Something I’ve had reason to play a lot with over the last few months is Security Onion, a free and open source product that frankly compares damn well to a number of *very* expensive proprietary products.
It requires no small amount of Linux and tech knowledge to start digging into, but you get an ELK stack, full packet capture, and a number of GUI options for visibility into network and file system alerts... it’s really neat.
I struggled to get my ELK stack working properly but the eventual culprit was memory: I’d recommend a minimum of 4-8 gigs of RAM.
I’m now looking into ways to build cheap NSM (network security monitoring) sensors out of something akin to Raspberry Pis, but I don’t know how feasible that is yet.
Hardening SSH can be a challenge, but it’s critical to get done.
OpenSSH is the administrative tool of choice for any good Unix/Linux sysadmin, and every bad guy in the world knows it. There’s a lot of scanning constantly looking for low-hanging fruit like misconfigured SSH services.
There are a number of automated banning tools that check for bad behavior, but I like fail2ban as it’s flexible and extensible. Configuring fail2ban requires adjustment and testing, but it can be comprehensive. Certainly sshguard and denyhosts are solid options, and if you’re only looking for something to monitor SSH, those are a great way to go.
Note: This is a guide to one security tool. You are responsible for how you secure and expose a service to the internet. I would not put a fresh box up with SSH open on the internet with only fail2ban installed, for example. (You might also want to harden the service directly.)