The regex used won’t capture all attempts, but with my configuration only 1 hit is enough to get you banned (the scripts these scans call are main.php and config.inc.php, which aren’t to be called directly, especially not when they fail with a 404 like these), and all scanning attempts I’ve seen so far cycle through at least 20 different combinations.

Well, enough talk, here is the filter.d file:

# Fail2Ban configuration file
#
# Author: Remco Overdijk
#
# $Revision: 4 $
#

[Definition]
 
# Option:  failregex
# Notes.:  regex to match the 404'ed PMA file in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = <HOST> -.*"GET .*(php|pma|PMA|p/m/a|db|sql|admin).*/(config/config\.inc|main)\.php.*".*404.*
 
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

And this is of course accompanied by a bit in jail.conf:

[apache-pma]
 
enabled = true
filter = apache-pma
action = iptables-allports[name=pma]
mail-whois[name=pma, dest=<YOURADDRHERE>]
logpath = /var/log/apache2/access_log
bantime = -1
maxretry = 1

Works for me, another 20 additional IPs/day onto the shitlist!

Update: It seems another variation of these scans are hitting the NIC’s quite often; One for Zen Cart to be more precise.
You can easily add support countering this scanner as well, simply by expanding the failregex with this line:

^<HOST> -.*"GET .*(cart|boutique|catalog|butik|shop|zen|store).*/install\.txt.*".*404.*

You can put multiple regexes within one failregex, just put each one on a new line.