I run a couple of Drupal sites, www.copyrightaction.com and www.photorights.org, that have been under sustained attack for months now. Each gets around 900 nefarious access attempts every hour, 24/7. They are a mixture of attempts to log in with random usernames, and attempted PHP/XSS/HTML/CSS exploits. Much of it appears to be attempts to post comment spam promoting counterfeit fashion items, pharma etc. The IPs responsible are mostly in the US. They never succeed or penetrate the sites, but the trouble is that they eat log space and bandwidth. These are non-profit community sites on a shared server; our legit traffic is about 5% of the whole :( At times I have been forced to take the sites offline to clean up. We need airstrikes.
I began by using the Troll module to block IPs manually, but have since used the modules Login Security and Phpids to automatically block IPs. Both work well: since the same IPs often issue dozens or hundreds of attempts, they invariably get trapped. However, that does not fix the problem with exploding logs eating all the webspace nor the waste of bandwidth dealing with the b*stards. About 90% of our bandwidth is being trashed by these morons.
So I've exported all the blocked IPs from the various modules' tables and created an .htaccess that "deny from" the individual IPs or CIDR ranges where several adjacent IPs have been trapped. That keeps them out of Drupal's hair and minimises the impact.
That's fine as far as it goes. Most of the crud is now getting blocked upstream of Drupal, but every day I have to manually add another 20 or so new IPs that have joined the botnet and show up in Watchdog. This is tedious to say the least. It's the sort of drudgery that computers should do.
I guess what I need is a module that I can have cron run against either the Watchdog log, or against the banned-IP tables of Troll, Login Security and Phpids, and write the necessary "deny from" statements into .htaccess. (Actually, even "deny from" radio buttons on Watchdog entries would be a step forward, rather than having to copy & paste to an editor then FTP a new .htaccess).
Unfortunately I'm a beginner PHP coder, but if anyone knows of a module or script that would serve as a starting point, I'm now pretty desperate to sort something out. It has wasted days of my unpaid time. If anyone has any suggestions I would be very pleased to hear.
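An added example, not part of the original post and not code from any of the modules named in it: a cron-style Python script that turns an exported list of banned IPs into "deny from" lines and rewrites only a marked block of .htaccess. It assumes the IPs have already been exported as plain strings; the marker comments, the function names and the "3 hits in one /24" rule are assumptions made for illustration.

```python
import ipaddress, os, tempfile

BEGIN, END = "# BEGIN auto-deny (managed block)", "# END auto-deny"
# Constructed sample input (documentation address ranges), not real offenders.
SAMPLE = ["203.0.113.5", "203.0.113.9", "203.0.113.77", "198.51.100.7", "bogus"]

def deny_lines(ips, threshold=3):
    """Banned IPv4 strings -> sorted 'deny from' lines.
    Assumed heuristic: `threshold` or more hits in one /24 deny the whole /24."""
    by_net = {}
    for raw in ips:
        try:
            addr = ipaddress.IPv4Address(raw.strip())
        except ValueError:
            continue  # never copy unvalidated text into .htaccess
        net = ipaddress.ip_network(f"{addr}/24", strict=False)
        by_net.setdefault(net, set()).add(addr)
    nets = []
    for net, addrs in by_net.items():
        if len(addrs) >= threshold:
            nets.append(net)
        else:
            nets.extend(ipaddress.ip_network(f"{a}/32") for a in addrs)
    merged = sorted(ipaddress.collapse_addresses(nets))
    return [f"deny from {n.network_address if n.prefixlen == 32 else n}" for n in merged]

def render(text, ips, threshold=3):
    """Return .htaccess text with the managed block replaced, or appended."""
    block = "\n".join([BEGIN, *deny_lines(ips, threshold), END])
    head, found, rest = text.partition(BEGIN)
    if found and END in rest:
        return head + block + rest.split(END, 1)[1]
    return text.rstrip("\n") + "\n\n" + block + "\n"

def update_file(path, ips, threshold=3):
    """Rewrite `path` atomically so Apache never reads a half-written file."""
    with open(path, encoding="utf-8") as f:
        new_text = render(f.read(), ips, threshold)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(new_text)
    os.chmod(tmp, os.stat(path).st_mode & 0o777)  # mkstemp creates 0600
    os.replace(tmp, path)

if __name__ == "__main__":
    print(render("RewriteEngine on\n", SAMPLE))
```

Everything outside the two marker comments is left untouched, so hand-written rules in the same .htaccess survive each run.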