Recently I created a quite sensible application using symfony 1.4. As many people, I chose sfDoctrineGuardPlugin as authentication/password recovery/account managing system. But even with this piece of software, you are still vulnerable to bruteforce attacks.
I though of hacking sfDoctrineGuardPlugin's code to create some rules and attack detections. But those systems are quite tricky to create and calibrate. It must not be too aggressive nor too permissive. I wanted something that can bail out someone after $some tries in a $certain time. That implied that I would have to record every try with the current time, and calculate a ratio within which a user can login or not. I seemed simple, then it got too complicated.