Rob will have to pipe in with any details. I'm pretty sure the settings are not configurable, and I know there are initial throttles that back off for shorter periods of time (10 minutes or so) eventually followed by longer periods (1 hr or so) eventually going to 24+ hour chunks. The general idea is to ward off brute force attacks while allowing honest users back in. If you couple those algorithms with any form of reasonable password, you're in great shape to ward off attacks.
It is possible to use this in conjunction with fail2ban where more specific rules can be defined but in general, if you've got descent passwords, the responsive control should give you everything else you need.