3015
No gain, without drain!
It is possible to tighten the module to tidy, which may lead to discomfort for some users.
But in general the module is doing a great job and still indispensible.
How much discomfort will be there for all the users, if the site gets hacked or flooded with SPAM?
A little 'collateral damage' or some 'deads on friendly fire' seems acceptable, altough every one is one too many.
IP banning is like the dead penalty, but it is one of the most effective ways to stop further attacking. If you would have a setting, like the dos setting to exclude modules from it, but then to allow a module under all cicumstances, you could eg allow always the contact us module. So users could always give feedback on their problem. But I'm afraid that would make the Protector module total useless on both the security (Full XOOPS with one module loaded exposed) and SPAM (abuse of the form).
No matter how you turn it, hackers and spammers degrade the interactive internet and it will always be a delicate and fine balance between the two evils: user friendliness with no barriers and useless, or usefull and user unfriendly due to the security measures. As example take a guestbook, one where everyone can post by filling a field and push a button or one where you have to fill in a captcha or need to login.
But I agree, XOOPS should have some of the protection mechanisms of itself and not have to rely on a module.
But for the time being, I can only recommend to use the module. Check regulary its logs and correlate it with the Apache logs and adapt the settings in case of problems.