What i would suggest is that keep a webconfig app settings key that has the max threshold login attempt count. When you land the login page(for the first time) create a session variable that holds value as 0 . On successive login failed attempts, increase the session value and check for the max threshold using the app setting key, then block the user in the database.
If you want this to limit based on the time, you could refer the below link
http://stackoverflow.com/questions/355602/locking-out-a-user-in-an-asp-net-custom-membership-provider[
^]
In membership you have two properties
maxInvalidPasswordAttempts
passwordAttemptWindow
You can use them.