I’ve better documented existing defenses just now. Please have a look here:
Which attack scenarios / threat models remain in which cracking a Linux user account password could still be attempted? Which compromised Linux user account could try to brute-force the password of which other Linux user account?
Once we have an answer to that, we can add more defenses and/or consider pam-cracklib.