by willvarfar 3391 days ago
It's hard to do at application level, because you might have a multi-thread or multi-server setup.

Luckily, there are out-of-the-box solutions that are easy to set up, e.g. Fail2ban.

Fail2ban scans your server logs, spots repeat login attempts, and sets up a temporary iptables ban on their IP.

1 comments

I really like Fail2ban for SSH lockdowns, but I worry about using it for repeat login attempts on an application. Depending on the application, this could possibly lock out everyone in an office, campus, etc. For certain critical services being used by everyone, this could cause a fair amount of headache.
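Added example, not part of either comment and not Fail2ban's own code: a sliding-window failure counter over constructed log lines, showing how per-IP counting bans a shared office address as well as a real guesser. The log format, addresses and the per-(IP, user) key are assumptions for illustration; `maxretry` and `findtime` borrow the names of Fail2ban's options.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (hypothetical format). 203.0.113.7 is an office NAT
# shared by three users who each mistype once; 198.51.100.9 is one source
# repeatedly failing against a single account.
LOG = """\
2024-01-01 09:00:01 login failed user=alice ip=203.0.113.7
2024-01-01 09:00:20 login failed user=bob ip=203.0.113.7
2024-01-01 09:00:41 login failed user=carol ip=203.0.113.7
2024-01-01 09:01:00 login failed user=admin ip=198.51.100.9
2024-01-01 09:01:02 login failed user=admin ip=198.51.100.9
2024-01-01 09:01:04 login failed user=admin ip=198.51.100.9
"""

LINE = re.compile(r"^(\S+ \S+) login failed user=(\S+) ip=(\S+)$")

def offenders(log, key_fields, maxretry=3, findtime=600):
    """Return the keys that reach maxretry failures within findtime seconds."""
    windows = defaultdict(deque)   # key -> timestamps of recent failures
    hits = set()
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue               # ignore lines that are not login failures
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        record = {"user": m.group(2), "ip": m.group(3)}
        key = tuple(record[f] for f in key_fields)
        q = windows[key]
        q.append(ts)
        # Drop failures that have aged out of the window.
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            hits.add(key)
    return hits

if __name__ == "__main__":
    # Counting per source IP flags the shared office address too.
    print("per IP:       ", sorted(offenders(LOG, ("ip",))))
    # Counting per (IP, user) flags only the repeated attempts on one account.
    print("per (IP,user):", sorted(offenders(LOG, ("ip", "user"))))
```

Counting per (IP, user) is one possible way to narrow the blast radius; it trades the office-wide lockout for weaker coverage of a source that spreads guesses across many accounts.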