How to prevent brute force attacks on ajax form submission?

Suppose I have the file login.php.

login.php takes get (or post) parameters username and password and return true if login successful and false otherwise. This way other pages can access it via ajax.

My question is, since this method is vulnerable to brute force attacks, how should I secure this. I'm thinking of making it refuse access unless it is from my own site's form, but how would you go about doing that?

I use jquery to make ajax calls.

Brute force is much harder than you think. If a person is using a bad password, it's their problem. Even a weak password (8 characters) would require 2 years of brute forcing if the attackers can do million attempts every second. You have many options:

1. Limit the number of login attempts per username per five minutes. This requires a table in your database where you keep the requests and their time for the last 5 minutes, more or less. This has the unfortunate side effect of allowing someone to (D)DoS one of your users.
2. Limit the number of global login attempts... This is easier but can make DDoS of your entire server easy. I wouldn't do it.
3. Limit the number of attempts from an IP or from an IP/user. That wouldn't allow an easy DDoS, but it won't stop a distributed brute force attack, so don't bother.

I'd do the following: Require passwords of 10 characters or more. Scream if they aren't strong enough, or are based on dictionary words (but still allow them). Log when there are too many login requests and investigate personally as soon as possible.

All of this happens on the server side, and has nothing to do with AJAX.