We have rate limiting for login attempts on the web interface. We
should extend this to the xmlrpc and rest endpoints. The API endpoints
are another mechanism for passowrd guessing attacks.

We do have rest rate limiting, but that's to prevent misbehaving
clients with valid credentials from using excessive resource.

This ticket is for limiting connections with invalid credentials.