Best WP Security Practices / WP Security Plugins?

My server's been the subject of brute force attacks for the last two days, enough to require a reboot. My hosting service says the most accessed page was wp-login.php.

My question is, is there a simple, authoritative source that I can consult to ensure I'm doing everything I should be doing to protect my WPMU site?

Second, I see ads for WP security plugins. Does anyone have any thoughts concerning these? Are they worth it?