Then the service denyhosts should be a good solution. It does not care whether the client's IP changes. It only cares when a client fails to provide a login/password after 4 or so attempts. It then adds the offending client's IP to hosts.deny for a month. If the client correctly logs in, using fewer than 4 tries, then there is no issue.
I use it with my SSH server at home. I can access the server from any Wi-Fi access point using my laptop, which is a DHCP client.
All the brute-force password cracker attempts on my SSH server have their IP locked out for a month after 4 tries. Typically I see about 2 crackers a day get added to hosts.deny.
Denyhosts is readily available through many distro package managers.
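
Added example, not part of the original post and not DenyHosts' own code: a simplified Python sketch of the behaviour described above, counting failed SSH logins per source IP and emitting a hosts.deny entry once the threshold is reached. The log lines are constructed, and the 30-day block, the reset of the counter on a successful login and the function names are assumptions of this sketch.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 4                   # failed logins before an IP is blocked (per the post)
BLOCK_FOR = timedelta(days=30)  # "a month", taken here as 30 days (assumption)

# Constructed sshd syslog lines; addresses are from documentation ranges.
SAMPLE_LOG = """\
Mar  3 10:00:01 home sshd[101]: Failed password for root from 203.0.113.7 port 4001 ssh2
Mar  3 10:00:02 home sshd[102]: Failed password for invalid user admin from 203.0.113.7 port 4002 ssh2
Mar  3 10:00:03 home sshd[103]: Failed password for root from 203.0.113.7 port 4003 ssh2
Mar  3 10:00:04 home sshd[104]: Failed password for root from 203.0.113.7 port 4004 ssh2
Mar  3 11:15:00 home sshd[110]: Failed password for alice from 198.51.100.20 port 5001 ssh2
Mar  3 11:15:09 home sshd[111]: Failed password for alice from 198.51.100.20 port 5002 ssh2
Mar  3 11:15:20 home sshd[112]: Accepted password for alice from 198.51.100.20 port 5003 ssh2
Mar  4 08:30:00 home sshd[120]: Failed password for alice from 198.51.100.20 port 5100 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for \S+ from (\S+) port")

def scan(log_text, year=2024):
    """Return ({ip: block_expiry}, {ip: current_failure_count})."""
    failures, blocked = defaultdict(int), {}
    for line in log_text.splitlines():
        # Syslog stamps carry no year; normalise the padded day before parsing.
        stamp = " ".join(line[:15].split())
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if (m := ACCEPTED.search(line)):
            failures.pop(m.group(1), None)       # good login clears the count
        elif (m := FAILED.search(line)):
            ip = m.group(1)
            failures[ip] += 1
            if failures[ip] >= THRESHOLD:
                blocked[ip] = when + BLOCK_FOR   # keyed on source IP only
    return blocked, dict(failures)

def hosts_deny_lines(blocked, now):
    """Render unexpired blocks in TCP-wrappers hosts.deny syntax."""
    return [f"sshd: {ip}" for ip, until in sorted(blocked.items()) if until > now]

if __name__ == "__main__":
    blocked, counts = scan(SAMPLE_LOG)
    print(hosts_deny_lines(blocked, datetime(2024, 3, 10)))
```

The legitimate client at 198.51.100.20 mistypes twice, logs in and is never blocked, while the address with four straight failures is listed until its block expires.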