Note: This feature may not work well on a multi-site installation.
When setting up your website, you could have an Apache setting that lets your administrators access the site via port 8888 instead of 80 or 443. Then set up the firewall to block all users except those administrators from connecting on port 8888.
It should be possible to block all users except administrators from logging in as one of the administrator users.
This is particularly easy to do: put users in a group called Administrators and, if a user is part of that group, check the IP address of the user against a list of system-allowed IPs or user-specific IPs (e.g. so user A can log in from work and from home).
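The check described above, sketched as an added example (not code from the project): it also accepts CIDR ranges and IPv4-mapped IPv6 addresses, which goes beyond the plain IP list in the text. The function names, user names and addresses are assumptions made for illustration, and `client_ip` is assumed to be the TCP peer address seen by the server, not a value taken from a request header.

```python
import ipaddress

ADMIN_GROUP = "Administrators"  # group name taken from the text above

# Constructed sample data: documentation address ranges, hypothetical user name.
SYSTEM_ALLOWED = ["192.0.2.0/24"]  # applies to every administrator
USER_ALLOWED = {"user_a": ["198.51.100.7", "2001:db8:1::/48"]}  # e.g. work + home


def _normalize(ip_text):
    """Parse a client address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(ip_text.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def _in_any(ip, entries):
    """True if ip falls inside any listed address or CIDR network."""
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if net.version == ip.version and ip in net:
            return True
    return False


def admin_login_allowed(username, groups, client_ip,
                        system_allowed=SYSTEM_ALLOWED, user_allowed=USER_ALLOWED):
    """Return True if the login may proceed.

    Users outside the Administrators group are not restricted by this check.
    Administrators must connect from a system-wide or per-user allowed address.
    An address that cannot be parsed fails closed.
    """
    if ADMIN_GROUP not in groups:
        return True
    try:
        ip = _normalize(client_ip)
    except ValueError:
        return False
    return _in_any(ip, system_allowed) or _in_any(ip, user_allowed.get(username, []))
```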
Whenever a user with a given IP address accesses one of the websites in a way that guarantees that said user is a spammer, we want to be able to automatically block that IP address in the firewall. A plugin must allow the main system to add said IP address to the lowest-level firewall to stop wasting time and bandwidth.
Implementation: This is started, and IPs do get blocked here and there by snap.cgi and antihammering.