I would suggest CSF and I can help you - the install process is easy and it watches everything.
And if you later have more servers you can configure it to cluster and block i.p.'s across your cluster.
It notifies you of ssh access, sudo su access.
I have directories that should never change (web) it watches them - if potential hack does occur I know in real time.
It beats LxGuard every time. I have LxGuard set to 5 - CSF to 10. CSF always blocks the i.p. before LxGuard. I think it deals with when and how frequent it reads the logs.
Memory is minimal - processes are minimal. (although it is running so it does take a small footprint)
If you need help let me know. There are some rules for csf.pignore Kloxo specific so you don't get a million emails about "suspicious process".
I learnt most from hours of research and trial and error. But I know that CSF blocks about 10 i.p.'s a day (temporary blocks) for port scanning. (10 hits on ports not available)