It is possible to build a client which sends username+password combinations as many time as you like.
.. and if you have username, it is much easier to get in.
To stop this the following can be implemented:
1) Lock user after sequential X incorrect logins
- X can be set by administrator
- if admin's own username is locked, it should be possible to unlock from console
2) Set IP to blacklist (unable to try login) after sequential Y incorrect logins
- Y can be set by administrator
- IP can be removed from Blacklist by admin and it also should be possible to do from console
3) can be also done by using "bullet time" after sequential Z incorrect logins
- when hacker has been tried Z times to login then login period will take time 10 times longer
- when hacker has been tried 2*Z times to login then login period will take time 2*10 times longer
- .. until Y is reached and IP is set to blacklist