You can use stick tables in haproxy if you use that to count number of logged in users to website and start denying them if there are too many.
Plone records login times so a plugin that compares how many logged in recently in order to deny a login would not be hard but I haven't seen such a plugin. It could be an additional feature to GitHub - collective/Products.LoginLockout: Prevents endless login attempts in Plone, making it more secure. if you want to add it. I recently added denying logins based on src IP range.
1 Like