I don't know about 'best practices', but I know of a nice app that's less resource intensive than 'fail2ban': https://github.com/sofar/tallow
Since my main concern about security is cardholder data leaks, I looked into what it takes to become PCI-compliant: https://www.pcisecuritystandards.org/merchants/self_assessme... (not that PCI compliance is the be-all and end-all of web security).