lucy24 - 9:02 am on Nov 11, 2012 (gmt 0)
SecRule REQUEST_HEADERS:REMOTE_HOST "host-name-here" deny,status:403 - this doesn't seem to work.
SetEnvIfNoCase Remote_Host "host-name-here" bad_bot
By yawn-provoking coincidence I have just this minute come from an unrelated forum where someone had exactly the same kind of "Is it hotter in New York than in the summer?" question.*
You mean mod_security or mod_setenvif. Why bother with the host name at all? Somewhere behind the name is an IP address-- and it's less likely to be faked than anything else you could block. If you're in doubt about the full range, just make it bigger. If for example it claims to be
but your raw logs don't turn up anything from the rest of aa.bb., just block the whole /16. Or /15 or /14 if you haven't met any humans from there either.
I don't know whether anyone has done a rigorous speed comparison on mod_rewrite using RegExes vs mod_auth-thingie using CIDR ranges. (This is assuming you're not lucky enough to be in Apache 2.4 yet.) Gut feeling says that anything in CIDR form will be faster. But unless you've got an absolutely enormous site-- which you've said you don't-- the difference isn't likely to be significant.
* Answer: Yes.
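
Added example, not part of the original post: a Python sketch of the raw-log check described above, which widens a block around one suspect IPv4 address only while no other client in the logs falls inside the range. The log lines, addresses and function names are constructed for illustration; `Deny from` is the Apache 2.2 mod_authz_host directive.

```python
import ipaddress
import re

# Constructed access-log sample; the addresses and hostname are made up.
SAMPLE_LOG = """\
10.20.30.40 - - [11/Nov/2012:08:01:02 +0000] "GET /a.html HTTP/1.1" 200 512 "-" "ExampleBot/1.0"
10.21.7.9 - - [11/Nov/2012:08:03:10 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.168.5.5 - - [11/Nov/2012:08:04:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
crawler.example.net - - [11/Nov/2012:08:05:00 +0000] "GET /b.html HTTP/1.1" 200 300 "-" "-"
"""

FIRST_FIELD = re.compile(r"^(\S+)\s")


def clients_in_log(log_text):
    """Collect the IPv4 client addresses found in the first field of each line."""
    seen = set()
    for line in log_text.splitlines():
        match = FIRST_FIELD.match(line)
        if not match:
            continue
        try:
            addr = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # resolved hostname or junk in the client field
        if addr.version == 4:
            seen.add(addr)
    return seen


def widest_clean_block(log_text, suspect, prefixes=(24, 16, 15, 14)):
    """Return the widest network around `suspect` (IPv4) with no other logged client."""
    suspect_ip = ipaddress.ip_address(suspect)
    others = clients_in_log(log_text) - {suspect_ip}
    best = ipaddress.ip_network(f"{suspect_ip}/32")
    for plen in prefixes:  # narrowest first; stop at the first range with other traffic
        net = ipaddress.ip_network(f"{suspect_ip}/{plen}", strict=False)
        if any(ip in net for ip in others):
            break
        best = net
    return best


def deny_directive(net):
    """Format the range as an Apache 2.2 (mod_authz_host) deny line."""
    return f"Deny from {net}"


if __name__ == "__main__":
    print(deny_directive(widest_clean_block(SAMPLE_LOG, "10.20.30.40")))
```

The widening stops at /16 for the sample because another visitor sits in the neighbouring half of the /15; "no other traffic" in the logs is only a proxy for "no humans from there", so the log window should be long enough to be representative.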