As of Magento 1.9.3, Magento have finally added brute force protection to the downloader folder. As you may be aware, even if you have changed your default admin path, i.e. to anything other than /admin, Magento Connect is still accessible at yourdomain.com/downloader. The fix for this is to rename your downloader folder or move it out of the root folder so that it is not accessible. However, in order to use Connect you need to rename it back, and this has a tendency to be forgotten. This means that the whole of the internet can have as many guesses at your usernames and passwords as they like.
As well as renaming the downloader folder whenever we find it, we also run Fail2ban, which monitors access to this folder and blocks IP addresses that fail to log in multiple times. However, Magento have now added a similar feature into the core of Magento. There is a new file in var/ called brute-force.ini which monitors login attempts to Connect:
brute-force-bad-attempts-count = 6
brute-force-diff-time-to-attempt = 360
brute-force-attempts-count = 3
Of course the downside is that you may find yourself locked out.
If you see
Access is locked. Please try again in a few minutes
reset the counter above to
brute-force-bad-attempts-count = 0
and you should be able to log in.
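As an added example (not part of the original post and not Magento's own code), a small script that reads var/brute-force.ini in the flat key = value form quoted above, reports the previous counter, and rewrites only the brute-force-bad-attempts-count line to 0 using an atomic replace so a failed write cannot leave the file empty. The sample file contents are constructed from the values shown in the post.

```python
"""Reset the Connect lockout counter in Magento 1.9.3's var/brute-force.ini.
Assumes the file is a flat list of `key = value` lines as shown in the post."""
import os
import sys
import tempfile

RESET_KEY = "brute-force-bad-attempts-count"

# Constructed sample matching the format quoted in the post.
SAMPLE_INI = """brute-force-bad-attempts-count = 6
brute-force-diff-time-to-attempt = 360
brute-force-attempts-count = 3
"""


def parse_ini(text):
    """Parse `key = value` lines into a dict; blank lines and ';' comments are skipped."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            values[key.strip()] = value.strip()
    return values


def reset_bad_attempts(text):
    """Return the ini text with the bad-attempt counter set to 0; every other line is kept as-is."""
    out = []
    for line in text.splitlines():
        if line.partition("=")[0].strip() == RESET_KEY:
            line = f"{RESET_KEY} = 0"
        out.append(line)
    return "\n".join(out) + "\n"


def reset_file(path):
    """Rewrite the file in place through a temp file and return the counter it held before."""
    with open(path) as fh:
        text = fh.read()
    previous = int(parse_ini(text).get(RESET_KEY, "0"))
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write(reset_bad_attempts(text))
    os.replace(tmp, path)  # atomic on POSIX: the old file is never left truncated
    return previous


if __name__ == "__main__":
    ini_path = sys.argv[1] if len(sys.argv) > 1 else "var/brute-force.ini"
    print("previous bad-attempt count:", reset_file(ini_path))
```

Run it from the Magento root (or pass the path to brute-force.ini) as the web server user so file ownership is preserved.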
We still recommend you remove or rename the downloader folder for more complete security.