RFE: Authentication Lockout Controls

We have password timeouts enabled (under Webmin Configuration - Authentication), with the option to "Block hosts with more than x failed logins for y seconds." I have been a Webmin user for many years, and there are a few things that I find confusing about this feature.

First, although the option does clearly say "hosts" (not users), I must admit that I always thought this option referred to blocking users. I do see the value in blocking a host that is attempting to brute-force logins to many different accounts; however, most systems (including all Windows environments and Linux/Unix systems with pam_tally, faillog, fail_deny, etc.) lock out specific user accounts instead of hosts.

Of course, they both have advantages and disadvantages. Blocking hosts can prevent one bad host from compromising multiple user accounts. However, it can also block an entire network of legitimate users (since most client networks use NAT these days) due to one person forgetting their password. And, it doesn't help in situations where proxy servers are used with multiple IP addresses (such as AOL) or where an attacker can just switch to another IP address when the first one gets blocked (and then switch back when the block is automatically cleared).

The ideal situation is probably to block both user accounts and hosts separately. In other words, if a user account has a few password failures, just block that user. But if a host has a larger number of password failures from multiple users, then block the host.

Regardless of whether this feature applies to users or hosts, there needs to be some indication of these blocks in Webmin, and some way for an administrator to clear them. Since I thought that the user accounts were being blocked, I searched through the Webmin Users ("acl") module and the Users and Groups module, but I was unable to find any indication of the blocks. Under Webmin Users, I also checked in "Current Login Sessions" (/acl/list_sessions.cgi), thinking the failed logins may show up here. And in Users and Groups, I noticed for the particular account that the "Login temporarily disabled" flag was not checked. (I realize this is for something else, but it was the closest thing to what I was looking for.)

In short, it can be very confusing for an administrator to figure out how to assist a user who is locked out of the system. Ultimately, we just waited it out until the block was automatically cleared.
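The dual-track scheme proposed above (block a user after a few failures, block a host only after many failures spread across several accounts), together with the admin visibility and clearing asked for in the previous paragraphs, as an added Python example that is not Webmin's own code; the class name, parameter names and thresholds are hypothetical:

```python
"""Dual-track lockout: block a user after a few failures, block a host only
after many failures across multiple accounts (so one forgotten password
behind NAT does not lock out a whole office). Blocks expire after `window`
seconds; admins can list and clear live blocks. Hypothetical design."""
from collections import defaultdict, deque

class LockoutPolicy:
    def __init__(self, user_max=5, host_max=20, host_min_users=3, window=600):
        self.user_max, self.host_max = user_max, host_max
        self.host_min_users, self.window = host_min_users, window
        self.user_fail = defaultdict(deque)   # user -> deque of (ts, user)
        self.host_fail = defaultdict(deque)   # host -> deque of (ts, user)
        self.blocked = {}                     # ("user"|"host", key) -> expiry ts

    def _prune(self, q, now):
        # Drop failures older than the sliding window.
        while q and q[0][0] <= now - self.window:
            q.popleft()

    def record_failure(self, user, host, now):
        uq, hq = self.user_fail[user], self.host_fail[host]
        uq.append((now, user)); hq.append((now, user))
        self._prune(uq, now); self._prune(hq, now)
        if len(uq) >= self.user_max:
            self.blocked[("user", user)] = now + self.window
        distinct_users = {u for _, u in hq}
        # Host block needs volume AND spread across accounts.
        if len(hq) >= self.host_max and len(distinct_users) >= self.host_min_users:
            self.blocked[("host", host)] = now + self.window

    def is_blocked(self, user, host, now):
        """Return "user" or "host" if the attempt must be refused, else None."""
        for key in (("user", user), ("host", host)):
            exp = self.blocked.get(key)
            if exp is not None and exp > now:
                return key[0]
            if exp is not None:
                del self.blocked[key]   # expired: drop so admins only see live blocks
        return None

    def list_blocks(self, now):
        """Live blocks for an admin view: [(kind, key, expiry_ts), ...]."""
        return sorted((k, t, e) for (k, t), e in self.blocked.items() if e > now)

    def clear(self, kind, key):
        """Admin override; True if a block was actually removed."""
        return self.blocked.pop((kind, key), None) is not None
```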

Status: Closed (fixed)