Drupal - Is drupal safe against brute force login attacks?

As you can see in the code, the function user_login_final_validate registers a flood event. That means if the same IP tries a user/login password combination many times, it will be "banned" for a while.

This is one of the protections that Drupal offers. Another one, and I think if it happens to your web site you will notice it very fast, is the CSRF token that Drupal generates for each form.

This means that the attacker bot would have to generate the form, then get the token and associate it with the submitted form. That is very time consuming and will likely discourage the attacker. But first, you will see your server starting to get hotter.


In addition to the good measures that Drupal 7 implements for stopping login attempts, I would suggest installing the Spambot module, which deals specifically with new user registration attempts.

At every new user registration, that module will query the Stop Forum Spam server to see if the user attempting registration is a known bot.

You can optionally contribute to Stop Forum Spam with your website's registration attempts.


There is Flood control

This project is intended to add an administration interface for hidden flood control variables in Drupal 7, like the login attempt limiters and any future hidden variables.

The functions to define and interact with the core flood control system

The flooding system provides us with three functions:

flood_register_event($name, $window = 3600, $identifier = NULL)

Register an event for the current visitor to the flood control mechanism.

flood_clear_event($name, $identifier = NULL)

Make the flood control mechanism forget about an event for the current visitor.

flood_is_allowed($name, $threshold, $window = 3600, $identifier = NULL)

Checks whether the user is allowed to proceed with the specified event. Basically, we check if a user has access by calling flood_is_allowed. If it returns FALSE, throw an "Access Denied". Whenever a user performs the action we call flood_register_event.

By default it checks the user's IP address. But we could pass some other unique identifier like the user id.

Above copied from Playing with Drupal’s flooding system
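The pattern the quoted text describes (check with flood_is_allowed, register on failure, clear on success, with the IP as the default identifier and the user id as an alternative one) and the flood event the first answer mentions, put together in one place. This is an added example, not code from the original answers, from the Flood control module or from Drupal core: the module name "mymodule", the path, the form and event names and the numeric limits are constructed for illustration; only the Drupal 7 API functions called are real.

```php
<?php
/**
 * @file
 * Added example (not from the original answers or from Drupal core):
 * a small Drupal 7 module that throttles a custom credential form with
 * the core flood API: flood_is_allowed(), flood_register_event() and
 * flood_clear_event(). Module, path, form and event names and the
 * limits below are constructed for illustration.
 */

// Constructed limits: 50 failures per IP per hour, 5 per account per six hours.
define('MYMODULE_IP_LIMIT', 50);
define('MYMODULE_IP_WINDOW', 3600);
define('MYMODULE_ACCOUNT_LIMIT', 5);
define('MYMODULE_ACCOUNT_WINDOW', 21600);

/**
 * Implements hook_menu(): exposes the constructed form at mymodule/verify.
 */
function mymodule_menu() {
  $items['mymodule/verify'] = array(
    'title' => 'Verify account',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('mymodule_verify_form'),
    'access callback' => 'user_is_anonymous',
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Form builder: a username/password form with two ordered validate handlers.
 */
function mymodule_verify_form($form, &$form_state) {
  $form['name'] = array('#type' => 'textfield', '#title' => t('Username'), '#required' => TRUE);
  $form['pass'] = array('#type' => 'password', '#title' => t('Password'), '#required' => TRUE);
  $form['submit'] = array('#type' => 'submit', '#value' => t('Verify'));
  // The flood check runs first so a locked-out client never reaches the password check.
  $form['#validate'] = array(
    'mymodule_verify_form_flood_validate',
    'mymodule_verify_form_auth_validate',
  );
  return $form;
}

/**
 * Validate step 1: deny before touching credentials if either counter is exhausted.
 */
function mymodule_verify_form_flood_validate($form, &$form_state) {
  // Per-IP counter: no identifier passed, so the flood API keys on ip_address().
  if (!flood_is_allowed('mymodule_failed_verify_ip', MYMODULE_IP_LIMIT, MYMODULE_IP_WINDOW)) {
    form_set_error('name', t('Too many failed attempts from this IP address. Try again later.'));
    $form_state['mymodule_flood_triggered'] = TRUE;
    return;
  }
  // Per-account counter: the uid is the "other unique identifier" from the quoted text.
  $account = user_load_by_name($form_state['values']['name']);
  if ($account && !flood_is_allowed('mymodule_failed_verify_user', MYMODULE_ACCOUNT_LIMIT, MYMODULE_ACCOUNT_WINDOW, $account->uid)) {
    form_set_error('name', t('This account is temporarily locked after too many failed attempts.'));
    $form_state['mymodule_flood_triggered'] = TRUE;
  }
}

/**
 * Validate step 2: check the password; register an event on failure, clear on success.
 */
function mymodule_verify_form_auth_validate($form, &$form_state) {
  if (!empty($form_state['mymodule_flood_triggered'])) {
    // Already denied above; do not count a blocked request as another attempt.
    return;
  }
  $name = $form_state['values']['name'];
  $uid = user_authenticate($name, $form_state['values']['pass']);
  if ($uid) {
    // Success resets only the per-account counter; the IP counter just expires.
    flood_clear_event('mymodule_failed_verify_user', $uid);
    $form_state['uid'] = $uid;
    return;
  }
  // Every failure counts against the IP; against the account only if it exists.
  flood_register_event('mymodule_failed_verify_ip', MYMODULE_IP_WINDOW);
  if ($account = user_load_by_name($name)) {
    flood_register_event('mymodule_failed_verify_user', MYMODULE_ACCOUNT_WINDOW, $account->uid);
  }
  // Same generic message for unknown users and wrong passwords, so the form
  // does not reveal which usernames exist. Failures are logged for detection.
  watchdog('mymodule', 'Failed verification for %name from %ip.', array('%name' => $name, '%ip' => ip_address()), WATCHDOG_NOTICE);
  form_set_error('pass', t('Sorry, unrecognized username or password.'));
}

/**
 * Submit handler: only reached when both validate handlers passed.
 */
function mymodule_verify_form_submit($form, &$form_state) {
  drupal_set_message(t('Credentials verified.'));
}
```

Two design points worth noting: the flood check is deliberately placed before the password check, so once a client is locked out the server does no password hashing for it (the "server getting hotter" effect from the first answer), and a request that was refused by the flood check is not registered as a further failure, otherwise the lockout would extend itself. The watchdog entries are what you would later query (or ship to a SIEM) to see a brute-force attempt in progress.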
