I'm assuming that the login table stores the login name/PW. I suppose you could have a separate table store known IP addresses for a user (though this would give you a bigger performance hit at authentication time).

Anyway, storing user name/IP pairs gives you the ability to parse that data and look for suspicious info. One name that is connected to a large # of IP addresses (esp if they are from multiple domains) is probably indicative of one user sharing his/her login/PW info. One IP address (or range) that is associated with a large number of user names is indicative of a user going nuts with the registration system

This is pretty obvious stuff, but it's the first thing that came to mind.

Oh, and I think that having a central authentication server is the right way to go.