If you have CSF installed then check these two options:

# Distributed Account Attack. This option will keep track of login failures
# from distributed IP addresses to a specific application account. If the
# number of failures matches the trigger value above, ALL of the IP addresses
# involved in the attack will be blocked according to the temp/perm rules above
LF_DISTATTACK = Default: 0 [0-1]

# Set the following to the minimum number of unique IP addresses that trigger
LF_DISTATTACK_UNIQ = Default: 2 [2-20]

Related posts:

1. How to enable awstats in cPanel
2. Junos J Series DHCP