First, rate-limit the login page per IP. Use an invisible captcha system on the login page. Then you should put login limits per IP, but you should also put login limits per user as a last resort to stop botnets from brute-forcing from multiple IPs. Send an e-mail to the user if an attempt to brute-force their password is detected. Don't send hordes of repeated e-mails if someone tries from a bunch of different IPs. A botnet could do some serious spamming otherwise, and worse, cause an important message to end up in the spam folder. Be sure to mention that they might want to change their password, and/or upgrade its strength.
If you put IP login limits on, make the limits high. A lot of places use three strikes and you're out. That's nuts and user-unfriendly. It should be at least ten or more realistically, and when you hit it, you should get a time-based ban rather than a "Call customer support" ban. No one is going to brute force a password in ten tries. So I recommend a per-IP login limit of 10 and a per-user login limit of between 1,000 and 10,000 (high enough to frustrate denial-of-service attacks, but low enough that a botnet is unlikely to have cracked the password yet). You should have some form of alert to the sysadmin/on-call pager that there's a botnet at work that triggers long before you hit that threshold though. (Keep a count of failed logins for all users and individual users, do a rolling average, and alert if it crosses either threshold. Remember that if someone has a sufficiently large user list, the probability of succeeding for at least one account across the entire user base is roughly the same as the probability of succeeding by attacking just one account.)
Block obvious attackers at the firewall. Expire the bans after a while. Be sure to make it so that customer support can unban someone, but make sure the ban is somehow linked to the offense. You shouldn't be unbanning someone who's attempted to break twenty different user logins or something. Use judgement here, of course, because script kiddies with not-at-fault family members, and grandmas who have been taken over by botnets, can certainly manage to get themselves IP-banned.
If you actually have time to do all that, you'll have a first-rate login form. I doubt you need that much.
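The throttling scheme the answer describes, as an added example that is not part of the original post: sliding-window failure counts per IP and per user, a time-based IP ban recorded together with the accounts it targeted (so support can see the offense before unbanning), a per-user lockout as the last resort against a distributed botnet, a single warning e-mail per cooldown period rather than one per attacking IP, and a site-wide failure-rate alert for on-call that fires long before any per-user limit trips. The limits of 10 per IP and 1,000 per user are the post's numbers; the 15-minute window, ban and lockout durations, the `notify_after` and `global_alert` thresholds, the `max_targets` unban policy and all class and method names are assumptions chosen for illustration. Times are plain seconds supplied by the caller so the logic runs offline.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window failed-login limits per IP and per user.

    Example code, not the original post's. Limits default to the post's
    numbers (10 per IP, 1,000 per user); window, ban/lockout durations,
    notify_after, global_alert and max_targets are assumed values.
    """

    def __init__(self, per_ip_limit=10, per_user_limit=1000, window=900,
                 ip_ban_seconds=900, user_lock_seconds=3600,
                 notify_after=20, notify_cooldown=86400, global_alert=200):
        self.per_ip_limit, self.per_user_limit = per_ip_limit, per_user_limit
        self.window, self.ip_ban_seconds = window, ip_ban_seconds
        self.user_lock_seconds = user_lock_seconds
        self.notify_after, self.notify_cooldown = notify_after, notify_cooldown
        self.global_alert = global_alert
        self.ip_failures = defaultdict(deque)    # ip   -> deque of (ts, user)
        self.user_failures = defaultdict(deque)  # user -> deque of (ts, ip)
        self.all_failures = deque()              # (ts, None) for every failure
        self.ip_bans = {}        # ip -> {"until": ts, "targets": set, "count": n}
        self.user_locks = {}     # user -> unlock time
        self.last_notified = {}  # user -> ts of last warning e-mail
        self.last_alert = None   # ts of last on-call alert

    @staticmethod
    def _prune(dq, cutoff):
        """Drop entries older than the sliding window (deque is time-ordered)."""
        while dq and dq[0][0] < cutoff:
            dq.popleft()

    def check(self, ip, user, now):
        """Call before verifying the password. Returns (allowed, reason)."""
        ban = self.ip_bans.get(ip)
        if ban and ban["until"] > now:
            return False, "ip_banned"
        if ban:
            del self.ip_bans[ip]             # time-based ban has expired
        if self.user_locks.get(user, 0) > now:
            return False, "user_locked"
        return True, None

    def record_failure(self, ip, user, now):
        """Record a wrong password and return the side effects to carry out."""
        cutoff, events = now - self.window, []
        ip_dq, user_dq = self.ip_failures[ip], self.user_failures[user]
        for dq, item in ((ip_dq, user), (user_dq, ip), (self.all_failures, None)):
            self._prune(dq, cutoff)
            dq.append((now, item))
        # Per-IP limit: a short time-based ban, recorded with the accounts it hit
        # so that support can judge the offense before lifting it.
        if len(ip_dq) >= self.per_ip_limit:
            self.ip_bans[ip] = {"until": now + self.ip_ban_seconds,
                                "targets": {u for _, u in ip_dq},
                                "count": len(ip_dq)}
            events.append(("ban_ip", ip))
        # Per-user limit: last resort against a botnet spread over many IPs.
        if len(user_dq) >= self.per_user_limit:
            self.user_locks[user] = now + self.user_lock_seconds
            events.append(("lock_user", user))
        # Warn the user once per cooldown, not once per attacking IP; include
        # the number of distinct source IPs seen so the mail can say "botnet".
        last = self.last_notified.get(user)
        if len(user_dq) >= self.notify_after and (
                last is None or now - last >= self.notify_cooldown):
            self.last_notified[user] = now
            events.append(("email_user", user, len({i for _, i in user_dq})))
        # Site-wide failure rate over the window: page on-call long before any
        # per-user limit trips (a spray over many accounts never trips it).
        if len(self.all_failures) >= self.global_alert and (
                self.last_alert is None or now - self.last_alert >= self.window):
            self.last_alert = now
            events.append(("alert_oncall", len(self.all_failures)))
        return events

    def record_success(self, user):
        """A correct password clears that account's failure history and lock."""
        self.user_failures.pop(user, None)
        self.user_locks.pop(user, None)

    def unban_ip(self, ip, max_targets=3):
        """Support unban, refused when the ban covered more than max_targets
        accounts. Returns (unbanned, ban_record) so the agent sees the offense."""
        ban = self.ip_bans.get(ip)
        if ban is None:
            return True, None
        if len(ban["targets"]) > max_targets:
            return False, ban
        del self.ip_bans[ip]
        return True, ban
```

Wire `check` in before the password comparison and `record_failure`/`record_success` after it; the returned events are what the caller hands to the firewall, the mailer and the pager, which keeps the throttle itself free of I/O and easy to test. The per-IP ban is deliberately short and automatic, in the spirit of the answer's "time-based ban rather than a call-customer-support ban".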