I have read here and here that tracking the failed login attempts should be done on the user.
"If anyone tries to log in with the username/email
somone@example.com
X wrong times. I block somone@example.com
"
Why shouldn't I do this based on IP ? as anyone can block my users by knowing only their usernames/emails. Why shouldn't I do it like :
"If this IP tries to log in with any username/email X wrong times. I block this IP" ?