
Method for banning ips from a server

I need a solution that is easy to edit


seneces

11:54 pm on May 4, 2005 (gmt 0)


I have been looking for a way to easily ban specific IP addresses from my site; something easier than editing httpd.conf or .htaccess every time.

I've been getting a lot of unwanted requests lately, and I'd like to figure out a way to block these IPs.

If possible, I'd also like a way to display a customized message for each person.

Is there a way this could be done with mod_rewrite, or some other way?

sitz

12:19 am on May 5, 2005 (gmt 0)


Editing a .htaccess file is a halfway decent way; you lose a little performance by using them, but you don't have to bounce the server. You could also use a RewriteMap; something like the 'Host Deny' example at [httpd.apache.org]. You may want to use a 'dbm' RewriteMap if you're going to have a lot of IPs you're blocking. Like the .htaccess method, the nice thing about this method is that Apache doesn't need to be bounced to pick up changes to the DBM.

seneces

2:13 am on May 5, 2005 (gmt 0)


Awesome, thanks.

The example shown on that page seems to be working great.

incrediBILL

2:27 am on May 5, 2005 (gmt 0)


FYI - over a year ago I added a small script I wrote, called BANIP, to my server; it just appends the new banned IP to the bottom of the list. To ban any IP from the server I just type "BANIP #*$!.#*$!.#*$!.#*$!" and it's gone in a blink.

You can use this trick with any file, even IPTABLES, as all you need to do is split the file into two parts: "myIPfile.head", which is everything up to and including all the banned IPs at the end of this file, then "myIPfile.tail", which is everything beyond that point. BANIP simply appends whatever IP you pass to the tail end of myIPfile.head, including other syntax around the IP address, then concatenates myIPfile.head + myIPfile.tail together and creates a new file called myIPfile.

Here's an example I use for server-wide banning in IPTABLES....


#!/bin/bash
# BANIP: append a DROP rule for one IP to iptables.master, rebuild the
# iptables file from master + tail, then restart iptables.

tmp_path=/tmp
iptables_path=/etc/sysconfig
master=iptables.master
tail=iptables.tail
ip=$1

restart()
{
    /etc/rc.d/init.d/iptables restart
    if [ $? != 0 ]; then
        echo "iptables failed to restart correctly, check script integrity!"
        exit 1
    fi
}

# Validate the dotted quad: exactly four fields, each numeric and no larger than 255
check_sum()
{
    if [ "`echo "$ip" | awk -F. '{print NF}'`" -ne 4 ]; then
        echo "Expected four octets (a.b.c.d), exiting"
        exit 1
    fi
    x=0
    until [ $x -eq 4 ]; do
        x=`expr $x + 1`
        val=`echo "$ip" | cut -f $x -d .`
        case "$val" in
            ''|*[!0-9]*)
                echo "Only numeric values allowed, exiting"
                exit 1
                ;;
        esac
        if [ "$val" -gt 255 ]; then
            echo "Invalid octet range specified, exiting"
            exit 1
        fi
    done
}

echo
echo "===> IPTABLES add script <==="

if [ "$1" = "" ]; then
    echo
    echo -n "Usage: "
    echo "banip 111.222.333.444"
    echo -n "       "
    echo "banip restore"
    echo
    exit 1
fi

case "$1" in
    restore)
        echo -n "Restoring original iptables ... "
        cp $iptables_path/iptables~ $iptables_path/iptables
        if [ $? != 0 ]; then
            echo "Could not restore iptables, exiting"
            exit 1
        else
            echo "successful"
        fi
        restart
        exit
        ;;
    *)
        check_sum
        ;;
esac

# Keep a backup of the live file so "banip restore" can roll back
cp $iptables_path/iptables $iptables_path/iptables~
if [ $? != 0 ]; then
    echo "Could not back up iptables, exiting"
    exit 1
fi

if [ ! -d $tmp_path ]; then
    echo "Failed to find temp path, please recheck tmp_path variable"
    exit 1
fi

if [ -f $iptables_path/$master -a -f $iptables_path/$tail ]; then
    # Fixed-string match on the whole rule so 1.2.3.4 does not match 1.2.3.45
    grep -qF -- "-s $1 -j DROP" $iptables_path/$master
    if [ $? = 0 ]; then
        echo "IP is already in the tables, exiting"
        exit 1
    fi
    echo "-A INPUT -s $1 -j DROP" >> $iptables_path/$master
    if [ $? != 0 ]; then
        echo "Error during IP install operation, check script integrity!"
        exit 1
    fi
    # Rebuild the full rules file: master (ending in the ban list) + tail
    cat $iptables_path/$master $iptables_path/$tail > $tmp_path/iptables
    if [ $? != 0 ]; then
        echo "Error during iptables file creation, check script integrity!"
        exit 1
    fi
    cp $tmp_path/iptables $iptables_path/iptables
    if [ $? != 0 ]; then
        echo "Error during iptables file installation, check script integrity!"
        exit 1
    fi
    restart
else
    echo "Build files not found, exiting"
    exit 1
fi

sitz

7:30 pm on May 5, 2005 (gmt 0)


FWIW, I've run a perl script before which tails the access log and bans IPs based on 'more than $foo requests matching regex $bar in the past $baz seconds'; in my case, the source IP was added to an IPtables banlist, and a note was made of when the IP was banned. If the IP violated the rules again, its counter was reset. If it kept from violating the rules for more than a few hours, it was allowed to send requests again.

Not perfect, but it got the job done. YMMV, etc.
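The log-watching rules sitz describes (more than $foo matching requests in $baz seconds gets the IP banned, a repeat violation resets its clock, a few quiet hours lifts the ban), written up here in Python as an added example rather than sitz's perl; it runs on constructed access-log lines and emits the same "-A INPUT -s ... -j DROP" lines that incrediBILL's BANIP appends to iptables.master. The regex, thresholds and sample addresses are assumptions, not values from the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Apache "combined" log lines for the demo; not from the thread.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/May/2005:02:27:01 +0000] "GET /cgi-bin/a.pl HTTP/1.0" 404 209 "-" "-"',
    '198.51.100.7 - - [05/May/2005:02:27:03 +0000] "GET /index.html HTTP/1.1" 200 3210 "-" "-"',
    '203.0.113.5 - - [05/May/2005:02:27:04 +0000] "GET /cgi-bin/b.pl HTTP/1.0" 404 209 "-" "-"',
    '203.0.113.5 - - [05/May/2005:02:27:05 +0000] "GET /cgi-bin/c.pl HTTP/1.0" 404 209 "-" "-"',
    '203.0.113.5 - - [05/May/2005:02:27:09 +0000] "GET /cgi-bin/d.pl HTTP/1.0" 404 209 "-" "-"',
    '203.0.113.5 - - [05/May/2005:06:00:00 +0000] "GET /cgi-bin/e.pl HTTP/1.0" 404 209 "-" "-"',
]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')  # ip, timestamp, request line

class LogBanner:
    def __init__(self, pattern, max_hits, window_s, ban_s):
        self.pattern = re.compile(pattern)          # sitz's $bar
        self.max_hits, self.window_s, self.ban_s = max_hits, window_s, ban_s  # $foo, $baz, ban length
        self.hits = defaultdict(deque)              # ip -> timestamps of matching requests
        self.banned = {}                            # ip -> time of its latest violation

    def feed(self, line):
        """Process one log line; return (action, ip) with action 'ban', 'reset' or None."""
        m = LOG_RE.match(line)
        if not m:
            return None, None
        ip, stamp, request = m.groups()
        now = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").timestamp()
        self.expire(now)
        if not self.pattern.search(request):
            return None, ip
        if ip in self.banned:                       # repeat offender: restart its ban clock
            self.banned[ip] = now
            return "reset", ip
        q = self.hits[ip]
        q.append(now)
        while now - q[0] > self.window_s:           # forget hits that fell out of the window
            q.popleft()
        if len(q) > self.max_hits:
            self.banned[ip] = now
            return "ban", ip
        return None, ip

    def expire(self, now):                          # lift bans quiet for more than ban_s seconds
        for ip in [ip for ip, t in self.banned.items() if now - t > self.ban_s]:
            del self.banned[ip]

    def iptables_rules(self):                       # current bans as BANIP-style rule lines
        return ["-A INPUT -s %s -j DROP" % ip for ip in sorted(self.banned)]
```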