First off, i'm not making things up. I have built web services and seen many configuration options. You seem to be tackling on minor details now on things you could have thought of solutions yourself too.
What does bots password guessing have to do with humans?
Ban IP for 10 hours or ban user, that's minor details. ISP's dynamic IPs usually change at frequency of once per 24 hours, but may vary alot. I used to have same IP for many weeks. Getting 1 user a "access denied" for preventing 1 hacker would be perfectly acceptable trade any day. User can request his password to his email if its lost, no system will let you attempt it more than 10 times, normally just 5.
It doesn't have to be an automatic shutdown. Or don't pull the plug and let system get hacked with all user database stolen, yay! I'd rather stop the system, call the police and see what they can do about the ongoing attack. Doublecheck security settings, maybe change admin passwords and if all ok, restart.
I would consider it an additional layer of security that makes hackers job even harder than if there was no whitelist. Coming at the cost of less admin access though, but still worth it.
Bookmarks