Let me tell you something other people have done before
that you might want to adopt

1) restrict ssh/afp access with in campus, so VPN is required
2) replace password authentication with public-key authentication
3) denyhost like anti-attack tools which keeps password scanners away
since they got denied access after couple failed logins.
Though nowadays people use botnet to dynamically change the source IP,
the denyhost maintains a list of such bots so people can
actively keep those people away. It works like the spamlist idea.
4) Pretend yourself as a hacker. Use security scanners and see if you
could penetrate.
UCSD ACS uses nessus daily to find security holes of machines in UCSD domain.
Others run 'john', a dictionary/bruteforce password guesser, to figure
out easy password of users in the system so they can be warned.

5) Monitoring the system log actively.  It's a battle between sysadms
and crackers.
Every security measure has counter measures. There is no single
methods that works forever.
Actively monitor syslogs to identify suspicious activity. It takes
days for naive hackers who use password scanners to penertrate.
This also help you notice system failures before the users complain.

6) subscribe mailinglist of system updates and hacker tools updates so
you know the advances of both the white and the black forces.
Then you can take action to update the system and fix the holes before it leak.
An example of the black side is the mailinglist named 'bugtraq'. Many
0-day attackers got their expoits from here.