There are several ways, one of the better ways (IMO) in my opinion is to do so thru your cPanel or Plesk panel whichever you use.   Just use the ip deny feature. 

Here is what i do and it has worked fairly well..  but you need to understand that this is a hardcore, above and beyond way of doing it and you will end up blocking good customers.  But there is no way to have your cake and eat it to, drastic times call for drastic measures. 

What i do is i watch my error log, if i see an ip that is trying to run some strange script or repeadedly looking for a file that does not exist or other strange behavior, i handle this in several phases.

IP's are in several segments,  1.2.3.4  example: 999.999.999.999

A.  if they are in fact running a script to look for holes in my script i  deny 1.2. 

B.  if i am not 100% sure i use a find ip location site and run the ip, if its from a country that i dont care if i get business or not then i deny 1.2.3.

c.  if i get repeated issues with a certain ip segment example 999.   then i will deny the whole ip range.  example 999.  which will deny anything that begins with 999.

you will start seeing alot of messages in your errror log that says they were denied by server config, thats is what you want.

Remember that nothing is perfect and again you will end up blocking normal visitors but there is no easy way to make everyone happy. 

You will have to be diligent and check the error log every day as i do and like me you will eventually see the issues go away.

Yes they can use proxies but remember that many of these idiots or bots are from countries that getting a new ip is very very hard to do, so they are limited to a certain range and if you deny that range they cant get access.

There are websites like this one http://www.ipdeny.com/ipblocks/ that have ip's from different countries that you can just copy and paste into your htaccess file.   But you have to ask yourself, do you really trust those lists, i dont... besides you will end up with a htaccess file that is a mile long and you dont want that either, all you want is to deny the ip's that are bothering you, not all ip's of the world that never affect you.

Also remember that there is no designation that says that a certain ip is just from one country.  That means that if i deny ip 999.   that ip 1st position could come from USA or africa or india or any other country... But i do this becuase i am tired of dealing with them and i fight dirty lol...  Its worth the risk to me..

I also have information available that if they are valid visitors they can contact me and i will rework the ip deny to allow them.

+1 to daves reply