Limit login attempts

David Burke requested to merge limit-login-attempts into master

This makes it so that a particular user can only attempt so many logins. I chose to do it per user instead of by IP address. The timeout and limit are up for debate.

I'm doing 100 attempts for 10 minutes. I also disabled admin (only used for debugging anyway) and the DRF auth view. We just don't need those things really. Fewer attack surfaces.

After we merge this we need to update the front-end's messaging about it.

Edited by David Burke
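
A per-user sliding-window limiter using the figures from the description (100 attempts per 10 minutes), as an added example that is not code from this merge request. The class name, the in-memory single-process storage, and the username normalization are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque

MAX_ATTEMPTS = 100        # limit quoted in the merge request description
WINDOW_SECONDS = 10 * 60  # 10-minute window quoted in the description


class LoginAttemptLimiter:
    """Hypothetical sliding-window counter of login attempts, keyed by username."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window
        self.clock = clock  # injectable so tests can control time
        self._attempts = defaultdict(deque)  # username -> attempt timestamps

    @staticmethod
    def _key(username):
        # Normalize so "Alice " and "alice" share one counter; otherwise
        # case or whitespace variants would each get a fresh allowance.
        return username.strip().casefold()

    def _prune(self, key, now):
        # Drop timestamps that have aged out of the window.
        attempts = self._attempts[key]
        while attempts and now - attempts[0] >= self.window:
            attempts.popleft()
        return attempts

    def allow(self, username):
        """Record an attempt; return False when the user is over the limit."""
        now = self.clock()
        attempts = self._prune(self._key(username), now)
        if len(attempts) >= self.max_attempts:
            return False  # rejected attempts do not extend the lockout
        attempts.append(now)
        return True

    def retry_after(self, username):
        """Seconds until the next attempt is accepted (0.0 if allowed now)."""
        now = self.clock()
        attempts = self._prune(self._key(username), now)
        if len(attempts) < self.max_attempts:
            return 0.0
        return self.window - (now - attempts[0])
```

Because the counter is keyed by username rather than by IP address, anyone who knows a username can use up that account's allowance, so the front-end message can use `retry_after` to tell the legitimate user when to try again.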
