Authentication events such as logging in are ultimately handled by PAM, the Linux Pluggable Authentication Modules project. PAM is very flexible and different Linux distributions will ship with different PAM configurations.
The Arch documentation describes how PAM is set up for Arch. In 2020, Arch switched to using the
pam_faillock.so module to handle counting authentication failures (the previously-used module,
pam_tally2.so, is deprecated). The man page for
pam_faillock describes how it is to be configured, including a config file that lives by default at
Users of other Linux distributions may not be using
pam_faillock.so, but they are almost certainly using PAM. Consult the
/etc/pam.d directory (or
/etc/pam.conf file) to determine what modules are in effect for the service you're investigating, and then consult their man pages to determine how to configure them.