eZ Publish / Platform: EZP-20581

Limit subsequent login attempts to protect against brute force login attacks

Description

Brute force login can be stopped by limiting how many failed login attempts you're allowed to make. Rules should ideally be configurable; many options are possible:

• Maximum X attempts per Y minutes
• Lock account after X failures, optionally enable again after Y minutes
• Lock account after X failures for Y minutes, after another X failures lock for Z minutes (larger value), can be increased further

Limiting must be enforced server-side. Logging and admin notification would also be good.
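As an added example (not eZ Publish code, and not the fix that was eventually shipped for this issue), the following Python sketch enforces the three rule shapes listed above on the server side: a sliding window of X failures per Y seconds, a lockout of configurable length once the window fills, and escalating lockout lengths (Y, then Z, and so on) bounded by a cap. Lock events are recorded so they can be logged and handed to an admin notifier. State is held in memory for clarity; a real deployment would keep it in a shared store so the limit holds across web nodes. All policy values and account names are constructed for the demonstration.

```python
"""Server-side login-attempt limiter with escalating account lockouts.

Added example for EZP-20581; not part of eZ Publish. State is kept in
memory (a real deployment would use a shared store such as a database or
cache). The policy defaults below are constructed values, not a recommendation.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List, Optional
import logging

log = logging.getLogger("login_throttle")


@dataclass
class Policy:
    max_failures: int = 5              # X: failures tolerated ...
    window_seconds: int = 600          # Y: ... within this sliding window
    base_lockout_seconds: int = 900    # first lockout length
    escalation_factor: int = 4         # each further lockout is this many times longer
    max_lockout_seconds: int = 86400   # cap so escalation stays bounded


@dataclass
class AccountState:
    failures: Deque[float] = field(default_factory=deque)  # timestamps of recent failures
    locked_until: float = 0.0
    lockouts: int = 0                  # how many times this account has been locked


class LoginThrottle:
    def __init__(self, policy: Optional[Policy] = None):
        self.policy = policy or Policy()
        self._accounts: Dict[str, AccountState] = {}
        self.events: List[str] = []    # audit trail an admin notifier could consume

    def _state(self, account: str) -> AccountState:
        return self._accounts.setdefault(account, AccountState())

    def _prune(self, st: AccountState, now: float) -> None:
        # Drop failures that have aged out of the sliding window.
        cutoff = now - self.policy.window_seconds
        while st.failures and st.failures[0] <= cutoff:
            st.failures.popleft()

    def seconds_locked(self, account: str, now: float) -> float:
        return max(0.0, self._state(account).locked_until - now)

    def is_locked(self, account: str, now: float) -> bool:
        return self.seconds_locked(account, now) > 0

    def record_failure(self, account: str, now: float) -> bool:
        """Register a failed attempt; returns True if it triggered a lockout."""
        st = self._state(account)
        if st.locked_until > now:
            # Attempts made during a lockout are refused and do not count.
            return False
        self._prune(st, now)
        st.failures.append(now)
        if len(st.failures) < self.policy.max_failures:
            return False
        # Window is full: lock, with the duration growing on each repeat lockout.
        duration = min(
            self.policy.base_lockout_seconds * self.policy.escalation_factor ** st.lockouts,
            self.policy.max_lockout_seconds,
        )
        st.lockouts += 1
        st.locked_until = now + duration
        st.failures.clear()
        msg = (f"account {account!r} locked for {duration}s after "
               f"{self.policy.max_failures} failures (lockout #{st.lockouts})")
        self.events.append(msg)
        log.warning(msg)
        return True

    def record_success(self, account: str) -> None:
        # A genuine login clears the failure window and the escalation level.
        st = self._state(account)
        st.failures.clear()
        st.lockouts = 0

    def try_login(self, account: str, password_ok: Callable[[], bool], now: float) -> str:
        """Check the lock before the credential so a locked account cannot be probed."""
        if self.is_locked(account, now):
            return "locked"
        if password_ok():
            self.record_success(account)
            return "ok"
        self.record_failure(account, now)
        return "failed"
```

The lock is checked before the password is verified, so during a lockout even a correct password is refused; this is what stops a brute-force run from continuing once the limit is hit, and the `events` list is the hook for the logging and admin notification the description asks for.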

Reporter: André Rømcke