You can use active-response in OSSEC, if you have access to your firewall (not from inside jail, yet). OSSEC-host-deny would work in a jail.
You could use fail2ban on host for active-response, and OSSEC without active-response on your host and jails.
You could replace fail2ban with OSSEC and activate active-response on your host.
No need to install OSSEC on every jail, you could include logs from jails in your ossec.conf on your host system.
Would be great, if OSSEC is integrated into PCBSD.