Mitigate brute force attacks on login page

[eluser]CroNiX[/eluser]
People get 3 tries on passwords on my servers and then they get locked out by the firewall for 20 minutes for the first offense and then 24 hours for the second if it occurs within a 24 hour period. I use scripts that constantly monitor the php and apache error logs (and other logs) for bad login attempts and other risky activity. It's much better to block at the firewall level rather than the script level as they won't even be able to get to the script (or anything else on the server) after being blocked by the firewall. If you block at the script level I can just hit you over and over with multiple attempts and still be able to slow your app/server down with processing the requests, even if they ultimately get rejected.