Hello there,
has anybody tried out a tool like fail2ban for blocking off brute-force attacks? I found the gist JupyterHub PAM Authentication Fail2ban Configuration · GitHub which from its expressions sounds promising. However, I haven’t tried it out myself. I would be more than happy with a behavior which is common in many OS: The first 3 attempts work without any delay and after that, people are blocked from logging in for longer and longer time periods. I guess an IP-based approach is the most feasible way to identify users.
Best wishes