In recent days I noticed this in my log file.
Of course I want to expose the malicious IP 220.127.116.11 and so forth, but I noticed this "scumbag" would not stop anytime soon, so I came up with the following solution:
[Definition]
# change badurls to fit your taste and needs, these are the more common ones
badurls = myadmin|phpadmin|sql|webdb|wp-login\.php|soapCaller|manager|setup\.php|pma|status|admin\.php|phpmyadmin\.php|pma\.php|PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2|administrator|database|sql|phpMyAdmin|MyAdmin|dbadmin|php-myadmin|phpmy-admin|phpmyAdmin
# (?i) must be the first thing in each pattern; the second pattern is a
# continuation line, so it has to be indented under the first one
failregex = (?i)^<HOST> .* "(GET|POST|HEAD) .*(%(badurls)s).* HTTP.*" (403|404) .*$
            (?i)^<HOST> .* "(GET|POST|HEAD) / HTTP.*" (403|404) .*$
NOTE: The * in the logpath includes all domains within tinycp, hence if "18.104.22.168" changes to a different domain, it will still get denied access to the server.
The above filter plus the existing recidive.conf will eradicate the scumbag.
Hope this helps someone out there.
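
A way to check what the filter above catches before enabling it, as an added example that is not part of the original post: the two failregex patterns are compiled in Python and run over constructed access-log lines, including a legitimate 404 that the broad badurls list also matches. The `HOST` stand-in, the helper names `match_host` and `flagged`, and all sample lines are assumptions made for this illustration.

```python
import re

# badurls alternation copied from the post's filter.
BADURLS = (
    r"myadmin|phpadmin|sql|webdb|wp-login\.php|soapCaller|manager|setup\.php|pma|"
    r"status|admin\.php|phpmyadmin\.php|pma\.php|PMA|phpmyadmin|myadmin|mysql|"
    r"mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|"
    r"phpmyadmin2|administrator|database|sql|phpMyAdmin|MyAdmin|dbadmin|"
    r"php-myadmin|phpmy-admin|phpmyAdmin"
)
# Assumption: a simplified stand-in for the address pattern fail2ban
# substitutes for <HOST>.
HOST = r"(?P<host>\S+)"

FAILREGEX = [
    r'(?i)^<HOST> .* "(GET|POST|HEAD) .*(%(badurls)s).* HTTP.*" (403|404) .*$',
    r'(?i)^<HOST> .* "(GET|POST|HEAD) / HTTP.*" (403|404) .*$',
]
RULES = [
    re.compile(r.replace("%(badurls)s", BADURLS).replace("<HOST>", HOST))
    for r in FAILREGEX
]

def match_host(line):
    """Return the client address if either rule matches the line, else None."""
    for rule in RULES:
        m = rule.match(line)
        if m:
            return m.group("host")
    return None

# Constructed access-log lines; addresses are RFC 5737 documentation ranges.
TS = "[01/Jan/2024:10:00:00 +0000]"
SAMPLE = [
    f'192.0.2.10 - - {TS} "GET /phpmyadmin/index.php HTTP/1.1" 404 162 "-" "-"',
    f'192.0.2.11 - - {TS} "GET / HTTP/1.1" 403 162 "-" "-"',
    # Served normally (200), so neither rule applies.
    f'192.0.2.12 - - {TS} "GET /phpmyadmin/ HTTP/1.1" 200 5120 "-" "-"',
    # A visitor following a dead link is matched too: "database" is in badurls.
    f'198.51.100.7 - - {TS} "GET /blog/database-tips.html HTTP/1.1" 404 162 "-" "-"',
    f'198.51.100.8 - - {TS} "GET /favicon.ico HTTP/1.1" 404 162 "-" "-"',
]

def flagged(lines):
    """Addresses the filter would count a failure for, in input order."""
    return [h for h in map(match_host, lines) if h]

if __name__ == "__main__":
    for line in SAMPLE:
        print(match_host(line) or "no match", "<-", line)
```

fail2ban also ships the `fail2ban-regex` tool, which runs a filter file against a real log and reports matched and missed lines.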