https://htaccessbook.com/block-ip-address/
choose to your taste.
But I do not advise giving access to write htaccess, there will be a clear hole. It is better to configure fail2ban to parse the next log, or use php to block ip addresses, taking them from a csv file that is being filled, for example

The problem is that Apache is gluttonous, and if you are trying to protect yourself from a lot of requests with .htaccess, then most likely, these requests will already put Apache. And also, if there are a lot of addresses in the blacklist, then this will greatly slow down legitimate requests, because with each request .htaccess will have to be read and parsed, which will grow very much.
Therefore, it is necessary to block explicitly even earlier, for example, using a firewall (if you do not consider external protection methods, in which this task falls on the hoster or an intermediate link like cloudflare, and already filtered requests reach the server).
With a large volume - the black list should not be linear, because. time O (n) obviously does not suit us, checking for the presence of an address will take a lot of time, for example, ipset will help, storing marked addresses in the form of a hash table.