You can watch your systems by systematically scanning them with some stock and some add-on packages that are all readily available and free (as in liberty and beer). With the automated and watchful assistance of built-in baseline tools such as RPM and MD5 fingerprints, lsattr, and logwatch, combined with add-on freebies such as chkrootkit, Portsentry, and other related tools, you can do a good job of keeping things in check. Some of these tools watch for outer preemptive signs of attack, while others watch the inside of your system and flag you when something's gone wrong. Having balance here is important.
To keep from getting hacked, you should employ foundational security elements to make your house of cards into a buttressed fortress, impervious to such attacks. This takes incrementally applied security steps such as strong passwords, up-to-date system-wide patches, auditing and minimizing of network-facing services, as well as the scanning and reporting intrusion detection practices that we've focused on in the bulk of the chapter. Without all of these elements, measures such as NATed firewalls and fancy NIDS systems may be a house built on sand.
When systems do get hacked, there are things that should be done in a specific fashion, depending on your particular system configuration. If you have a bit of time, forensic data should be collected, archived off site, data saved, and the system reloaded. If there is active destruction, you may need to actually pull the plug, clone the drive for evidence, and work on salvaging data from the clone. Regardless, such systems can no longer be trusted, and must be taken down one way or another. Make sure you don't reinfect yourself in the data migration process.
If you follow the rules for building your systems upon a strong and secure foundation, keep an eye on them by monitoring various aspects of their inner workings, and don't trust in single-vendor, shrink-wrapped security products that promise the sky, you should never have to worry about collecting evidence of an intruder or doing mass data migrations, with your boss screaming in your ear.