Does anyone see a pattern in the order of the URLs they request? I'm thinking along the lines of making a dynamic ban list of any IP that requests certain files.
Mine always make the same 25 requests in exactly the same order. If you don't actually have awstats files, you can simply slam the door on anything that asks for it:
RewriteRule awstats - [F]
If you do have awstats, you'll need to add a few Conditions to let yourself in. Constrain it to THE_REQUEST and so on.
With me, half of them got 403'd up front by asking for .php files; the other half ask for .pl so they now get locked out too. And as noted above, one block of four requests may get zapped by mod_security before you ever see it.
The requests for / annoy me a lot because they can't be blocked. I do look up the IPs as they come along, and if they're from somewhere really useless they'll get locked out-- I've found a few more pieces of China that way ;) But banning by IP isn't going to do it.
So far, each visit is from a single IP. So if you can write the right kind of script, you can pounce on anything that asks for awstats and then lock out that specific IP
for the next 24 hours.
I don't think I can do this-- it sounds like a config-file type of activity-- but I haven't given up on my host. I know they sometimes do global lockouts because I once found a group of 503s in the logs and asked about it. Every now and then I nag them about muieblackcat, which is the same kind of thing: it's the first request in an up-to-no-good series. And, as far as I know, unlike awstats it has no legitimate existence.