I've just discovered a 3.4 megabyte error log for my default web site. 16 hours of continuous probing for vulnerabilities, all from one of four adjacent IP addresses in Maryland (our of a single /24).
Now, I can understand script kiddies using automated software they don't understand to scan IP addresses at random, but I mean, really! 16 *hours*? What part of "access denied" don't they understand?
(I am absolutely convinved that, even if you have only a single web site on your serer, you should configure it with virtual hosts, and set the default web site up with a "deny all" directive. This stops the automated IP address scans cold, and 99.99% of the script kiddies simply don't understand why they can't even connect.)