Jerry | 1 Nov 17:08

Re: RBL for script-kiddies?

I guess that's fair enough for a general static server with low comment 
posting. But I have this database server which I have tuned to the max for 
best performance.

If I can stop any kind of access to the site at the firewall then a) httpd 
has less to do, b) modsec has less to do, c) the server can get on with 
other stuff.

Having a downloaded list of dodgy IPs means that I can update the firewall 
regularly and stop the stuff coming in, full stop.

I have a downloadable list of IP addresses per country which I use to block 
rogue countries, but I don't have anything for the various home ADSL / 
compromised servers / proxies which plague the site daily.

The kind of stuff I am on about includes the current exploits such as:

Match of "rx ^apache.*perl"
h t t p : //am ygi rl.c ha t .ru / im ages /i mag e.txt

Ro ot kit attack: Generic Attempt to install ro ot k it
h tt p: //am y ru.h 18. ru/ im a ges/c s.t xt?

I'd not want to let these in through the security cordon and then run an RBL 
check on them. I'd much rather download a list of IPs which have done this 
kind of thing within the past week and block them in their tracks.

> The overhead is not bad when you limit the rbl lookups to certain
> actions at certain uri's only. For example:
>
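Jerry's wish is for "a list of IPs which have done this kind of thing within the past week" that can be pushed into the firewall so httpd and mod_security never see those clients again. The script below is an added example, not code from this thread or from the ModSecurity project: it builds exactly that list from a server's own error_log (the rule hits Jerry quotes appear there as "ModSecurity: Access denied" lines), keeps only clients seen within a sliding window, drops private/loopback addresses so a monitoring box or an internal proxy never gets blocked by accident, and emits `ipset restore` text for an `ipset` + `iptables -m set` drop rule. The log lines, host names, rule messages and addresses (RFC 5737 documentation ranges) are constructed for the example; a real deployment would read `/var/log/apache2/error.log` instead of `SAMPLE_LOG`.

```python
#!/usr/bin/env python3
"""Build a firewall block list from ModSecurity "Access denied" lines in an Apache error_log.

Added example, not from the mailing-list thread: the log format is the ModSecurity 2.x
error_log style; sample lines, hostnames and rule messages below are constructed.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample error_log (NOT real traffic). Addresses are from the RFC 5737
# documentation ranges; the 4th line is deliberately older than a week, the 5th comes
# from a private address, and the 6th is an ordinary Apache error, not a ModSecurity hit.
SAMPLE_LOG = """\
[Sun Nov 01 10:15:02 2009] [error] [client 203.0.113.10] ModSecurity: Access denied with code 403 (phase 2). Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [msg "Libwww-perl probe"] [hostname "www.example.com"] [uri "/index.php"]
[Sun Nov 01 10:15:03 2009] [error] [client 203.0.113.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:ht|f)tps?://" at ARGS:page. [msg "Remote File Inclusion"] [hostname "www.example.com"] [uri "/index.php"]
[Mon Nov 02 03:41:10 2009] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "wget|curl" at ARGS:cmd. [msg "Rootkit attack: Generic Attempt to install rootkit"] [hostname "www.example.com"] [uri "/cgi-bin/x"]
[Fri Oct 16 08:00:00 2009] [error] [client 192.0.2.55] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:ht|f)tps?://" at ARGS:page. [msg "Remote File Inclusion"] [hostname "www.example.com"] [uri "/index.php"]
[Mon Nov 02 04:00:00 2009] [error] [client 10.0.0.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "wget|curl" at ARGS:cmd. [msg "Rootkit attack: Generic Attempt to install rootkit"] [hostname "www.example.com"] [uri "/cgi-bin/x"]
[Mon Nov 02 04:00:00 2009] [error] [client 198.51.100.7] File does not exist: /var/www/favicon.ico
"""
# "Now" for the constructed sample; a real run would use datetime.now().
SAMPLE_NOW = datetime(2009, 11, 2, 12, 0, 0)

# Only lines where ModSecurity actually denied the request count as an attack.
PREFIX_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9A-Fa-f.:]+)\] ModSecurity: Access denied'
)
MSG_RE = re.compile(r'\[msg "([^"]*)"\]')
TS_FMT = "%a %b %d %H:%M:%S %Y"  # Apache error_log timestamp, e.g. "Sun Nov 01 10:15:02 2009"

# Addresses that must never end up in a DROP set, whatever the log says
# (internal proxies, monitoring hosts, loopback). Extend with your own ranges.
NEVER_BLOCK = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128")
]


def parse_line(line):
    """Return {'ts', 'ip', 'msg'} for a ModSecurity denial line, else None."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:  # malformed timestamp or address: skip rather than crash
        return None
    msg = MSG_RE.search(line)
    return {"ts": ts, "ip": ip, "msg": msg.group(1) if msg else ""}


def build_blocklist(log_text, now, window_days=7, min_hits=1):
    """Client addresses with >= min_hits ModSecurity denials in the last window_days."""
    cutoff = now - timedelta(days=window_days)
    hits = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["ts"] < cutoff:
            continue
        if any(ev["ip"] in net for net in NEVER_BLOCK):
            continue
        hits[ev["ip"]] += 1
    chosen = [ip for ip, n in hits.items() if n >= min_hits]
    # Sort v4 before v6, then numerically, so the output is stable between runs.
    return [str(ip) for ip in sorted(chosen, key=lambda ip: (ip.version, int(ip)))]


def render_ipset(ips, setname="modsec-blocklist", ttl_seconds=7 * 24 * 3600):
    """Lines for `ipset restore`; the set timeout makes entries expire by themselves."""
    lines = [f"create {setname} hash:ip timeout {ttl_seconds} -exist"]
    lines += [f"add {setname} {ip} -exist" for ip in ips]
    return lines


if __name__ == "__main__":
    # Stand-alone run over the constructed sample; pipe the output into `ipset restore`.
    for entry in render_ipset(build_blocklist(SAMPLE_LOG, SAMPLE_NOW)):
        print(entry)
```

With the set loaded, a single `iptables -I INPUT -m set --match-set modsec-blocklist src -j DROP` does the blocking; re-running the script from cron keeps refreshing entry timeouts for addresses that are still attacking, while quiet ones age out of the set without any list maintenance. Raising `min_hits` above 1 trades a few missed one-shot probes for protection against blocking a shared NAT address on a single false positive.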