@cwebber localhost only is not good enough, and the full IP blacklist is quite hard (especially considering IPV6, 4-in-6 etc).
Remember the guy who made his garage door respond to GET requests..