While it monitors SSH by default out of the box, people here are talking about creating custom filters which will monitor their Apache or Nginx logs. (Although, that said, we also have it monitor our non-standard SSH port with v. aggressive blocking rules, even though it's also behind a firewall. Defence in depth, and all that.)
The documentation isn't the greatest, but this page explains the concepts well enough and was easy to find using Google.
A filter matches lines in the nginx log using regular expressions. If the line matches, it uses another regexp to extract the IP address, and then calls out to scripts to block that IP address.
I'm not going to post the exact configuration files I use, but the GitHub repo for fail2ban contains examples.
I like Fail2Ban, but as I remember it, my learning process looked a lot like this:
1.) Read through the documentation.
2.) Pour myself a scotch.
3.) Read through more documentation.
4.) Start drinking right out of the bottle.
5.) Try something.
6.) Get an error or experience a spectacular failure.
7.) Use StackOverflow.
8.) GOTO 5.
-------------
In good news, it worked - the light went on and now I'm confident that I could adapt Fail2Ban to suit any use. But, in bad news, honestly, I feel your pain and understand where/why you are getting stuck. Fail2Ban is a very complicated, yet extremely useful piece of software.
There is this Linux thing called IMA which in some ways reminds me of tripwire (Integrity Measurement Architecture).