Thanks olivierlambert & julien-f for your responses
In a test we're not able to confirm the 2-second-rule against BF-Attacks.
Anyway, for us the goal would be to manage/control the failed attempts
with our familiar fail2ban-environment.
Is there a way to fit wrong login-attempts with a different http-status?
Best regards
nullpunktnull