Hi. Yes you can do ban on the "multiple 400 errors from same source IP"
Take this example
<active-response>
<command>firewall-drop</command>
<location>local</location>
<rules_id>5720, 11210</rules_id> <!-- Multiple SSHD auth failures,
proftpd -->
<timeout>600</timeout>
</active-response>
