As of KCM version 2.9.6, KCM can be configured to limit a user's ability to login after multiple consecutive failed login attempts. This blocks brute-force login attacks on KCM instances.
By default KCM will lock a user out of logging in for 5 minutes after 5 failed attempts
Use the following properties to change the login attempt settings
ban-max-invalid-attempts
The number of invalid attempts before a user is locked out
ban-address-duration
The amount of time in seconds a user is locked out for after hitting the invalid attempts limit
ban-max-addresses
The number of addresses that KCM will track to check for invalid attempts. Defaults to 10485760