proxy defense
photohudson
01-28-2004, 11:40 AM
check out http://www.networkengineer.biz/ExecutiveADS/index.htm
and get the free Perl software HTTPD::ADS
Defend against attacks coming through open proxies and all brute force password attacks.
raymor
01-28-2004, 07:59 PM
That's an interesting link.
Too bad it's not at all usable for an adult site as-is.
Problems:
It just tries to detect open proxies.
While many attackers may use open proxies,
the very page you linked to admits that MOST
attackers don't use open proxies.
It's much more effective to detect the attack itself.
Performance would need an increase of about
2000% to be usable on a typical porn site.
You must install it as root, so most of us couldn't
use it even if we wanted to.
It does not even attempt to deal with most of the problems
that even crappy old services like PennyWize do,
so you'd still need Strongbox or something similar to
deal with those issues. Once you have Strongbox
on there to deal with password sites, all of your worries
about brute force attacks and all are gone,
so there is nothing to be gained from the
software you mentioned.
Strongbox, on the other hand, actually detects the problems
of brute force attack and password sharing directly,
rather than on the basis that some such attacks come through proxies.
Strongbox does not require your server administrator to
install it. In fact, I'll install it for you on any shared hosting account.
Strongbox is comprehensive, taking care of all of these related issues
so you don't have to have various pieces of software
watching out for different "signs" that there might be an attack.
Strongbox is scalable to the level of traffic that only porn sites
can produce. At a site using 5,000 GB/month, Strongbox will
use less than 1% of the CPU time available.
photohudson
01-29-2004, 12:40 AM
No, actually it detects ALL brute force password attacks as-is.
It just waits longer to declare a bad guy when it's not an open proxy (3 tries is suspicious, check for open proxy; otherwise let 'em have 10 tries... these numbers are configurable on a per-install basis).
As for the rootly powers *shrug*. It's not really something individual webmasters are supposed to put up. It's something the system admin puts up.
Compare the result of .htaccess entry vs. blackhole route
(and this is a very simple approach; it's obviously preferable
to put up actual Cisco access lists on a router, or at least iptables/ipchains on the server, but reject routes are portable and iptables is not... and what if you have a Nortel router).
.htaccess: the webserver receives the request and processes it.
The TCP connection is fully open -- using resources -- and the webserver has to parse the request and go through all that processing to decide that no, actually this is not permitted, and uses network bandwidth to send back the 403 Forbidden.
Put it at the network layer and now TCP can't fully open the connection. Nothing ever hits the webserver software itself.
The OS uses fewer resources.
Yeah, there's room for more features and so on. No question.
He had to start SOMEWHERE. He's off writing up his results for publication and will return to feature development afterwards
(so he gets more results and can write another paper of course).
Best to discuss this with him directly via the email in the presentation.
Oh yeah, performance -- that's been improved but not released yet... RSN... it's on MY system 'cause that's where he tests it
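
Added example, not part of the thread and not HTTPD::ADS code: a Python sketch of the two-tier policy described in the last post (3 failures triggers an open-proxy check, otherwise 10 failures), ending in network-layer blackhole routes instead of .htaccess entries. The log lines, the addresses, the proxy list and the choice of HTTP 401 as the failure signal are constructed assumptions.

```python
import re
from collections import Counter

# Thresholds quoted in the thread; treating "reaching the count" as the
# trigger is an interpretation of the post, not documented tool behaviour.
SUSPICIOUS_TRIES = 3   # at this many failures, ask whether the source is an open proxy
MAX_TRIES = 10         # sources that are not open proxies get this many failures

# Common Log Format: client IP first, status code right after the quoted request.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) ')

def failed_logins(lines):
    """Count HTTP 401 responses per client IP; unparseable lines are skipped."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group(2) == "401":
            counts[m.group(1)] += 1
    return counts

def sources_to_block(counts, is_open_proxy):
    """Apply the two-tier policy. is_open_proxy is a caller-supplied check (assumption)."""
    return [ip for ip, n in sorted(counts.items())
            if n >= MAX_TRIES or (n >= SUSPICIOUS_TRIES and is_open_proxy(ip))]

def blackhole_commands(ips):
    """Linux iproute2 form of a blackhole route; returned for review, never executed here."""
    return [f"ip route add blackhole {ip}/32" for ip in ips]

def sample_line(ip, status):
    return f'{ip} - - [28/Jan/2004:11:40:00 -0500] "GET /members/ HTTP/1.0" {status} 401'

# Constructed sample log using documentation-range addresses (RFC 5737).
SAMPLE_LOG = (
    [sample_line("192.0.2.10", 401)] * 3      # 3 failures from an open proxy -> block
    + [sample_line("198.51.100.7", 401)] * 4  # 4 failures, not a proxy -> under 10, keep
    + [sample_line("203.0.113.5", 401)] * 10  # 10 failures, not a proxy -> block
    + [sample_line("198.51.100.7", 200)]      # successful request, not counted
)
KNOWN_OPEN_PROXIES = {"192.0.2.10"}           # constructed stand-in for a real proxy probe

if __name__ == "__main__":
    counts = failed_logins(SAMPLE_LOG)
    blocked = sources_to_block(counts, KNOWN_OPEN_PROXIES.__contains__)
    print("\n".join(blackhole_commands(blocked)))
```

Adding the routes needs root, which is the deployment constraint both posters raise.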