the built in "adaptive firewall" on 10.5 server does what you describe.
i'd still recommend having a separate physical firewall handling security, though.
at least for ssh, you can port forward or run the service on another high port to eliminate most, if not all, of your ssh dictionary attack attempts. doing either shouldn't have any effect on server admin usage.
i don't believe making any changes to the tcpwrappers config files will affect httpd configuration.
also, adding denied hosts manually is like fighting against the tide. i don't recommend it. for servers i administer, i usually deal with this at the firewall level and then supplement rules with a deny all for sshd, only allowing ssh access from certain hosts (like my home network or the office, etc.) that should be safe. at the worst, i can always hop through one of the safe hosts to the client server if needed. a large hosts.deny file won't slow anything, but i would advise against manually editing it to the point it gets large, anyway.
another option is a hardware firewall (standalone appliance or something like iptables or pf running on linux, freebsd, openbsd, etc.) that also offers vpn access. with vpn, leave only 80 and 443 open, if those are the only publicly available ports you need, and use the vpn to access everything else.
if that's not an option, check out denyhosts here:
http://denyhosts.sourceforge.net