Roundup Tracker

Roundup includes some defenses against brute-force authentication attacks. Other defenses can be added on a per-tracker basis to the html interface.

Brute-Force Attack

Roundup limits login attempts to 4 per minute by default.

If this is insufficient, the 1 minute period can be lengthened. Using the interfaces.py method, the loginLimit for actions can be set to a longer time period, for example 30 minutes. In that case, the 4th failed login attempt locks the account for the remainder of the 30 minute period.

If this is still insufficient, additional measures such as OneTimePasswords can be added. RequireReCAPTCHAForLogin can also help slow down login rates.

The API interfaces, REST and XMLRPC, have rate limits for authentication attacks as of release 2.4.0 (July 2024). See issue 2551063 for the rate limit implementation for API authentication methods. Note that the rate limiter for REST and XMLRPC is shared: if the limit is set to 4 failures in one minute, those 4 attempts can come via REST or XMLRPC in any combination before both APIs are locked out until the rate limit resets.

Credential stuffing

Implementing CheckForExposedPasswordHIBP can help prevent the use of exposed passwords.

Password Spraying

Login rate limiting doesn't help in this case, as the same simple password is tried against many different accounts, so no single account accumulates enough failures to trip the limit. The best solution is to make sure that users choose good passwords. Implementing TestPasswordComplexity can help with this.

An interesting idea is to use a device cookie to lock an account against attack while still allowing login to that account from a trusted, previously known device. An implementation of this would be welcome.
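The following is an added example, not Roundup's code and not an implementation of its loginLimit or API rate limiter. It models the behaviour described in the Brute-Force Attack section (4 failed attempts lock the account for the remainder of the period, with REST and XMLRPC drawing from one shared bucket) and sketches the device cookie idea from the paragraph above: a login carrying a validly signed device cookie for that user is counted in the device's own bucket, so a locked account remains reachable from a known device. Everything here is an assumption made for illustration: the class and function names, the fixed-window counting (a simplification of whatever real limiter is in use), keeping browser logins in a bucket separate from the API bucket, and the plaintext credential table, which stands in for a stored password hash.

```python
import hashlib
import hmac
import secrets

ATTEMPTS = 4      # failures allowed per window (the page's default of 4 per minute)
PERIOD = 60       # window length in seconds; 1800 models the 30 minute example
API_SOURCES = frozenset({"rest", "xmlrpc"})  # share one failure bucket, as the page describes


class FailureLimiter:
    """Fixed-window failure counter (assumed simplification, not Roundup's limiter).
    Once `attempts` failures land inside one window, the key stays locked until
    that window ends, i.e. for the remainder of the period."""

    def __init__(self, attempts=ATTEMPTS, period=PERIOD):
        self.attempts = attempts
        self.period = period
        self._windows = {}  # key -> (window_start, failures)

    def locked_until(self, key, now):
        """Return the time the lock expires, or None if the key is not locked."""
        start, failures = self._windows.get(key, (None, 0))
        if start is None or now >= start + self.period:
            return None  # no window open, nothing to enforce
        return start + self.period if failures >= self.attempts else None

    def record_failure(self, key, now):
        start, failures = self._windows.get(key, (None, 0))
        if start is None or now >= start + self.period:
            start, failures = now, 0  # first failure opens a fresh window
        self._windows[key] = (start, failures + 1)


class DeviceCookies:
    """HMAC-signed device cookie bound to a username. The server keeps no
    per-cookie state; the nonce only names the trusted device's own failure bucket."""

    def __init__(self, secret):
        self._secret = secret

    def _sign(self, payload):
        return hmac.new(self._secret, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, username):
        payload = f"{username}:{secrets.token_hex(8)}"
        return f"{payload}:{self._sign(payload)}"

    def nonce_for(self, cookie, username):
        """Return the cookie's nonce if it is validly signed for this user, else None."""
        try:
            user, nonce, sig = cookie.rsplit(":", 2)
        except ValueError:
            return None
        if user != username or not hmac.compare_digest(sig, self._sign(f"{user}:{nonce}")):
            return None
        return nonce


class LoginService:
    """Ties the pieces together. `credentials` maps username -> password and is a
    constructed stand-in; a real tracker verifies a stored password hash."""

    def __init__(self, credentials, attempts=ATTEMPTS, period=PERIOD, secret=None):
        self.credentials = credentials
        self.limiter = FailureLimiter(attempts, period)
        self.cookies = DeviceCookies(secret or secrets.token_bytes(32))

    def _bucket(self, username, source, device_cookie):
        nonce = self.cookies.nonce_for(device_cookie, username) if device_cookie else None
        if nonce:
            return ("device", username, nonce)  # trusted device: its own counter
        if source in API_SOURCES:
            return ("api", username)  # REST and XMLRPC draw from one bucket
        return ("web", username)  # untrusted browser logins share the account bucket

    def login(self, username, password, now, source="web", device_cookie=None):
        """Return (status, cookie): status is 'locked', 'failed' or 'ok';
        cookie is a fresh device cookie on success, else None."""
        bucket = self._bucket(username, source, device_cookie)
        if self.limiter.locked_until(bucket, now) is not None:
            return "locked", None  # do not even check the password while locked
        if self.credentials.get(username) != password:
            self.limiter.record_failure(bucket, now)
            return "failed", None
        return "ok", self.cookies.issue(username)
```

A device cookie must be set only after a successful login and should be marked HttpOnly and Secure; its value protects nothing on its own, it merely routes the login to a different counter, so an attacker without the cookie is still held to the account-wide limit.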


CategoryAuthentication