FYI unless you have an existing mod_security configuration to upgrade
  (and even with that) upgrading mod_security is a 30-second operation.

Not really - We have mod_security compiled straight into Apache, so it's not just a question of compiling a new module and dropping it in on the server; we have to recompile our entire Apache setup, which (I'm being told) is a fairly complicated process, and right now the SysAdmin is too busy to help me...

  Avoid launching a script if possible. If you don't those attacking
  you will be able to create dozens of processes per second simply
  by sending many requests in parallel.

  A better idea is to pipe the error log to a single inspecting
  process (like httpd-guardian).

Hmmm, that probably would be better; I'd have to parse the log to find only the entries I'm interested in (since I don't want to block valid users behind proxies), but I'd be less susceptible to getting flooded with forking processes.

  You should even be able to create a nice page to show to the
  blacklisted users.

Already planned! As well as sending an alert to the syslog so that we know what's happening... which I believe your script already does.

Thanks Ivan!

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
Tel: +44 20 8141 2161, Fax: +44 87 0762 3934
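The single-inspector approach discussed in the thread (pipe the error log into one long-lived process instead of launching a script per hit, parse out only the mod_security denials, and skip known proxies so valid users behind them are not blocked), as an added example that is not code from the thread or from httpd-guardian. The log line shape, the threshold/window values and the sample addresses are constructed assumptions for this example.

```python
import re
import sys
import time
from collections import defaultdict, deque

# Assumed (constructed) line shape: an Apache error-log entry carrying a
# mod_security denial. Adjust LINE_RE to match your own error_log format.
LINE_RE = re.compile(r"\[client (?P<ip>[0-9.]+)\].*mod_security: Access denied")

def parse_line(line):
    """Return the client IP of a mod_security denial line, or None otherwise."""
    m = LINE_RE.search(line)
    return m.group("ip") if m else None

class Inspector:
    """One long-lived process: counts denials per IP over a sliding window and
    decides who to blacklist. No fork per request, so a flood of requests
    costs one regex match each rather than one process each."""
    def __init__(self, threshold=5, window=60.0, exempt=()):
        self.threshold, self.window = threshold, window
        self.exempt = set(exempt)       # shared proxies that must not be blocked
        self.hits = defaultdict(deque)  # ip -> timestamps of recent denials
        self.blocked = set()

    def observe(self, line, now):
        """Feed one log line with its timestamp; return the IP if newly blocked."""
        ip = parse_line(line)
        if ip is None or ip in self.exempt or ip in self.blocked:
            return None
        q = self.hits[ip]
        q.append(now)
        while q and now - q[0] > self.window:  # forget hits outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked.add(ip)
            return ip
        return None

def scan(lines, inspector, step=1.0):
    """Replay lines one `step` second apart; return the IPs blocked, in order."""
    blocked = []
    for t, line in enumerate(lines):
        ip = inspector.observe(line, t * step)
        if ip is not None:
            blocked.append(ip)
    return blocked

# Constructed sample: 203.0.113.5 trips the threshold, 198.51.100.9 is an exempt
# proxy, and the final notice line carries no denial at all.
SAMPLE = (
    ["[error] [client 203.0.113.5] mod_security: Access denied with code 403."] * 3
    + ["[error] [client 198.51.100.9] mod_security: Access denied with code 403."] * 4
    + ["[notice] Apache configured -- resuming normal operations"]
)

if __name__ == "__main__":  # usage: tail -F error_log | python inspector.py
    insp = Inspector(threshold=3, exempt={"198.51.100.9"})
    for line in sys.stdin:
        ip = insp.observe(line, time.time())
        if ip:
            print(f"BLOCK {ip}", flush=True)  # hand to your firewall / deny list
```

The `BLOCK` line is the hook for whatever does the actual blocking and the syslog alert; the inspector itself only decides.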