As an experienced sysadmin with a security background, I use Hiawatha precisely because it doesn't require a buttload of hacks to secure, unlike a lot of other web servers I've worked with. That's not a dig on them so much as a compliment to Hiawatha; it makes my job a lot easier. The only reason I'd recommend something like fail2ban is if you're exposing more than the web ports through the firewall. In that case, it's mainly to protect other services (e.g. SMTP, SSH) from brute-force or badly behaving clients. Hiawatha does a better job on its own, and uses fewer resources. If it was me in your shoes, I'd skip the firewall so you can utilize that memory & CPU time for more interesting things, and let Hiawatha (and your upstream firewall) take care of the Internet nastiness.