Equivalent to denyhosts, but for HTTP requests?

Solution 1:

http://www.modsecurity.org/ may do what you want.

Solution 2:

fail2ban scans log files like /var/log/apache/error_log and bans IPs that make these automated scans based on regular expressions (called filters). By default it updates the firewall (iptables) to block the offending IP. It is very easy to write new actions, and implementing one for updating a .htaccess should be quite simple; there are several examples available in the fail2ban distribution.
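As an added illustration of the filter-plus-action idea described above (not code from the original answer or from fail2ban itself), the script below applies a fail2ban-style failregex to constructed Apache 2.2 error_log lines, counts matches per client IP, bans addresses that reach a `maxretry` threshold, and renders the .htaccess deny block such a custom action would write. The log lines, IP addresses and the `FAILREGEX` pattern are constructed sample values.

```python
import re
from collections import Counter

# Constructed sample lines in the Apache 2.2 error_log format.
# 203.0.113.5 probes for non-existent scripts; 198.51.100.7 is a normal client.
SAMPLE_ERROR_LOG = """\
[Mon Jan 01 10:00:01 2024] [error] [client 203.0.113.5] File does not exist: /var/www/html/phpmyadmin
[Mon Jan 01 10:00:02 2024] [error] [client 203.0.113.5] File does not exist: /var/www/html/pma
[Mon Jan 01 10:00:03 2024] [error] [client 203.0.113.5] script not found or unable to stat: /var/www/cgi-bin/php
[Mon Jan 01 10:00:04 2024] [error] [client 198.51.100.7] File does not exist: /var/www/html/favicon.ico
[Mon Jan 01 10:00:05 2024] [notice] caught SIGTERM, shutting down
"""

# fail2ban filters use a <HOST> placeholder for the offending address.
# This pattern is a constructed example, not a filter shipped with fail2ban.
FAILREGEX = r"\[client <HOST>\] (File does not exist|script not found or unable to stat):"

def compile_failregex(pattern):
    """Expand <HOST> into a named IPv4 capture group, as fail2ban does."""
    return re.compile(pattern.replace("<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"))

def count_hits(log_text, pattern=FAILREGEX):
    """Return a Counter of failregex matches per client IP."""
    rx = compile_failregex(pattern)
    hits = Counter()
    for line in log_text.splitlines():
        m = rx.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits

def select_bans(hits, maxretry=3):
    """IPs that reached the maxretry threshold, like fail2ban's jail setting."""
    return sorted(ip for ip, n in hits.items() if n >= maxretry)

def htaccess_deny_block(banned):
    """The Apache 2.2 access-control block a .htaccess action would write."""
    lines = ["Order Allow,Deny", "Allow from all"] + [f"Deny from {ip}" for ip in banned]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    hits = count_hits(SAMPLE_ERROR_LOG)
    banned = select_bans(hits)
    print(hits)
    print(htaccess_deny_block(banned))
```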

Solution 3:

I'll second fail2ban. It works live, it can ban temporarily, and it can add IP addresses to your firewall so Apache doesn't have to waste time on it.

Even more efficient when coupled with the ipset netfilter module for iptables (which is faster for handling large amounts of addresses), and it can ban them instantly so they only get to make one or two requests before getting blocked.

If you really, really hate these people and are running Linux, you could also try to implement tarpitting for iptables (a quick search hasn't found any 2.6-compatible patches). This will accept the connection and then immediately set the window size to 0 (preventing data from being transferred), but also prevent the remote end from closing the connection at all, meaning whatever app is connecting will have to wait somewhere between three and twenty (!!) minutes before the connection times out on their end.

This is great for stopping portscanners as well, because it makes them take orders of magnitude longer than they normally would.