IDS Blocks different by Country
Idea shared by David Sovereen - 3/10/2022 at 1:42 PM
When I look at our IDS blocks, the vast majority of them are on IPs identified as being from foreign countries.  I'd like to set our block thresholds lower and have the blocks last longer for foreign IPs than for domestic IPs, but there isn't a way to do that right now.  If I lower our block thresholds any more than they are, we begin blocking legit customers... typically offices with multiple employees behind a single IP.  Since we have no known legit traffic outside the U.S., yet our server is constantly being bombarded from IPs identified as being from elsewhere, it would seem that blocking those IPs after fewer attempts and for longer periods of time would be a good preventative measure against brute force password cracking.
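A sketch of the tiered policy proposed above, as an added example that is not part of the original post and not the product's own code: a sliding-window failed-login counter that picks its threshold and block duration from the source IP's country. The policy numbers, the `GEO` lookup table (a stand-in for a GeoIP database) and the sample events are constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    max_failures: int  # failures inside the window that trigger a block
    window_s: int      # sliding window length, seconds
    block_s: int       # block duration, seconds

# Assumed values for illustration only.
DOMESTIC = Policy(max_failures=10, window_s=300, block_s=900)
FOREIGN = Policy(max_failures=3, window_s=300, block_s=86400)
HOME_COUNTRY = "US"

# Constructed stand-in for a GeoIP lookup (documentation address ranges).
GEO = {"198.51.100.7": "US", "203.0.113.9": "BR"}

# Constructed failed-login events (timestamp_s, ip): a shared office IP with
# six scattered failures, and a foreign IP with four rapid ones.
SAMPLE = [(0, "203.0.113.9"), (10, "198.51.100.7"), (20, "203.0.113.9"),
          (40, "203.0.113.9"), (50, "198.51.100.7"), (60, "203.0.113.9"),
          (90, "198.51.100.7"), (120, "198.51.100.7"),
          (150, "198.51.100.7"), (200, "198.51.100.7")]

def policy_for(ip):
    # Assumption: an IP with unknown origin gets the stricter policy.
    return DOMESTIC if GEO.get(ip) == HOME_COUNTRY else FOREIGN

def evaluate(events):
    """events: time-ordered (timestamp_s, ip) failed logins.
    Returns {ip: (blocked_at, blocked_until)} with the latest block per IP."""
    recent = defaultdict(deque)
    blocks = {}
    for ts, ip in events:
        if ip in blocks and ts < blocks[ip][1]:
            continue  # still blocked: the attempt never reaches the login check
        pol = policy_for(ip)
        q = recent[ip]
        q.append(ts)
        while q and q[0] <= ts - pol.window_s:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= pol.max_failures:
            blocks[ip] = (ts, ts + pol.block_s)
            q.clear()
    return blocks
```

On the sample events the foreign IP is blocked for a day on its third failure, while the office IP's six failures stay under the domestic threshold.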

