Is there a way I can set a limit to the amount of incorrect login attempts made before a user is suspended?
Instead, if you look at Administration > Security > Notifications, you will see there is the option to have Moodle email you whenever there are a lot of failed login attempts.
But if I am notified by email that there are several failed logins, what should I do to prevent someone trying to login to my admin account? Or any user account?
I know I'm a year late, but I thought I'd reply to this.
If your policy was "after x login attempts for user y, lock out user y", then yes, that could be used to maliciously lock out users.
But another policy is "after x login attempts from IP address y, lock out IP address y". This way, all that's being blocked is connections from the malicious IP address, rather than a specific username. This is the approach a lot of big applications use, such as WordPress.com. Of course, users could get another IP address through something like TOR, but doing this still makes brute forcing password attempts painfully slow.
The only thing you have to watch is proxy servers, which, as we know, are widespread in education. If not properly configured, Apache (and, by extension, Moodle) could see every connection as coming from your proxy server's IP address. If there were a few incorrect logins coming from anywhere in your campus (which, knowing students, is likely), you could block access to Moodle from anywhere in your campus.
Since we're a big college and we use LDAP for logins, I'm going to be looking for a solution to this problem, probably using Apache/PHP logs and fail2ban.
Tim has outlined the options within the Moodle admin interface. At a server level, you could always install and configure a firewall and login failure daemon - this will detect suspicious activity (such as repeated and rapid failed login attempts that may represent a brute force attack) and subsequently block said IP address. This might be overkill because if many users route to the internet via the same IP, they all get blocked from accessing Moodle. Naturally, you can add trusted IP addresses to a whitelist so they never get blocked.
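As an added illustration (not code from this thread, from Moodle, or from fail2ban) of the per-IP lockout policy described two posts up, together with the proxy caveat from that reply and the whitelist mentioned in the post above: a small sliding-window limiter that only honours X-Forwarded-For when the connection itself arrived from a trusted proxy, so the lockout is applied to the real client rather than to the whole campus proxy. The class name, constants and CIDR ranges are assumptions chosen for the example.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

WINDOW_SECONDS = 600    # count failures seen in the last 10 minutes
MAX_FAILURES = 5        # lock the source once it reaches this many in the window
LOCKOUT_SECONDS = 900   # how long a locked source stays blocked


class IpLoginLimiter:
    """Per-source-IP failed-login limiter (assumed design, not Moodle's own)."""

    def __init__(self, trusted_proxies=(), whitelist=()):
        self.trusted_proxies = [ip_network(p) for p in trusted_proxies]
        self.whitelist = [ip_network(w) for w in whitelist]
        self.failures = defaultdict(deque)  # source ip -> timestamps of failures
        self.locked_until = {}              # source ip -> unix time lock expires

    def client_ip(self, remote_addr, x_forwarded_for=None):
        """Resolve the address to rate-limit.

        X-Forwarded-For is only trusted when the TCP peer is one of our own
        proxies; otherwise the header is client-supplied and would let a
        caller pick which address gets locked. With a single trusted hop the
        rightmost entry is the one our proxy appended, so that is used rather
        than the forgeable leftmost one."""
        if x_forwarded_for and any(ip_address(remote_addr) in n
                                   for n in self.trusted_proxies):
            return x_forwarded_for.split(",")[-1].strip()
        return remote_addr

    def is_locked(self, ip, now):
        return self.locked_until.get(ip, 0) > now

    def record_failure(self, ip, now):
        """Record one failed login at time `now`; True if the source is now locked."""
        if any(ip_address(ip) in n for n in self.whitelist):
            return False                      # trusted sources are never locked
        window = self.failures[ip]
        window.append(now)
        while window and window[0] <= now - WINDOW_SECONDS:
            window.popleft()                  # drop failures outside the window
        if len(window) >= MAX_FAILURES:
            self.locked_until[ip] = now + LOCKOUT_SECONDS
            window.clear()
            return True
        return False
```

Successful logins are not counted, and the lock applies only to the source address, so a user who is locked out from one place can still sign in from another, which is the property the reply above was after.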
We authenticate back to Active Directory. Password and failed logon attempts are treated the same as failed attempts to log onto a computer. 5 incorrect passwords and the account is locked for a pre-determined period of time.