0. You can use something like Cloudflare. And change the hoster while you are at it, since it asks such questions.
1. In fact, these services are of little use; better see point 0 here, too.
2. There is fail2ban, for example; you can write rules for it depending on the application. And it is not necessary to tie this to nginx; it is better to block at the firewall.
3. "Rebooted nginx, but the villain still keeps hammering on nginx! Why? Did I order it incorrectly?"
Nginx does not use TCP wrappers. And they are not a system-level block like iptables. They are an attempt to give a general configuration for programs, but it only works for those that support it. And those that do support it often need to be configured to use this mechanism. I recommend reading about what it is all about and how it works.
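
What point 2 describes (an application-specific rule whose result is a firewall block rather than an nginx setting), as an added example that is not part of the original answer and is not fail2ban's own code. The `/login` path, the 401/403 statuses, the thresholds and the log lines are constructed assumptions; `maxretry` and `findtime` are only named after the fail2ban options.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# nginx "combined" access-log prefix: address, time, request URL, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) ')

def _line(ip, hhmmss, status, url="/login"):
    """Build one constructed log line (sample data, not real traffic)."""
    return (f'{ip} - - [10/Mar/2024:{hhmmss} +0000] '
            f'"POST {url} HTTP/1.1" {status} 153 "-" "-"')

SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", f"12:00:{s:02d}", 401) for s in range(0, 12, 2)]   # 6 failures in 10 s
    + [_line("192.0.2.33", f"12:{m:02d}:00", 401) for m in range(0, 25, 5)]  # 5 failures, 5 min apart
    + [_line("198.51.100.20", "12:01:00", 401),
       _line("198.51.100.20", "12:01:05", 200)]                              # one typo, then success
)

def find_offenders(log_text, path="/login", statuses=(401, 403), maxretry=5, findtime=60):
    """Return addresses with >= maxretry failed requests to path within findtime seconds."""
    recent = defaultdict(deque)   # per-address sliding window of failure timestamps
    offenders = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # ignore lines that are not in the expected format
        addr, stamp, url, status = m.groups()
        if url.split("?", 1)[0] != path or int(status) not in statuses:
            continue
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[addr]
        hits.append(when)
        while (when - hits[0]).total_seconds() > findtime:
            hits.popleft()        # drop failures that fell out of the window
        if len(hits) >= maxretry and addr not in offenders:
            offenders.append(addr)
    return offenders

def firewall_rules(addrs):
    """Render DROP rules; the address is validated before it reaches a command line."""
    rules = []
    for addr in addrs:
        ip = ipaddress.ip_address(addr)  # raises ValueError on anything that is not an IP
        tool = "iptables" if ip.version == 4 else "ip6tables"
        rules.append(f"{tool} -I INPUT -s {ip} -j DROP")
    return rules

if __name__ == "__main__":
    print("\n".join(firewall_rules(find_offenders(SAMPLE_LOG))))
```

The rules are only printed, not applied; a DROP in the INPUT chain takes effect in the kernel before the connection reaches nginx, which is why no nginx restart is involved.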