protect Linux user accounts against brute force attacks

This will be implemented next. Rationale:

  • preventing compromised user accounts (such as www-data) from brute-forcing other accounts
  • short passwords secure against “online” attacks

Please suggest pam_tally2 vs pam_tally vs other pam lockout plugins.

Please also suggest defaults. After 5 or 10 failed login attempts, lock the account forever and require the user to boot into single user / recovery mode to unlock?

Are 5 or 10 attempts not enough for any reasonable brute force? Would even a common word plus a few numbers be secure enough?
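For reference, here is what a pam_tally2 lockout along the lines asked about looks like on a Debian-style PAM stack. This is an added example, not configuration from the original post or from any project; the file layout (common-auth / common-account), the threshold of 5 and the option choices are assumptions, and the surrounding pam_unix / pam_deny / pam_permit lines are the usual Debian defaults shown only for placement.

```conf
# /etc/pam.d/common-auth  (added example; assumed Debian-style layout)
#
# pam_tally2 must run before the password module so that every failed
# authentication is counted, whatever the calling service (login, su,
# sudo, sshd via common-auth) is.
#
#   deny=5          lock the account after 5 consecutive failures (assumed value)
#   onerr=fail      if the tally file cannot be read or written, deny access
#   audit           log the user name on failed attempts, including unknown users
#   even_deny_root  also lock root; without it root is never denied
#
# No unlock_time is given, so the lock never expires on its own: it has
# to be cleared by an administrator (see the reset command below).
# To get a time-limited lock instead, add e.g. unlock_time=900 (seconds).
auth    required                    pam_tally2.so deny=5 onerr=fail audit even_deny_root
auth    [success=1 default=ignore]  pam_unix.so nullok_secure
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so

# /etc/pam.d/common-account
#
# The account phase tells pam_tally2 that authentication succeeded and
# resets the user's counter to zero.  Without this line a user who
# eventually logs in correctly keeps accumulating failures.
account required                    pam_tally2.so
account required                    pam_unix.so

# Inspect and clear the tally by hand (for example from single-user or
# recovery mode when the lock is permanent); <name> is a placeholder:
#
#   pam_tally2 --user=<name>           # show the current failure count
#   pam_tally2 --user=<name> --reset   # unlock the account
```

Two caveats a practitioner would weigh before adopting a permanent lock: the counter is shared by every PAM service that includes common-auth, so any local process that can drive an authentication attempt against another user name (the compromised www-data scenario above) can also deliberately exhaust the five attempts and lock that user out, which turns the lockout into a denial-of-service lever; a finite unlock_time bounds that. Also, newer Linux-PAM releases have dropped pam_tally2 in favour of pam_faillock, which offers the same deny / unlock_time / even_deny_root style of options, so the module name should be checked against the PAM version actually shipped.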