Others have said it before but basically : what is YOUR (not me, not your best friend, nor your colleague, etc) threat model?

To clarify that means WHO is actually trying to threaten your security?

Typical for most people it would be :

• scammers trying to get pieces of your identity or your local cryptocurrency wallet or resources they can use to repeat that on to others.

For some people, like activists or political journalists it would be :

• national actors, e.g. governments, with their surveillance apparatus, who might end up on a list with a set of conditions that would trigger some automated scan to get e.g. Signal logs

For very very few people, say Edward Snowden, who within the previous group actually did trigger some action :

• actual team of hackers trying to hack into their devices

So as you can imagine if you are part of group 1, 2 or 3 then way you will protect yourself is totally different. What you will also have to protect is also different, e.g. if you have no cryptowallet but are traveling you might have to protect your phone physical phone and its data.

So… if you are serious about this, take a cybersecurity class. There are plenty available but how a computer works, software and hardware alike, is precisely what makes them simultaneously powerful and also dangerous. There are plenty of ways to break security (e.g. return oriented programing), plenty of ways that practically impossible (e.g. encryption) due to the very nature of computers (i.e. computational complexity) which IMHO makes this one of the most fascinating topic. Ask yourself come the credit card in your pocket (costing few bucks to make) can’t be cracked by the largest super computers (costing billions) on Earth?

TL;DR: no offense but you don’t seem to be ready for the answer without getting the basics first.

There’s plethora of resources if you want to make your Linux install even more secure than the defaults (so-called “hardening”)

I would argue that Linux is inherently much more secure than windoze, simply because of how it handles user space vs. System (root access vs. User access). Also by how transparent its configuration is and how much information is readily accessible detailing how it works and how to adjust things.

However, when talking security for anything above the average user’s browsing needs, it can get very complicated depending on what you are trying to achieve.

Think of it like building something to keep out honest people vs. to keep out hardened, knowledgeable, clever thieves. Obviously the latter is going to take more time and resources to achieve, while the need to keep out more sophisticated bad actors would probably only be needed if you have something they might want.

Here are some suggestions for searching if actual security is your goal. Others can chime in with more things if they want. This is just some topics/programs you can read about to dip your toes in.

• nftables/Firewalld (common firewalls)
• wireguard/openvpn (vpn protocols)
• rootless containers (podman)

Best of luck!

Nothin, just install your favourite distro and don’t run random command/scripts/binaries you found on the internet

Keep your user account is user space.

Avoid unnecessary root access.

So how can I as a new user make sure to have the most secure machine as possible?

Shut the computer down. That’s it; computer as secure as possible.

Otherwise, if you actually want to use your computer, google for “threat model” first.

But generally: use an adblocker in your webbrowser, don’t execute random commands/tools from the internet before you know for sure what you’re doing, update stuff now and then and make backups.

You don’t actually need “perfect” security in the future, any more than you did in the past. Windows was not perfect, right? So stop looking for perfection. Instead, look for “good enough for 99.9% of the world”. And you can get that with many of the popular Linux distributions.

Basically, install a popular distro, and keep your software to whatever is in the package manager. Don’t install random shit manually. Don’t download random software from random websites. Don’t fuck with security settings unless you read up on the topic very thoroughly. Then you’ll be fine.

Just make sure everything’s updated.

Microsoft do a good job of updating drivers and their applications, but Windows application updates vary so much.

For Linux - mostly - the distro maintainers handle all updates and just updating is usually enough.

After that it’s down to you… if you disable all the built-in protection and visit dodgy websites then any OS is going to struggle.

You can improve the out-of-box security by removing software you don’t use, improving default configurations (one size doesn’t fit all) and considering if you want additional security software - this applies to any OS.

So, to return to your question, choose a Linux distro which has regular updates and only contains applications that you use.

From a windows perspective Linux does 2 things differently which makes it more secure to Windows.

1. Like MacOS it doesn’t need antivirus software like Norton. Windows needs antivirus because DOS the OS windows is based on, had it where any program had access to anything. This is still sadly true even on Windows 11. Linux is Sandboxed, where instead of giving the program full access to everything, you just give it a sandbox with what it needs.

Unless you deliberately run a program as the admin of Linux (su or sudo), malicious code can just delete system32.

2. Linux’s is open source and while the desktop market share is tiny, there are a massive market in servers. As a result since there are a lot of eyes on the project if/when problems are found they are fixed quickly. I remember a time when a malicious actor was trying to add a backdoor into a library as a blob and it was caught.

Windows on the other hand is closed source, meaning if MS can’t find the issue, the only time it is found is when it’s in the field. To avoid downtime MS offers bug bounty programs for those who can find issues, rather than to let them exploit it.

Security on Linux is lackluster.

Generally as long as you don’t install any untrustworthy programs you’ll be safe … but there’s a problem. Linux is an amalgamation of thousands of separate programs and most of them are maintained by one guy in Nebraska thanklessly. XZ Utils is a prime example of how vulnerable the Linux software stack is to malware.

My advice: Keep your daily driver separate from your gaming machine, use a debian-based distro like Ubuntu or Mint for your daily driver, and always have a disaster recovery plan. My advice would basically be the same for a Windows user.

EDIT: Also full-disk encryption. Both on Windows and Linux you can just read the contents of a hard drive no questions asked. Windows is going to address this with TPM’s but you can just use a password. Secure-boot is good because it can help guard against rootkits.

Security is a rabbit hole.

You’re going to end up wasting a lot of time and effort on learning about something that in the end will not have a substantial impact on your computing experience.

It will make you look good in front of losers on the internet you’ll never meet, though.

To have the most secure machine possible, you might need a hardened kernel but you absolutely need to have SELinux (or equivalent) rules set up.

The easiest way to have a go at this would be to install OpenSuSE (any version will do, they all ship with SELinux ootb) and follow guides on how to setup SELinux permissions.

what i did after install mint, enable firewall, disable vnc, ssh ,rdp ports. install opensnitch, install pihole

There’s a lot of people with the idea that open source can’t be secure because people see the source code.

But imagine this. You have 2 locks, one that is completely viewable of the innerworkings, and another that is covered, both have been unbreakable, but could you imagine the balls on the guy that made the clear lock? Imagine feeling so confident that your lock was clearly the best, that you just expose it to any hacker ever and they still can’t get in.

Microsoft can barely get things working with their closed source code.

In reality, anything is exploitable and hackable eventually. With the open source community there are so many eyes on it that when someone notices that the program is running 2 seconds slower than it used to, they discover a vulnerability instead of just accepting it and saying “probably MS doing some BS” and dealing with it.

if you mean the most secure desktop? then linux is not. not by a long shot.

use windows.

https://madaidans-insecurities.github.io/security-privacy-advice.html#desktop-os

https://madaidans-insecurities.github.io/linux.html

if you mean most most free, linux it is. personally I use linux.