I would like to suggest that serv-u includes an option to lockout accounts after n amounts of tries, say a user tries 3 times and gets his password wrong, lock that account permanently until an admin reviews the situation. (part of PCI requirements)
I believe this can be done with the "Anti-Hammering" rules that you can set up. If you block them for 0 minutes you permanently disable the access until someone re-enables it. I think it blocks the IP address rather than the account though, possibly more effective in a way.
Protecting Against Brute Force Attacks
