
Limit amount of failed login attempts per IP


    • Type: New Feature
    • Resolution: Fixed
    • Priority: Major
    • 3.0.9-RC1
    • 3.0.8
    • Login
    • None

      Currently the number of login attempts is only limited on a per-user basis. This allows an attacker to try a set of common passwords against a wide range of users, and it forces the owners of the tried accounts to enter a captcha, which is an annoyance.

      Implementation: add a new table phpbb_login_ips which maps an IP (unique) to the number of failed login attempts and also stores the time of the first attempt. Add config vars for the interval and for the number of failed logins allowed in that interval.

      Before login, check whether the current IP has exceeded the maximum number of failed logins. If it has, present a captcha. If a login fails, insert or update the row for the current IP. Since the table may grow, cron-based garbage collection should be considered.

      Note: The solution is not perfect; such attacks can be distributed across many IPs, etc. But it helps mitigate the annoyance caused by this issue.
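The following is an added illustration of the design above, not code from phpBB or from this ticket: an in-memory stand-in for the phpbb_login_ips table keyed by IP, with the interval and maximum-attempts settings as constructor arguments, the pre-login captcha check, the insert/update on failure, and a garbage-collection pass. The `now` callable, class and method names are assumptions chosen for the example.

```python
import time
from dataclasses import dataclass


@dataclass
class LoginIpRecord:
    """One row of the (hypothetical) phpbb_login_ips table."""
    attempts: int          # failed logins seen from this IP in the window
    first_attempt: float   # unix time of the first failure in the window


class IpLoginLimiter:
    """Per-IP failed-login counter; interval in seconds, max_attempts per interval."""

    def __init__(self, interval, max_attempts, now=time.time):
        self.interval = interval
        self.max_attempts = max_attempts
        self._now = now            # injectable clock so the behaviour is testable
        self._table = {}           # ip -> LoginIpRecord (stand-in for the DB table)

    def _expired(self, rec):
        return self._now() - rec.first_attempt > self.interval

    def requires_captcha(self, ip):
        """Pre-login check: True when this IP exhausted its failed attempts."""
        rec = self._table.get(ip)
        if rec is None:
            return False
        if self._expired(rec):
            del self._table[ip]    # window over: row is stale, drop it lazily
            return False
        return rec.attempts >= self.max_attempts

    def record_failure(self, ip):
        """Called after a failed login: insert a row or bump its counter."""
        rec = self._table.get(ip)
        if rec is None or self._expired(rec):
            rec = LoginIpRecord(attempts=1, first_attempt=self._now())
            self._table[ip] = rec  # insert (or restart the window)
        else:
            rec.attempts += 1      # update
        return rec.attempts

    def garbage_collect(self):
        """Cron-style sweep: delete rows whose window has passed; returns count."""
        stale = [ip for ip, rec in self._table.items() if self._expired(rec)]
        for ip in stale:
            del self._table[ip]
        return len(stale)
```

Successful logins are deliberately not handled here, since the ticket only specifies behaviour on failure; a distributed attacker spreading attempts across many IPs stays below the threshold, which is the limitation the note above acknowledges.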

            naderman Nils Adermann
            igorw Igor Wiedler
            Votes: 4
            Watchers: 2
