are you sure it's the same person? (or same 'thing'?) it can't be from one person, so it's either automated or from lots of different users.
if it's automated and it's switching IPS then i wouldn't bother blocking anymore. you'd be there all day, and you might just end up blocking a load of people that you want to keep.

i would just make sure that the file is secure and not worry about it.

but the name 'modules.php' sounds like something that might get delivered on every visit. what is in it? are you sure that it isn't just getting delivered to everyone who visits your site? or to everyone who visits a particular section of your site?

[edit --] if the page is just being referenced in your php script, then you could simply change the name of the file to something else. that would stop them. or if you feeling a bit braver, then you could move the page out of your root folder. because they won't be able to access it at all then, even if they know what the filename is.
but if it's an actual link that is in the search engines then obviously you wouldn't want to touch it

Rename that file to something else, and point all your scripts to it.
Create a new file with the same output as the original file (but all random crap in there) and put it in the place of the old one.

By the time your hacker figures it out, he would have gathered so much crap he won't know what to keep and what to trow away. :p

I am sure it is the same person because they will hit the file with one ip over and over until i ban it, then 5 to 10 mins later they will start again with a new ip..

The file is a key script on my site but it is never called like they are calling it:

"modules.php"

its normal use is

/modules.php?name=module-name&op=op

I would change the name but most of the scripts in my CMS reference that file so it will very hard to change them all... also there are links in search engines to it like:

modules.php?name=module-name&op=op

Im guessing they are trying to log in or something, they are posting using a GET. is there any way for me to see what they are posting?

Also how can I tell if the script is fully secure? can I post the contents here? the file comes from a wildly used open source CMS.

Im going to set up a script to automatically catch each new ip and redirect it, is there any site set up to redirect hackers to?

Instead of doing it by IP you could do a rewrite rule that would act if there's no querystring. Personally I'd just do a 403 but I suppose you could redirect back to the originating IP. Whatever bot it is probably won't follow a redirect though.

is there any way for me to see what they are posting?

Add a little programming that logs all input *before* cleansing. Open a plain text file somewhere, append it, monitor it closely, it will reveal what they're up to and how to stop it.

Probably a bot.

Having gone through a similar experience myself I can tell you why you possibly have multiple IP's trying to access it. I had a modification on my forum that could be easily found through search engines by the filename , this modification had a vulnerability. Once it became known for about 3 weeks I was getting hits on the vulnerable file over and over for about 3 or 4 weeks. I didn't check the IP's but I'll assume they were from multiple sources. Fortunately for me I was aware of the problem and had fixed it a day or two before this began.

This sort of behavior is the one of a sort of virus attacking CMS and replicating itself as a worm does. It must be a web attacker which is updated very quickly (and automatically) as soon as a new CMS vulnerability is discovered and which is coming from all the infected websites.
In my case, the virus doesn't try to post anything but tries to exploit hundreds of known vulnerabilities or find new ones (it also attacks pages indexed as getting variables in the URL) to have perl and php scripts (about twenty different names and scripts) executed - these scripts would copy the virus/webattacker in a (hidden) directory, modify the site, add javascript in pages...
I may be wrong.

how can I set it so that if there are no query strings it will redirect to the homepage?

this might not work (i'm a bit rusty) but you could stick this at the top of the modules page

if(!isset($_GET['blahblah'])) {
header('Location: [website.com...]
}

obviously you would change blahblah to whatever the variable is that you are testing for. if it finds that there is no value for the variable, then it should send you to the new page.

headers have to come at the very top of the script though-- before the page prints anything out-- so make sure it goes above the DOCTYPE, and everything else.

if(!isset($_GET['blahblah'])) {
header('Location: http://www.website.com/');
exit();
}

Adding an exit will immediately stop execution of the script when the condition is met, take a small amount of load off your server, and keep it from dumping other info back to the bot.