Bruteforce protection - login lockout

It would be useful to have bruteforce protection for the login form: in case of several (3-5) incorrect login attempts, the user's IP address should be locked out for a certain timeframe.

What do you think - does it make sense to implement that at the application (WriteFreely) level?

Otherwise I am thinking of writing a fail2ban rule for WriteFreely :blush:

Hello!

I'm running 0.11.2 behind an NGINX reverse proxy, but it seems that WriteFreely is not logging the source IP address of the requests, so how can we write a fail2ban rule?
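
The two posts above combine into one design constraint: a per-IP lockout only works behind a reverse proxy if the application keys on the real client address rather than the proxy's. The following Go sketch is an added example, not code from either poster or from WriteFreely; a login handler would call `Blocked(ClientIP(r), now)` before checking the password and `Fail` after a bad one. Assumptions: NGINX is configured with `proxy_set_header X-Real-IP $remote_addr;`, and the `Lockout` type, its fields and the thresholds are hypothetical.

```go
package main

import (
	"net"
	"net/http"
	"sync"
	"time"
)

// Lockout is a hypothetical per-IP failed-login tracker, not WriteFreely code.
type Lockout struct {
	mu             sync.Mutex
	Max            int           // failures tolerated within Window
	Window, BanFor time.Duration // counting period; lockout length
	Proxy          string        // only this peer's X-Real-IP is trusted
	m              map[string]entry
}
type entry struct{ n int; first, until time.Time } // count, window start, ban expiry

// ClientIP picks the lockout key. Behind a reverse proxy RemoteAddr is the proxy itself,
// so X-Real-IP is used, but only when the peer is the trusted proxy (else it is spoofable).
func (l *Lockout) ClientIP(r *http.Request) string {
	host, _, _ := net.SplitHostPort(r.RemoteAddr) // host is "" if RemoteAddr is malformed
	if ip := net.ParseIP(r.Header.Get("X-Real-IP")); host == l.Proxy && ip != nil {
		return ip.String()
	}
	return host
}

// Fail records a failed login at now; Blocked reports whether ip is locked out at now.
func (l *Lockout) Fail(ip string, now time.Time) {
	l.mu.Lock()
	defer l.mu.Unlock()
	e := l.m[ip]
	if now.Sub(e.first) > l.Window { // old failures have aged out: start a new window
		e = entry{first: now, until: e.until}
	}
	if e.n++; e.n >= l.Max {
		e = entry{until: now.Add(l.BanFor)}
	}
	if l.m == nil {
		l.m = map[string]entry{}
	}
	l.m[ip] = e
}
func (l *Lockout) Blocked(ip string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	return now.Before(l.m[ip].until)
}
```

Without the `Proxy` check, every visitor would share the proxy's address and a handful of bad logins would lock out all users; with the header trusted from any peer, a client could rotate the value to evade the lockout.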