If we want users to use strong passwords, we can use pam_cracklib to only allow passwords of a certain strength.
https://wiki.archlinux.org/index.php/Security#Enforcing_strong_passwords_using_pam_cracklib
We can also add a delay after a failed login attempt by using:
auth optional pam_faildelay.so delay=4000000
This will add a delay of 4000000 microseconds for every failed login.
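As an added example (not part of the original post), this shell script checks a PAM service file for the two settings mentioned above: a pam_cracklib.so line in the password stack and a pam_faildelay.so delay in the auth stack. The function names and sample file contents are constructed for illustration; on a real system the input would be a file under /etc/pam.d/.

```shell
# Added example: audit a PAM service file for pam_cracklib and pam_faildelay.
# Function names and sample data are constructed, not from the original page.

# Print the delay= value (microseconds) of each active auth pam_faildelay.so line.
pam_faildelay_usec() {
    awk '
        { sub(/#.*/, "") }                      # ignore comments
        $1 ~ /^-?auth$/ && /pam_faildelay\.so/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^delay=[0-9]+$/) { split($i, kv, "="); print kv[2] }
        }' "$1"
}

# Succeed only if an active password-stack line loads pam_cracklib.so.
pam_has_cracklib() {
    awk '
        { sub(/#.*/, "") }
        $1 ~ /^-?password$/ && /pam_cracklib\.so/ { found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# Report both controls; return non-zero if either one is missing.
audit_pam() {
    status=0
    pam_has_cracklib "$1" && echo "OK   pam_cracklib in password stack" || { echo "MISS pam_cracklib"; status=1; }
    usec=$(pam_faildelay_usec "$1" | head -n 1)
    [ -n "$usec" ] && echo "OK   pam_faildelay delay=${usec}us ($((usec / 1000000))s)" || { echo "MISS pam_faildelay"; status=1; }
    return $status
}

# Constructed sample inputs (not taken from a real system).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/hardened" <<'EOF'
auth      optional  pam_faildelay.so delay=4000000
auth      required  pam_unix.so
password  required  pam_cracklib.so retry=2 minlen=10 difok=6
password  required  pam_unix.so use_authtok sha512 shadow
EOF
cat > "$SAMPLE_DIR/weak" <<'EOF'
#auth     optional  pam_faildelay.so delay=4000000
auth      required  pam_unix.so
password  required  pam_unix.so sha512 shadow
EOF
audit_pam "$SAMPLE_DIR/hardened"
audit_pam "$SAMPLE_DIR/weak" || true
```

The commented-out line in the second sample is deliberately ignored, since PAM does not act on it either.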
I don’t see how it wouldn’t be. Unless the password is like a single character, I doubt the brute force would be finished within 5 attempts.