wiki: add backend=polling gotcha to apache-404scan jail article

Global backend=systemd in jail.local silently breaks file-based jails.
Added required backend=polling to config, diagnostic command, and warning.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

02-selfhosting/security/fail2ban-apache-404-scanner-jail.md

@@ -43,10 +43,13 @@ logpath = /var/log/apache2/access.log
 maxretry = 10
 findtime = 1m
 bantime = 24h
+backend = polling
 ```
 
 **10 hits in 1 minute** is aggressive enough to catch scanners (which fire 30–50+ requests in seconds) while avoiding false positives from a legitimate user hitting a few broken links.
 
+> **Critical: `backend = polling` is required** if your `jail.local` or `jail.d/` sets `backend = systemd` in `[DEFAULT]` (common on Fedora/RHEL). Without it, fail2ban ignores the `logpath` and reads from journald instead — which Apache doesn't write to. The jail will appear active (`fail2ban-client status` shows it running) but `fail2ban-client get apache-404scan logpath` will return "No file is currently monitored" and zero IPs will ever be banned. This fails silently.
+
 ### Step 3 — Test the regex
 
 ```bash
@@ -95,6 +98,11 @@ fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-404scan
 # Check jail status and banned IPs
 fail2ban-client status apache-404scan
 
+# IMPORTANT: verify the jail is actually monitoring the file
+fail2ban-client get apache-404scan logpath
+# Should show: /var/log/apache2/access.log
+# If it shows "No file is currently monitored" — add backend = polling to the jail
+
 # Watch bans in real time
 tail -f /var/log/fail2ban.log | grep apache-404scan