There is brute-force tool that targets bitcoin RPC active in the wild. See this thread
Can we get an optional low volume log file to be used to report things like failed RPC requests? Ideally the format should be simple and contain the IP address, so that it can be parsed by fail2ban or other tools. I think that these failures are already logged, but I don't think that I'd want to point fail2ban at the firehose that is debug.log.
Having RPC throttling built in would probably be safer for most people, but adding a second log file seems easier.