If you can't wait to get started using the plugin:
The Brute Force Stop (bfstop) plugin monitors each failed login attempt, and logs it to the database. If the number of failed login attempts exceeds an amount given in the configuration, the plugin will prevent any further access to Joomla! from this IP address - meaning the assumed attacker can not try to login anymore; he will be blocked from accessing your whole Joomla! installation, he only sees a (configurable) message that he has exceeded the number of allowed login attempts, and is therefore banned. The ban can be configured to be either permanent or to last a specified time. In addition, the plugin can notify about the remaining login attempts (before blocking the IP addresses), and can add a delay after each failed login. It can also send out notifications for each or a limited number of failed login attempts per day.