Some clients try a large amount of non existing urls to test for vulnerability (phpmyadmin, …). I try to limit the requests with the following (non working) code in the http section:

map $status $zone {
404 $binary_remote_addr;
default "";
# or 200 "";
}

limit_req_zone $zone zone=errors:10m rate=10r/m;
limit_req zone=errors nodelay;

any ideas how I can do this, and block any requests (even with non 404 status code) for some time from these ips?