First off, I'm not making things up. I have built web services and seen many configuration options. You seem to be tackling minor details now, on things you could have thought of solutions for yourself too.

Quote Originally Posted by Lifepower:
...or, unless, that system is being used by users who are humans.
What does bots' password guessing have to do with humans?

Quote Originally Posted by Lifepower:
Sure, and prevent all legitimate users from the entire subnet from accessing the server. Banning IPs is a very bad idea, as some ISPs serving thousands of users may have only one public IP. By doing so you've just helped a successful DOS attack, which denied access to many legitimate users.
Ban the IP for 10 hours or ban the user; those are minor details. ISPs' dynamic IPs usually change at a frequency of once per 24 hours, but it may vary a lot. I used to have the same IP for many weeks. Giving 1 user an "access denied" to prevent 1 hacker would be a perfectly acceptable trade any day. The user can request his password to his email if it's lost; no system will let you attempt it more than 10 times, normally just 5.

Quote Originally Posted by Lifepower:
...and simplify DOS attacks further to this server: just access this server from multiple IPs and it will automatically shut down, how cool is that!
It doesn't have to be an automatic shutdown. Or don't pull the plug and let the system get hacked with the whole user database stolen, yay! I'd rather stop the system, call the police and see what they can do about the ongoing attack. Double-check security settings, maybe change admin passwords and, if all is OK, restart.

Quote Originally Posted by Lifepower:
I would consider such a server system highly insecure because if you rely on an IP address whitelist, you are immediately a candidate for IP spoofing.
I would consider it an additional layer of security that makes the hackers' job even harder than if there were no whitelist. It comes at the cost of less admin access, though, but is still worth it.
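A throttle that applies both policies argued about in this exchange (a short per-account lockout after a few failures, plus a longer per-IP ban only after many failures spread across accounts, so one shared NAT address is not punished for a single locked account), written as an added example for this thread and not code from either poster; the limits, windows and addresses are assumed values.

```python
"""Login throttle with per-account and per-source-IP failure counters.

Hypothetical example for this thread, not either poster's code. It shows
the trade-off debated above: a per-IP ban alone denies every user behind
a shared address, a per-account lockout alone lets an attacker lock out a
chosen user, so the two limits are kept separate. Values are assumed.
"""
from collections import defaultdict, deque

ACCOUNT_LIMIT, ACCOUNT_LOCK_SECONDS = 5, 15 * 60    # assumed: 5 tries, 15 min
IP_LIMIT, IP_LOCK_SECONDS = 50, 10 * 60 * 60        # assumed: 50 tries, 10 h ban
WINDOW_SECONDS = 15 * 60                            # sliding window for counting


class LoginThrottle:
    def __init__(self):
        self._fails = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}            # key -> unix time the lock expires

    def _prune(self, key, now):
        """Drop failures older than the window and return the live deque."""
        q = self._fails[key]
        while q and q[0] <= now - WINDOW_SECONDS:
            q.popleft()
        return q

    def check(self, account, ip, now):
        """Return 'ok', 'account_locked' or 'ip_locked' for an attempt at `now`."""
        if self._locked_until.get(("ip", ip), 0) > now:
            return "ip_locked"
        if self._locked_until.get(("acct", account), 0) > now:
            return "account_locked"
        return "ok"

    def record_failure(self, account, ip, now):
        """Count a failed login; lock the account and/or the IP once a limit is hit."""
        for key, limit, lock in (
            (("acct", account), ACCOUNT_LIMIT, ACCOUNT_LOCK_SECONDS),
            (("ip", ip), IP_LIMIT, IP_LOCK_SECONDS),
        ):
            q = self._prune(key, now)
            q.append(now)
            if len(q) >= limit:
                self._locked_until[key] = now + lock
                q.clear()

    def record_success(self, account):
        """A correct password clears that account's failure history only."""
        self._fails.pop(("acct", account), None)
```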