I have several websites on my server. Is there ONE PLACE I can put access restrictions that apply to all sites? That is, for restrictions I'd like to apply to all sites, do I need to specify those restrictions in .htaccess for each site individually?
I guess I'm wondering if there is a site-wide .htaccess.
phranque
3:59 am on Nov 5, 2014 (gmt 0)
the server configuration file, which is typically named something similar to httpd.conf, could possibly be configured to specify those restrictions across all virtual hosts in the server configuration.
Dan99
4:11 am on Nov 5, 2014 (gmt 0)
Well, so I guess one question is whether I can just stick a "Deny www.xxx.yyy.zzz" in my httpd.conf file.
Dan99
4:19 am on Nov 5, 2014 (gmt 0)
Actually, it looks like the syntax is a bit different than for .htaccess. I *think* I use "Deny from www.xxx.yyy.zzz" in the httpd.conf. Yes?
The reason I'm interested in this is because if I want to blacklist well acknowledged malicious IPs, why should I have to do the same thing in all of my .htaccess files? Seems smarter just to do it once and be done with it.
not2easy
4:57 am on Nov 5, 2014 (gmt 0)
As phranque mentioned above, you should be able to do what you want using httpd.conf on your server, the same file where your server is configured. For your specific use you should find links for the version of Apache you use in the forum's Charter here: [webmasterworld.com...]
lucy24
7:06 am on Nov 5, 2014 (gmt 0)
"it looks like the syntax is a bit different than for .htaccess"
Apache is Apache, whether it's in htaccess or config. If it's your own server, there should not even be any htaccess files, except possibly for a test directory if you want to experiment.
The syntax in mod_auththingummy (its exact name depends on Apache version) is always
Allow from blahblah
Deny from blahblah
where blahblah is a numerical CIDR range. (It doesn't have to be, but the consequences are distressing if you use any other form.)
These directives can go absolutely anywhere. If they're lying loose in the config file, they apply to all requests. If they're in a <Directory> section they apply to everything that's physically located in that directory. (Stay away from <Location> sections until you are absolutely certain what you are doing.) If they're in an .htaccess file, they apply to everything in the directory that contains the htaccess file.
Anything that can go in htaccess can go in config. The opposite is not true.
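An added example (not from any post in this thread) of a single server-wide blocklist in httpd.conf, in the older Order/Allow/Deny syntax and in the Apache 2.4 Require syntax. The path /var/www and the addresses (documentation ranges) are assumptions. The rules sit in a <Directory> container because the documented context for Order, Allow, Deny and Require is directory and .htaccess.

```apache
# httpd.conf, outside every <VirtualHost>, so the section is merged into all
# virtual hosts whose files live under /var/www (assumed parent directory).
# Use ONE of the two options below; do not mix the two syntaxes.

# --- Option A: Apache 2.2 (mod_authz_host), or 2.4 with mod_access_compat ---
<Directory "/var/www">
    # Allow,Deny: Allow lines are evaluated first, then Deny lines;
    # a client that matches both is denied.
    Order Allow,Deny
    Allow from all
    Deny from 192.0.2.0/24        # placeholder CIDR range
    Deny from 198.51.100.17       # placeholder single address
</Directory>

# --- Option B: Apache 2.4 native (mod_authz_core + mod_authz_host) ---
<Directory "/var/www">
    <RequireAll>
        Require all granted
        Require not ip 192.0.2.0/24
        Require not ip 198.51.100.17
    </RequireAll>
</Directory>
```

Run `apachectl configtest` before reloading so that a syntax error in the shared file does not take every site down at once.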
Dan99
1:37 pm on Nov 5, 2014 (gmt 0)
Thank you Lucy. That's exactly what I need to know. I gather that .htaccess files are just site-specific distributions of httpd.conf. That is, the whole purpose of a .htaccess file is to do for one site what you don't want to do for all of them.
lucy24
4:58 pm on Nov 5, 2014 (gmt 0)
In general terms, yes. On some hosting setups (including mine) you may also have a "userspace"-- a directory that in turn contains all your sites. If so, it's possible to set access-control restrictions for all your sites in a single htaccess file while maintaining additional, site-specific htaccess files. Sites might also share basic things like charset, extension-specific headers and so on.
The one limitation to keep in mind is that, while most Apache directives are inherited, mod_rewrite is not. So be careful about where you put your RewriteRules.
So far, <Directory> sections can't be nested. So if you have rules for <Directory foobar> and <Directory foobar/widget> the packages have to go side by side, not one inside the other.
Dan99
5:22 pm on Nov 5, 2014 (gmt 0)
Ah, a "userspace" is a smart idea. So one could put a .htaccess in that directory that would govern access for all the sites in that directory, and then put site-specific htaccess files in the individual site directories. So .htaccess rules cascade (inherited?) I guess, from one directory to directories contained within.
Excellent point about mod_rewrite. So a simple "Deny" is inherited, but RewriteEngine commands are not.
lucy24
9:15 pm on Nov 5, 2014 (gmt 0)
Basically everything is inherited except mod_rewrite, which is just weird by nature. (Possibly also mod_security, third party.) You can say
RewriteOptions Inherit
but results may not be exactly what was intended. This setting is, itself, not inherited; you have to say it over again with each occurrence of RewriteEngine On. It basically means "We're starting some more rewrites, but don't throw away the old ones."
Some specific directives may also have constraints. I know
Options -Indexes
didn't work when I put it in my shared htaccess. But <Files> envelopes definitely work, so you can make a rule for "any file with name matching this pattern, in any (sub)directory along this path". For example you can make a rule giving everyone access to robots.txt, even if they'd otherwise be locked out. But once you've got access to the server's config file, most rules should go there instead.
Many rules that are expressed as "such-and-such happens in htaccess vs. this-and-that happens in config" might more accurately be expressed as "such-and-such happens in a directory context while this-and-that happens if the rule is lying loose in config". (Many. Not all.)
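An added example (not from any post in this thread) of the "userspace" layout discussed above: a shared .htaccess with a blocklist and a <Files> exception for robots.txt, plus a site-level .htaccess that opts in to the shared rewrite rules. The directory names, the addresses (documentation ranges) and the rewrite rules are assumptions.

```apache
# ---- /home/example/.htaccess  (hypothetical userspace; all sites live below it) ----
Order Allow,Deny
Allow from all
Deny from 192.0.2.0/24            # placeholder CIDR range

# robots.txt stays readable for everyone, in any (sub)directory on this path.
# A section that uses Order/Allow/Deny does not inherit the lists from the
# enclosing section, so this envelope is not affected by the Deny above.
<Files "robots.txt">
    Order Allow,Deny
    Allow from all
</Files>

# Shared rewrite rule: refuse requests for leftover backup files.
# The pattern is not anchored at the start, so it still matches when it is
# inherited into a subdirectory and evaluated relative to that directory.
RewriteEngine On
RewriteRule \.bak$ - [F]

# ---- /home/example/site-one/.htaccess  (hypothetical site directory) ----
# The blocklist above applies here without repeating it. Adding any
# Order/Allow/Deny line in this file would replace the shared list for this
# site rather than extend it, so repeat the shared Deny lines if you add more.

# mod_rewrite is the exception: without "RewriteOptions Inherit" the shared
# .bak rule is dropped as soon as this file turns the engine on.
RewriteEngine On
RewriteOptions Inherit
RewriteRule ^old-page\.html$ /new-page.html [R=301,L]
```

With plain `Inherit`, the parent's rules are evaluated after this file's own rules, which is one reason the results can differ from what was intended.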