Such blocking might best be done at the network layer.
Depending upon OS of server ... CentOS 7, for example, has firewalld.
Firewalld has several default zones:
Drop – All incoming network packets are dropped with no reply except outgoing connections.
It is very easy to set single IP addresses or range of IP addresses to the drop
Example ... from a Logwatch report:
A total of 1 sites probed the server
A total of 2 possible successful probes were detected (the following URLs
contain strings that match one or more of a listing of strings that
indicate a possible exploit):
They weren't by the way ... script kiddie thing looking for Windows vulnerabilities
possible exploits. Annoying and harmless.
whois on that IP shows that it's
descr: CHINANET-HN Changsha node network
descr: hunan Telecom
18.104.22.168 - 22.214.171.124
to DROP packets from that IP:
firewall-cmd --zone=drop --add-source=126.96.36.199
Never gets to apache and thus moodle or any other web based app.
Could do the same for ip ranges of country IP addresses.
I've found that it's usually not entire nation IP addresses.
Set United States Apache .htaccess Allow
even if we aren't going to use .htaccess
Big file!!!! 1.8 Megs ... a lot of apache processing ... performance hit
over entire site.
Guess what .. I've actually blocked some US IP addresses.
If whatever is determined ... easy to lease a cheapo host in the US and
then do their dirty work from there ... Want to block -> VPN/Proxy -> your server.
So the allow all US IPs would have to be more finely tuned.
So back to the questions I asked in first response ... basically, can you ID the IP addresses that are repeat offenders? Research those. Then decide approach ... but if you can, do it at the network layer!
Also note: I admin corp moodle servers that recently added courses offered in Chinese for customers and a K12 Moodle that offers a course in Mandarin Chinese - what's legit traffic and what's not?
'spirit of sharing', Ken
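
The approach described in the post above (identify the repeat offenders, then drop them at the network layer), as an added example that is not part of the original post. The probe pattern, the threshold and the sample log lines are assumptions constructed for illustration; only the firewall-cmd command comes from the post.

```shell
#!/bin/sh
# Added example (not from the post): find repeat offenders in an Apache
# access log and print the firewalld drop-zone command for each one.

# Assumption: on a Linux web server, requests for Windows-only file types
# are probes. Tune this pattern to what your own Logwatch reports show.
PROBE_RE='[.](asp|aspx|exe|dll)([?]|$)'

# Constructed sample in Apache combined log format. Addresses are from the
# RFC 5737 documentation ranges; on CentOS the real file is normally
# /var/log/httpd/access_log.
sample_log() {
cat <<'EOF'
203.0.113.7 - - [12/Mar/2018:04:11:02 +0000] "GET /default.asp HTTP/1.1" 404 208 "-" "-"
203.0.113.7 - - [12/Mar/2018:04:11:03 +0000] "GET /admin/login.aspx HTTP/1.1" 404 214 "-" "-"
203.0.113.7 - - [12/Mar/2018:04:11:04 +0000] "GET /cgi-bin/test.exe HTTP/1.1" 404 214 "-" "-"
198.51.100.23 - - [12/Mar/2018:08:30:15 +0000] "GET /course/view.php?id=4 HTTP/1.1" 200 18234 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2018:08:31:40 +0000] "GET /Default.ASP HTTP/1.1" 404 208 "-" "Mozilla/5.0"
192.0.2.50 - - [12/Mar/2018:09:02:11 +0000] "GET /login/index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
EOF
}

# Read a log on stdin; print "hits ip" for every client with at least
# $1 probe requests (default 3), busiest first.
repeat_offenders() {
  awk -v min="${1:-3}" -v re="$PROBE_RE" '
    tolower($7) ~ re { hits[$1]++ }
    END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
  ' | sort -k1,1nr -k2,2
}

# Turn "hits ip" lines into the command from the post. Only literal IPv4
# addresses pass, so a hostname logged in field 1 never reaches the firewall.
drop_commands() {
  awk '$2 ~ /^[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+$/ {
    print "firewall-cmd --zone=drop --add-source=" $2
  }'
}

# Print the candidates for review; nothing is applied here.
sample_log | repeat_offenders 3 | drop_commands
```

The commands are only printed, so each address can be researched (whois, course enrolments) before it is applied. Run as shown, firewall-cmd changes the runtime configuration only; adding --permanent and reloading keeps the entry across restarts.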