I have a server where CSF/LFD blocks 10-20 IPs a day, every day. 100% of these are from China or Russia - the usual port scanning, brute-forcing, a hundred FIN_WAIT2 connections, etc.
I'm thinking of something like this:
http://www.cyberciti.biz/faq/block-entier-country-using-iptables/
CSF has a "block by country" config also but it warns that it can put a load on a VPS...I imagine some of those chains get really long given how scattered IP distribution is.
Anyone do this?