The article fail to cover the standard pam module pam_tally. It locks for
some time an account being attacked and is very simple to configure. In my
debian server I put
account required pam_tally.so
auth required pam_tally.so deny=5 unlock_time=300
That will lock an account being attacked for 300 seconds if password
failed 5 times. It is effective for all services using pam authentication,
like imap and authenticated smtp. Just warn users that they will have to
expect 5 minutes if they fail to log in for 5 times.
Also, with any brute force attack counter measures, in a multi user system
one must be sure that passwors are strong (if some user chooses as the
password its own username, chances are that the account will be cracked in
a single try). One cannot rely on advising people to be responsible.
Therefore, password cracking tools like john the ripper are very useful.
That should be covered in the article too.