The following guide will show how to use fail2ban to block xmlrpc attacks.

We need to set up rules/regex that the jail will follow, this will look for log file entries depending on what we specify:
Create a file called: /etc/fail2ban/filter.d/xmlrpc.conf

[INCLUDES]

before = common.conf

[Definition]

failregex = ^<HOST> .*POST .*xmlrpc\.php.*
ignoreregex =
The regex above will look for POST requests to the xmlrpc file.
Now add the following configuration to your /etc/fail2ban/jail.conf file
[xmlrpc]
enabled  = true
port     = http,https
filter   = xmlrpc # name of the filter found in /etc/fail2ban/filter.d/
banaction = iptables-allports # block the ip address on all ports
logpath  =  %(nginx_access_log)s # what logs files should it read to find xmlrpc? You can specify a more accurate file if you only have 1 site that has this. 
maxretry = 5 # 5 instances matching the regex can be found before banning
findtime = 3600 # POST request found during a specific time period
bantime  = 7200 # how long IP will be banned for