I simply run fail2ban with a whole bunch of custom filters that will ban people very quickly. There's no need to request PHP or malformed URLs when PHP is not used, for example.
I used to run fail2ban, but I found it (or at least its defaults) ineffective against discouraging further requests. With iptables, you can specify the connection to hang for a period and then drop