Is there anyway to lock an IP address when Secure Sockets Layer (SSL)login has been wrongly entered for a certain times?
No. There's no way built into IIS. There are a couple of alternatives that may meet your needs.
The simplest is to have Web users authenticate to NT4 or Windows 2000 user accounts, and enable password lockouts. After x number of unsuccessful authentication attempts, the password will be locked out. This solution doesn't block a user's IP address, however, so it doesn't completely meet your needs.
It's also possible to create an ISAPI filter that intercepts incoming HTTP requests and counts the number of times requests from a given IP address include authentication information. If a specific address is attempting a brute-force attack, this ISAPI filter could manipulate the IIS metabase and institute Source-IP Filtering for that address. This meets your needs, but you'll have to do some coding.
This was first published in February 2001