If the user can not be authenticated by any combination, logs its IP address to limit it by fail2ban
diff-Combination.diff
Here the patch I propose. It works but I never develop in Perl, so adapt it if you want !