Can't do anything with IPs... it's not fair to the user. If I buy a username and password to your site from where I live (Canada), go on a business trip to China and try to log in from internet access in that country, then shouldn't I be able to log in?
Reasonably, the only thing to do is only allow one login with any given username at one time - like most member sites.
Now if you get several 'successful' (e.g. correct password) requests from multiple IP addresses with a given username, while that given username is already logged in, then you can always ban it.
I've switched careers...
I'm NO LONGER a scientist,
but now a web developer...
Bear in mind that people visiting from office LANs can go through a proxy with a single WAN IP, so technically be careful about banning unless it's blatantly obvious there is trouble.
One approach to seeing if an account is being blatantly shared is to note the login time and geo-location of their IP, such as country of origin and/or state/city. If two users log in at roughly the same time, one from Canada and the other from China, common sense says it's unlikely it's one person. Just remember the limitations of banning by IP as noted earlier. Write a script that runs via cron daily, or one that prints a report and/or allows you to delete/ban those accounts. You'd geo-locate their IP and store the info in a database at registration and each login.
This is an excellent API to help you geo-locate any IP, far better than installing a server-resident script and database you'd need to maintain on your own to do the same as the API.
Personally, prevention is the best approach. Everything from SSL/TLS to captcha to proper SQL injection prevention where necessary to session control techniques making sure an account can only be logged in once and sensibly idles out, etc. etc.
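The daily report described in the post above, as an added example that is not part of the original thread: it flags accounts with successful logins from different countries inside a short window and only reports them, leaving the ban decision to a person. The function name, the two-hour window and the sample rows are assumptions made for illustration; the country codes are assumed to have been resolved and stored at login time, as the post suggests.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows: (username, login time, IP, country stored at login).
# IPs are from the documentation ranges, not real hosts.
LOGINS = [
    ("alice", "2024-03-01 09:00", "192.0.2.10", "CA"),
    ("alice", "2024-03-01 09:20", "198.51.100.7", "CN"),   # 20 min later, other country
    ("bob",   "2024-03-01 08:00", "192.0.2.44", "CA"),
    ("bob",   "2024-03-03 10:00", "203.0.113.5", "CN"),    # two days later: a business trip
    ("carol", "2024-03-01 12:00", "203.0.113.80", "CA"),
    ("carol", "2024-03-01 12:05", "203.0.113.80", "CA"),   # same office proxy IP
]

def suspicious_pairs(logins, window=timedelta(hours=2)):
    """Return {username: [(earlier, later), ...]} for pairs of logins that come
    from different countries and are no more than `window` apart."""
    by_user = defaultdict(list)
    for user, ts, ip, country in logins:
        by_user[user].append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), ip, country))

    report = {}
    for user, events in by_user.items():
        events.sort()  # chronological order
        hits = []
        for i, (t1, ip1, c1) in enumerate(events):
            for t2, ip2, c2 in events[i + 1:]:
                if t2 - t1 > window:
                    break  # sorted by time, so every later event is further away
                if c1 != c2:
                    hits.append(((t1, ip1, c1), (t2, ip2, c2)))
        if hits:
            report[user] = hits
    return report

if __name__ == "__main__":
    # Print a report for manual review instead of banning automatically.
    for user, hits in suspicious_pairs(LOGINS).items():
        for a, b in hits:
            print(f"{user}: {a[2]} ({a[1]}) at {a[0]}  vs  {b[2]} ({b[1]}) at {b[0]}")
```

Comparing countries rather than raw IPs keeps users behind one office proxy, or on a changing home IP, out of the report, and the window keeps the traveller from the first post out of it as well.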