Can the default settings be overridden? 

I would like to change the default to 3 invalid attempts, and set a longer time for the lockout duration, 10 minutes is not really effective. 

I have gotten 437 emails for bad login attempts today, I know I am under attack. Can entire IP blocks be banned, or do black listed IP addresses need to be done 1 by 1, (way too exhaustive a procedure).
I know I can block them at the firewall, but I would like Xeams to just reject the connection......