Thank you MacManX for your response. I still have a question about it.
I noticed that every computer in the botnet tries only one or two times and then switches to another IP if he is rejected.
Now, in my configuration at the moment, all IP’s are rejected after two attempts in one minute except for the white list.
With the tool you suggested only the failed user-ip is blocked so the next in the botnet can try again. So the process of the brute force attack is not disturbed because the next in line is not blocked.
Or do I mis something?