Seeking advice for implementing a configurable login-delay option

[Mehran Hashemi]

Hi everyone.

I’m currently seeking advice to implement a login delay mechanism for 
login. This mechanism simply introduces a delay, which is configurable 
by the user, between login attempts, and helps to protect the device 
against malicious login connections such as dictionary attacks and DoS 
attacks.

I am aware of the recently added `PerSourcePenalties`, but I think this 
mechanism is more suitable for dictionary attacks rather than DoS 
attacks because the attacker can use IP spoofing to bypass this option 
and continue password guessing.

I will be happy to receive your recommendations and suggestions, whether 
this option could be useful or not, and how it would be good to be 
implemented.

Thank you in advance.