in reply to Re: Why do you have to worry about Brute Force Attacks?
in thread Why do you have to worry about Brute Force Attacks?

Be aware that attackers can use the lockout feature to cause a denial of service attack.
This is why I think it's better to make the system slow down instead of just barring access. After one unsuccessful login, make them wait a second before trying again. After two, make them wait three seconds. After another, nine seconds, and so on. This prevents brute-force attacks by making them time-prohibitive while not noticeably slowing down a legitimate user who can't remember which of his three passwords he used for your service.

Take a look at Tie::Scalar::Decay for an easy way of implementing it. I suggest putting Tie::Scalar::Decay values into a hash which is keyed by the IP address from which the login attempts are coming, and the username they're trying to authenticate as.

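The tripling-delay scheme described in the reply above, as an added example that is not the poster's code and does not use Tie::Scalar::Decay: it re-implements a decaying failure counter in plain Python, keyed by (client IP, username) so that failures from one address do not delay the same user at another address. The IP addresses, usernames and timings are constructed.

```python
import time


class LoginThrottle:
    """Escalating wait after failed logins: 1 s, 3 s, 9 s, 27 s ... up to max_delay.

    The counter for a (ip, user) key is forgotten after `decay` seconds of
    quiet, so a legitimate user who walks away is not penalised forever, while
    a brute forcer hammering the same key keeps hitting longer and longer waits.
    `clock` is injectable so the behaviour can be tested without sleeping.
    """

    def __init__(self, base=1.0, factor=3.0, max_delay=300.0, decay=900.0,
                 clock=time.monotonic):
        self.base, self.factor = base, factor
        self.max_delay, self.decay, self.clock = max_delay, decay, clock
        # key -> [failure_count, next_allowed_at, last_failure_at]
        self._state = {}

    def _get(self, key):
        now = self.clock()
        st = self._state.get(key)
        if st is None or now - st[2] > self.decay:   # stale entry: start over
            st = [0, 0.0, now]
            self._state[key] = st
        return st, now

    def wait_remaining(self, ip, user):
        """Seconds the caller must still wait before an attempt is accepted."""
        st, now = self._get((ip, user))
        return max(0.0, st[1] - now)

    def record_failure(self, ip, user):
        """Register a failed attempt; returns the delay imposed before the next one."""
        st, now = self._get((ip, user))
        st[0] += 1
        delay = min(self.base * self.factor ** (st[0] - 1), self.max_delay)
        st[1], st[2] = now + delay, now
        return delay

    def record_success(self, ip, user):
        self._state.pop((ip, user), None)            # clean slate after a good login


def attempt_login(throttle, ip, user, password, verify):
    """Returns (ok, wait): ok is True on success; wait > 0 means retry after that many seconds."""
    wait = throttle.wait_remaining(ip, user)
    if wait > 0:
        return False, wait                           # reject without even checking the password
    if verify(user, password):
        throttle.record_success(ip, user)
        return True, 0.0
    return False, throttle.record_failure(ip, user)
```

Because the reject path returns before `verify` runs, a flood of attempts against one key costs the server no password hashing after the first failures, and the per-key scoping keeps one attacker from delaying a user logging in from elsewhere.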