I have a similar question/idea, which would be auto-shutdown after 3 (or
any other number) false password attempts. The idea is to add a second
(luks) password layer if any stupid attempts are made.
My idea is to hook in the screensaver mechanism. In my install that
would be /etc/pam.d/xscreeensaver were system-auth is mentioned, so I
guess, I have to include a line in /etc/pam.d/system-auth to count
wrong pwd attempts and do some action if necessary. I guess something like
account required pam_exec.so debug /path/to/wrongpasswordscript.sh
in the system-auth could do the job, but I am not sure. Manipulating
unwisely these files may end with a lock-out of my system, so I'd like
some advice if this sounds correct to you, the qubes-community.
Cheers, Bernhard