Another enhancement would be to have named ACL instances (like there are for plugins) so that you can have an instance that is the permitted range for staff, one that is the permitted range for the client portal, one that is for disabled.
That way you could have named instances for
- Internal staff,
- Homeworking staff,
- Client A,
- Client B ..
- Client X,
- disabled addresses
- etc
that you can enable and disable as required without having to edit a single list so when client X leaves you can easily see how to block their access.
On the subject of ACL you could also add geo-ip limiting to quickly block access from other countries/ only permit access from a list of countries. Its not 100% protection but it may go a long way to minimising.
Failed attempts should be recorded in a log somewhere for review.
One for the feature requests list...:-)