In order to answer your timing question it's important to understand how blacklists really help you. Blacklists are a great way to slow-down attackers and work great when triggered appropriately. Even a 30-minute blacklist can really have a huge impact against any type of automated attack. There are tools like fail2ban (link below) which can easily help you automate your blacklisting based on malicious behavior. Likewise there are tools like ipset (link below) which can be used with iptables to create large black-lists or white-lists than can easily block or allow tens of thousands of IP's with almost no impact on performance.
But back to your question on timing. Every site will have different needs and different requirements but as a general rule of thumb I group who I blacklist into three categories.
1.) IP's that will never have a need to connect to these systems
2.) IP's that are doing really targeted harmful stuff to these systems
3.) IP's that are scanning or doing something less harmful but are still annoying and may include a customers infected system.
and based on these groups (yours may be different) I set a variety of different block times. In this example I use the following block times based on the groups above.
1.) Forever
2.) 24-168 hours
3.) 30-60 minutes with 30 minutes being the most common.
This said I would also take into context what activity you are blacklisting. If an organization has a public website but I see attacks brute-forcing secure-shell or a VPN server (something that is NOT meant to be accessible to the general public) I don't mind blocking that type activity for much longer on that port or protocol. Likewise if I see an IP address really hammering a site with tens of thousands of attacks or repeated activities for days that IP gets blocked for a longer time.
So in some sense there is no cure-all answer to your question but I do see lots of very large name-brand companies blocking for at least 30 minutes to disrupt the automated attacks and I highly recommend doing this because it gets rid of a lot of the brute-force scanning that ultimately effects all sites.
Note: With the #2 group it is also wise to send an abuse e-mail to the bad actors ISP CC'ing the IP owner and/or domain owner. Frequently this helps resolve the problem after a few days and if not you can always promote that IP to group #1 if you have too.
Finally I would also recommend creating a white-list of your infrastructure and also of your key business partners or critical clients. Occasionally business partners do check the security of their supply chain and you may not want to auto-block these organizations if they decide to take a closer look at what you are doing.
I think it is very wise to actively blacklist bad actors especially since it's a very cost-effective defense but I wouldn't limit your blocking to a single type & time-frame if you can avoid it. That said if you do, 30-minutes seems to be the industry norm right now.
http://www.fail2ban.org/
http://ipset.netfilter.org/
http://ipverse.net/ipblocks/data/countries/
Hope this helps.
