I use fail2ban extensively with PF to block SSH, SASL, Dovecot, and Postfix brute-force and DoS attacks. I also have custom-made scripts to log all permanently banned IP addresses so PF can reload the blacklist when restarted. It works very well. I plan to add Nginx to block scanners, spiders or requests for sensitive or missing files.
You need to be careful about HTTP, as HTTP requests could be legitimate. You can limit concurrent connections to a single IP address via PF or Nginx config to block HTTP DoS attacks. Once that concurrent connection count reaches its max, you can permanently ban that IP address.
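A pf.conf sketch of the setup described in the post above, added here as an illustration and not taken from the poster's configuration: a per-source connection cap on HTTP(S) that moves offenders into a table, plus a file-backed blacklist that PF reloads on restart. The interface name, table names, file path and thresholds are assumptions to adapt.

```pf
# Added example; interface, table names, path and limits are assumed values.
ext_if = "em0"

# Permanent bans: loaded from a file each time the ruleset is loaded,
# so they survive a PF restart or reboot.
table <blacklist> persist file "/etc/pf.blacklist"

# Sources that exceeded the HTTP limits below. Held in memory only.
table <http_abuse> persist

# Drop banned sources before any pass rule is evaluated.
block in quick on $ext_if from <blacklist>
block in quick on $ext_if from <http_abuse>

# max-src-conn       established TCP connections allowed per source address
# max-src-conn-rate  new connections per source, as count/seconds
# overload           table that receives a source exceeding either limit
# flush global       also drop the states that source already holds
# Set the limits high enough for many clients behind one NAT address.
pass in on $ext_if proto tcp from any to any port { 80 443 } \
    keep state (max-src-conn 50, max-src-conn-rate 100/10, \
    overload <http_abuse> flush global)

# Review before making a ban permanent (run from a shell or cron, not here):
#   pfctl -t http_abuse -T show            list the current offenders
#   pfctl -t http_abuse -T expire 86400    drop entries older than one day
# Addresses appended to /etc/pf.blacklist are picked up on the next load.
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it.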