Bruteforce protection - login lockout

It would be useful to have bruteforce protection for login form: in case of several (3-5) incorrect login attempts user IP address should be locked out for certain timeframe.

What do you think - does it make sense to implement that on apllication (WriteFreely) level?

Otherwise I am thinking to write a fail2ban rule for WriteFreely :blush:


Iā€™m running 0.11.2 behind NGINX reverse proxy, but it seems that WriteFreely is not logging the source IP address of the requests, so how can we write a fail2ban rule?