Configurable rates/limits
I know this is already in the list of future development/ideas, but I'd like to encourage a change to make the fraud/invalid CSRF event limits (currently 5) and 2 hour interval configurable. We had a card testing incident over the past couple days (with Firewall enabled) that was brought to my attention after payments on our Stripe account were temporarily blocked.
Out of 729 events logged in the civicrm_firewall_ipaddress table there were 649 unique IP addresses, so we're not getting anywhere close to the 5 events that would block them in time to prevent trouble. I'd like to be able to block them sooner, after 1 or 2 events, and to make that period longer than 2 hours. (I'll be lowering the CSRF timeout from the default 12 hours; 141 of those events were invalid CSRF events.)
It would also be nice to be able to block payments of $1 from Civi without upgrading to Stripe's "Radar for Fraud Teams" to add a custom rule there, but I understand that's probably beyond the scope of this issue.
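As an added illustration of the threshold-and-window rule the post asks to make configurable (this is not code from the firewall extension), the sliding-window check below runs over a constructed set of events; the (timestamp, ip, event_type) tuple layout stands in for whatever civicrm_firewall_ipaddress actually stores and is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; the column layout is an assumption, not the
# extension's real schema. Most IPs appear only once or twice, which is the
# pattern the post describes (649 unique IPs across 729 events).
SAMPLE_EVENTS = [
    ("2024-01-10 10:00:00", "203.0.113.5", "fraud"),
    ("2024-01-10 10:01:00", "203.0.113.5", "fraud"),
    ("2024-01-10 10:05:00", "203.0.113.6", "invalid_csrf"),
    ("2024-01-10 10:00:00", "203.0.113.7", "fraud"),
    ("2024-01-10 13:30:00", "203.0.113.7", "fraud"),   # 3.5 h after its first event
    ("2024-01-10 14:00:00", "203.0.113.8", "fraud"),
    ("2024-01-10 14:10:00", "203.0.113.8", "fraud"),
    ("2024-01-10 14:20:00", "203.0.113.8", "fraud"),
    ("2024-01-10 14:30:00", "203.0.113.8", "invalid_csrf"),
]


def blocked_ips(events, limit=5, window_hours=2):
    """Return the set of IPs with at least `limit` events inside any rolling
    window of `window_hours`. The defaults mirror the fixed 5-events-in-2-hours
    rule described in the issue; lower `limit` or raise `window_hours` to see
    how many of the sample IPs would be caught instead."""
    by_ip = defaultdict(list)
    for ts, ip, _event_type in events:
        by_ip[ip].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))

    window = timedelta(hours=window_hours)
    blocked = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        # Two-pointer sweep: advance `start` until the window fits, then check
        # whether enough events remain inside it.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= limit:
                blocked.add(ip)
                break
    return blocked


if __name__ == "__main__":
    for limit, hours in [(5, 2), (2, 2), (2, 24), (1, 2)]:
        print(f"limit={limit}, window={hours}h ->", sorted(blocked_ips(SAMPLE_EVENTS, limit, hours)))
```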