Open areynold opened 11 years ago
Partial fix for SSH: https://forum.openwrt.org/viewtopic.php?id=44479
What is a good limit for # of authentication attempts before lockout? And how long should the user be locked out? In #116, the limit is set to 4 attempts and a 180 second lockout. Is that reasonable?
Authentication attempts made against /cgi-bin/luci/admin/ and ssh are not logged or limited in any way. An attacker can brute force passwords without any limitations or outward indications to a device administrator.
Lock out authentications after a number of failed attempts. Log failed attempts and present recent failures to the device administrator upon successful authentication.
Originally reported as iSEC-COMMO13-8
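The recommended behaviour (lock out after repeated failures, log each failure, show the log to the administrator on the next successful login) can be modelled as follows. This is an added example, not code from the project or from #116; it is a Python model rather than LuCI code, the class and parameter names are hypothetical, keying on a `source` string (client address or account name) is an assumption, and the 4-attempt / 180-second values are the ones quoted in the thread.

```python
import time
from collections import defaultdict

MAX_FAILURES = 4       # limit quoted in the thread from #116
LOCKOUT_SECONDS = 180  # lockout duration quoted in the thread from #116


class LoginThrottle:
    """Per-source failed-login counter with lockout and a failure log."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                 # injectable so tests can fake time
        self.failures = defaultdict(int)   # source -> consecutive failures
        self.locked_until = {}             # source -> unlock timestamp
        self.log = []                      # (timestamp, source, reason)

    def is_locked(self, source):
        until = self.locked_until.get(source)
        if until is not None and self.clock() >= until:
            # Lockout expired: forget it and start counting afresh.
            del self.locked_until[source]
            self.failures[source] = 0
            return False
        return until is not None

    def attempt(self, source, password_ok):
        """Return (allowed, failures_to_show_admin)."""
        now = self.clock()
        if self.is_locked(source):
            # Reject regardless of password_ok, so a correct guess made
            # during the lockout gains the guesser nothing.
            self.log.append((now, source, "rejected: locked out"))
            return False, []
        if not password_ok:
            self.failures[source] += 1
            self.log.append((now, source, "failed password"))
            if self.failures[source] >= MAX_FAILURES:
                self.locked_until[source] = now + LOCKOUT_SECONDS
            return False, []
        # Success: hand every logged failure (from any source) to the
        # administrator, then reset the log and this source's counter.
        recent, self.log = self.log, []
        self.failures[source] = 0
        return True, recent
```

Keying the lockout on the account name instead of the client address lets anyone lock the administrator out by failing four times, so the choice of key is a trade-off between brute-force resistance and availability.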