Just ban bots using fail2ban or CSF or whatever, even a self-written script + iptables.
In parallel, of course, not forgetting to maintain the state of security of their sites.
These imaginary "hackers" in most cases are just the background noise of the Internet, crowds of various bots scanning networks, guessing ssh passwords, looking for vulnerable services, default and dictionary passwords, etc. When a vulnerable victim is found, most often an auto-exploit is performed that connects the infected resource to the bot army.
As an experiment, as already suggested above, you can deploy a honeypot on a separate public ip (if available), for example, here is a ready-made distribution . Put his bare ass on the Internet and enjoy honeypot alerts.
And "punishing" this background noise is like carving the sea.

To understand and to forgive.
Think about IB.
Read manuals on secure Nginx configuration.
Conduct an assessment using Nessus (there is a full trial), Acunetix, Netsparker, Nikto (OpenSource).
Optional metasploit or armitage based on experience and knowledge.
Contact the "Department K" or specialized organizations.

Rejoice that your shoals are looking for you.

Set up fail2ban

If there is absolutely nothing to do, you can organize a honeypot.

IP2ASN
Find out who owns the subnet and write to the support.

Either write a statement to the police, or do not waste your time.

More control over the security of your sites.

play a joke
Pretend that they really broke in, and when they come in, play a joke