It seems like it would be very desirable to have a maximum number of allowed bad password attempts for a given user from a given IP address, and then a timeout period. Both could be configured at server startup. Maybe:
So if login attempts like root@'220.127.116.11' got the password wrong 10 times, that user@ipaddress combination would be locked out for 120 seconds. That same user can log in from another IP immediately; it only blocks logins for that user from the IP address that failed multiple times.
This seems like an easy way to help prevent DoS and brute-force attacks.
Can someone confirm that they would not be able to spoof an IP address and therefore create a DoS attack by locking out legitimate attempts?
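As an added example (not code from the original post or from any server project), here is a small Python model of the lockout policy the post describes: a failure counter keyed on the (user, source address) pair, a configurable attempt threshold and timeout, a login path that refuses locked pairs before touching the password, and a purge step so that the table of pairs cannot itself become a memory-exhaustion problem when many distinct addresses fail. The class and function names, the sample credential and the addresses are all constructed for this example, and the clock is injectable so the timeout behaviour can be exercised without waiting.

```python
import time
from dataclasses import dataclass


@dataclass
class _Entry:
    failures: int = 0          # consecutive wrong passwords since the last success or lockout
    last_failure: float = 0.0  # clock time of the most recent failure
    locked_until: float = 0.0  # clock time at which the lockout ends (0.0 = not locked)


class LoginThrottle:
    """Per (user, source address) bad-password counter with a timed lockout.

    Hypothetical implementation of the policy proposed in the post (not code
    from any real server): once ``max_attempts`` wrong passwords have been seen
    for one user from one address, that pair is refused for ``lockout_seconds``.
    The same user connecting from a different address is not affected.
    """

    def __init__(self, max_attempts=10, lockout_seconds=120, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self._clock = clock            # injectable so tests can drive time forward
        self._entries = {}             # (user, addr) -> _Entry

    def is_locked(self, user, addr):
        entry = self._entries.get((user, addr))
        return entry is not None and entry.locked_until > self._clock()

    def record_failure(self, user, addr):
        """Count one wrong password. Returns True if the pair is now locked out."""
        now = self._clock()
        entry = self._entries.setdefault((user, addr), _Entry())
        if entry.locked_until > now:
            return True                # already locked; attempts during lockout do not extend it
        if entry.locked_until:
            entry.failures = 0         # an earlier lockout has expired: start a fresh count
            entry.locked_until = 0.0
        entry.failures += 1
        entry.last_failure = now
        if entry.failures >= self.max_attempts:
            entry.locked_until = now + self.lockout_seconds
            return True
        return False

    def record_success(self, user, addr):
        """A correct password clears the counter for that pair."""
        self._entries.pop((user, addr), None)

    def purge_stale(self):
        """Drop entries that are neither locked nor recently active, so the table
        cannot grow without bound under a flood of distinct (user, addr) pairs.
        Returns the number of entries removed."""
        now = self._clock()
        stale = [key for key, e in self._entries.items()
                 if e.locked_until <= now and now - e.last_failure > self.lockout_seconds]
        for key in stale:
            del self._entries[key]
        return len(stale)


def attempt_login(throttle, user, addr, password, credentials):
    """Simulated server login path: refuse locked pairs before verifying anything."""
    if throttle.is_locked(user, addr):
        return "locked"
    if credentials.get(user) == password:   # stand-in for real password verification
        throttle.record_success(user, addr)
        return "ok"
    throttle.record_failure(user, addr)
    return "bad password"


def demo(clock=time.monotonic):
    """Walk through the scenario from the post: 10 failures lock one address only."""
    creds = {"root": "correct-horse"}       # constructed sample credential
    t = LoginThrottle(max_attempts=10, lockout_seconds=120, clock=clock)
    results = [attempt_login(t, "root", "198.51.100.7", "wrong", creds) for _ in range(10)]
    results.append(attempt_login(t, "root", "198.51.100.7", "correct-horse", creds))  # locked
    results.append(attempt_login(t, "root", "203.0.113.9", "correct-horse", creds))   # other address: ok
    return results


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: attempts made while a pair is already locked are rejected without being counted, so a flood of attempts cannot extend a lockout indefinitely, and keying on the (user, address) pair rather than on the user alone limits how much a single failing address can interfere with that user's logins from elsewhere.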