If you are worried about load on your servers, then it certainly seems like it should be possible to setup syslog to send your logs off to some other system in the path. I can't give you the exact details, but it certainly seems like it should be possible to have all your logs gather to a central up-stream host which will perform any required intrusion prevent steps.
You can also setup iptables on the box to rate limit the number of connections. This in addition or in place of denyhosts/fail2ban should cut down on a lot on what those apps need to actually respond to.
See: Hundreds of failed ssh logins