate for your system.
file: dupal.local

[drupal-auth]

enabled = False
port = http,https
filter = drupal-auth
logpath = /var/log/syslog
maxretry = 3
bantime = 3600

[drupal-honeypot]
enabled = False  
port = http,https
filter = drupal-honeypot
logpath = /var/log/syslog
maxretry = 4
bantime = 3600

Restart fail2ban

I had a flurry of bans happen and then things settled down a good bit. Looks like the robots give up quickly when they are banned.