Hi there,

Win10 is soon not supported. Tbh Linux has been on my radar since I started to break from the US big tech.

But how is security handled in Linux? Linux is pretty open-source, or am I not understanding it correctly? So how can I as a new user make sure to have the most secure machine possible?

  • Sunoc@sh.itjust.works
    3 months ago

    Great to hear you’re willing to move to Linux!

    Like other comments pointed out, there is no such thing as “most secure”. It’s a deep rabbit hole and it’s better in general to assume that any device connected to the internet is at risk. Hell, any storage can be compromised if the entity interested puts enough effort into it.

    I recommend reading the page on Privacy Guides, it gives a good overview. In general, you should consider your threat model: what is your situation and what do you want security or privacy for?

    • Regarding security, I would say for a general case, any modern, popular Linux distro with full disk encryption is probably good enough and as secure as any other OS. I would recommend going with a Fedora Silverblue or an OpenSUSE Tumbleweed, but the more popular Ubuntu or Mint are great as well for new users.
    • If you also want “good enough” privacy, you should focus more on the software you are running, and the situation of your data, especially in your usage of your web browser. But that’s a different topic entirely.
    • If you actually want more advanced security though, that’s where it becomes difficult/fun. You need to consider what you are trying to protect yourself from, specifically. Virus? Maybe a compartmentalized OS like Qubes might be a solution. Physical access to your device? You can get a dead man switch that kills your system disk if your laptop is taken away from you. You want to hide your OS install from a security inspection? You can set a deniable full disk encryption with a facade OS that protects you from a rubber hose attack. Probably many other things exist I am not aware of.

    But anyway, if your question is “Is a Linux distro at least as secure as my previous Windows”, the answer is definitely YES imo. And if you want MOAR, it’s gonna be a fun ride!

    [edit: and yes, updates! Update your system plz.]

  • frongt@lemmy.zip
    3 months ago

    You’re going to need to be more specific. There are dozens of aspects of security.

    But if you want to have the most secure machine, then never turn it on, encase it in lead, and drop it at the bottom of the ocean.

    • UheldigeBenny@feddit.dkOP
      3 months ago

      Since I was referring to win10 losing support I thought it was understood that I asked about security updates like windows does. But to specify, how are the ongoing security updates working on Linux? Who does it? Is it even being done? It is an assumption on my side that the security is done in the same manner like win and mac, with continuous updates but that might as well be a wrong assumption.

      • frongt@lemmy.zip
        3 months ago

        Security updates are provided by each package maintainer and released on their own schedule. Microsoft releases updates monthly on Patch Tuesday, unless there’s a severe vulnerability that can’t wait. But since Linux is a bunch of different packages rolled into a distro, there’s no one authority managing updates.

        So, this means you might get them faster, or if a maintainer is not engaged, slower. Or, if a package is abandoned, not at all. Distros generally make sure their provided packages are maintained, but updates to third-party packages are not guaranteed.

      • relativestranger@feddit.nl
        3 months ago

        it’s similar. in a mainstream distribution with a desktop environment, updates can typically be configured to notify you or install automatically. it’s common for those updates to now also include third-party sources like flathub.

        upgrades (to a next point release or major version) are different, some can be fairly straightforward–others, not so much. and those upgrades will be more frequent, as the “lifecycle” for most linux distributions is shorter than windows’ 10 years.

      • Aelyra@lemmy.ml
        3 months ago

        It’s kind of like Windows. You just hit that shiny “Update” button and boom, your software’s up to date and more secure. Depending on your Linux distro and setup, you might not even need to reboot, which is pretty cool.

        Under the hood, most distros don’t really separate security updates from regular ones for everyday apps like your browser. They just roll them all together. But for the kernel, the super deep-core part of the system, sometimes you get security fixes without any new features. That helps keep things stable and safe.

  • Ulrich@feddit.org
    3 months ago

    Most of the security is in the kernel so you can make sure you have the latest kernel. Also secureblue is a security focused distro that makes use of GrapheneOS’s hardened malloc so that’s the most secure one that I’m aware of.

  • 🧟‍♂️ Cadaver@lemmy.world
    3 months ago

    To have the most secure machine possible, you might need a hardened kernel but you absolutely need to have SELinux (or equivalent) rules set up.

    The easiest way to have a go at this would be to install OpenSuSE (any version will do, they all ship with SELinux ootb) and follow guides on how to set up SELinux permissions.

  • the16bitgamer@programming.dev
    3 months ago

    From a windows perspective Linux does 2 things differently which makes it more secure than Windows.

    1. Like MacOS it doesn’t need antivirus software like Norton. Windows needs antivirus because DOS, the OS windows is based on, had it where any program had access to anything. This is still sadly true even on Windows 11. Linux is Sandboxed, where instead of giving the program full access to everything, you just give it a sandbox with what it needs.

    Unless you deliberately run a program as the admin of Linux (su or sudo), malicious code can just delete system32.

    2. Linux is open source and while the desktop market share is tiny, there is a massive market in servers. As a result since there are a lot of eyes on the project if/when problems are found they are fixed quickly. I remember a time when a malicious actor was trying to add a backdoor into a library as a blob and it was caught.

    Windows on the other hand is closed source, meaning if MS can’t find the issue, the only time it is found is when it’s in the field. To avoid downtime MS offers bug bounty programs for those who can find issues, rather than to let them exploit it.

    • Eggymatrix@sh.itjust.works
      3 months ago

      I don’t know where you got your information from, but your mental model on how and why things work the way they do in both linux and windows seems to be really off.

      Since you seem like someone that is actually interested in understanding this stuff, I strongly suggest finding some better sources as your base.

    • ramenu@lemmy.ml
      3 months ago

      Windows isn’t based on DOS, though. It hasn’t been for a very long time. Linux isn’t sandboxed. Userspace applications can be sandboxed. There’s a difference.

      • the16bitgamer@programming.dev
        3 months ago

        Yes, modern Windows is based on the NT kernel. However to keep with compatibility with older programs, NT needs to be compatible with DOS. For most people they never saw the transition from DOS to NT, since it was quietly done with Win XP.

  • transscribe7891@lemmy.dbzer0.com
    3 months ago

    I used to use ClamAV, but not sure I noticed much of a difference, so haven’t really used any antivirus software for a while now. Curious what people in this thread think of clam.

    • Nilz@sopuli.xyz
      3 months ago

      ClamAV looks for signatures of known viruses, most of which target Windows and not Linux. So it’s debatable how much more secure you really are by running ClamAV.

  • infjarchninja@lemmy.ml
    3 months ago

    When my kids were in their teens they had windows machines.

    They had windows machines, because all their friends had windows machines.

    you know what kids are like, click on every thing. oblivious to danger.

    malware, viruses, the lot. of course, good old idiot dad had to sort it out. spending hours running anti-virus programs and malwarebytes etc

    I got really annoyed one day and while they were at school. I totally removed windows and installed linux mint xfce on both their machines.

    Set everything up for them exactly how I used my linux machine.

    Once they were online, had their web browser open, found they could log in to all the things they liked and still engage with their friends.

    I never heard a peep from them. no more anti-virus scans or malware.

    It was heaven.

    I’ve used Linux for 20 years and never had a virus.

    • MonkderVierte@lemmy.zip
      3 months ago

      About sandboxing, not like the Java-VM helps much in Android security.

      The inherent problem why sandboxing should not be on this list:

      [Image: sandboxing cycle]

    • pitiable_sandwich540@feddit.org
      3 months ago

      I think this article is a great analysis of what deep rooted flaws linux desktop distros have, but I think it is a bit disconnected from the average user (obligatory xkcd).

      If the average linux user needs a program, they google what they need and land on Stack Overflow telling them to use their package manager to install it.

      If the average windows user needs a program/feature, they google it. They click on the first link and install the first .exe they find. Has anyone you know used the microsoft store?

      Or take gaming as another example. The default experience for online multiplayer games requires kernel level anticheat on windows. This effectively circumvents windows’ carefully crafted security model for most triple-A online games.

      So yes the average linux machine is probably not as secure as a macOS or windows machine. But the way they are commonly used I highly doubt windows machines are more secure.

  • Ardens@lemmy.ml
    3 months ago

    Linux is always more secure than win10, so whatever your need, Linux is more secure. The biggest threat is almost always yourself, and what you open up, give away, and how easy you make the codes you use and so forth.

  • SayCyberOnceMore@feddit.uk
    3 months ago

    Just make sure everything’s updated.

    Microsoft do a good job of updating drivers and their applications, but Windows application updates vary so much.

    For Linux - mostly - the distro maintainers handle all updates and just updating is usually enough.

    After that it’s down to you… if you disable all the built-in protection and visit dodgy websites then any OS is going to struggle.

    You can improve the out-of-box security by removing software you don’t use, improving default configurations (one size doesn’t fit all) and considering if you want additional security software - this applies to any OS.

    So, to return to your question, choose a Linux distro which has regular updates and only contains applications that you use.

    • fodor@lemmy.zip
      3 months ago

      Visiting dodgy websites in itself isn’t as risky as you make it out to be. There are very few exploits in an updated version of Chrome or Firefox that would compromise your machine.

  • FoundFootFootage78@lemmy.ml
    3 months ago

    Security on Linux is lackluster.

    Generally as long as you don’t install any untrustworthy programs you’ll be safe … but there’s a problem. Linux is an amalgamation of thousands of separate programs and most of them are maintained by one guy in Nebraska thanklessly. XZ Utils is a prime example of how vulnerable the Linux software stack is to malware.

    My advice: Keep your daily driver separate from your gaming machine, use a debian-based distro like Ubuntu or Mint for your daily driver, and always have a disaster recovery plan. My advice would basically be the same for a Windows user.

  • johannes@lemmy.jhjacobs.nl
    3 months ago

    As others have said, Linux Security is a very broad topic. But the main things are: keep your system updated, only install packages from your distro’s repositories, install a firewall and don’t install anything you don’t need. That should go a long way :)

    For example, i use Alpine Linux as a desktop OS. This means i only install packages through apk, from the Alpine repositories. I run apk update and apk upgrade commands every Friday. I use Flathub for most desktop software which i also update weekly. (To be even more secure, only install verified flatpaks). My firewall has no incoming ports open (really not needed on my desktop). And i keep myself updated with the latest news regarding Alpine Linux, and Linux in general. So i am aware of most vulnerabilities as they are published. This is a pretty secure system.

    Later on if you want even more security you can start following the CIS guidelines for your favorite distro, but the above should be a good start.

    But good security is not just keeping your system updated, it also means you have good backups in place, in case ransomware hits your system. And then there’s also the monitoring of your system for suspicious behaviour :) But these are far more advanced topics!
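
One way to check the "no incoming ports open" part of the routine above on your own machine is to list every socket that listens on a non-loopback address. This is an added example, not the commenter's script; it assumes the `ss` tool from iproute2, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: find listening sockets that other hosts could reach.
# Assumes the column layout printed by `ss -tulnH` (iproute2).

# Constructed sample of `ss -tulnH` output (not from a real machine).
sample_ss_output() {
cat <<'EOF'
udp   UNCONN 0      0            0.0.0.0:68         0.0.0.0:*
udp   UNCONN 0      0          127.0.0.1:323        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      4096       127.0.0.1:631        0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
tcp   LISTEN 0      4096           [::1]:631           [::]:*
tcp   LISTEN 0      511     192.168.1.20:8080       0.0.0.0:*
EOF
}

# Reads `ss -tulnH` lines on stdin and prints "proto address port" for
# each socket NOT bound to loopback. Header lines and anything that is
# not tcp/udp are skipped, so output without -H also works.
exposed_listeners() {
  awk '
    $1 != "tcp" && $1 != "udp" { next }
    {
      port = $5; sub(/.*:/, "", port)        # text after the last colon
      addr = $5; sub(/:[^:]*$/, "", addr)    # text before the last colon
      sub(/%.*$/, "", addr)                  # drop scope, e.g. 127.0.0.53%lo
      gsub(/^\[|\]$/, "", addr)              # drop IPv6 brackets
      # Loopback-only listeners are not reachable from the network.
      if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) next
      print $1, addr, port
    }'
}

# Demo on the constructed sample; pass --live to audit this machine.
if [ "${1:-}" = "--live" ]; then
  ss -tulnH | exposed_listeners
else
  sample_ss_output | exposed_listeners
fi
```

Anything this prints is a service a firewall rule has to cover or that can be stopped if unused; UDP entries such as a DHCP client on port 68 are normal on a desktop.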

  • communism@lemmy.ml
    3 months ago

    To be honest, security in the desktop Linux space has traditionally been a bit shit.

    Since you’re new, it’s important for you to understand that Linux is a kernel. That’s the most low-down part of your operating system that handles your OS talking to your hardware and vice versa. Linux is not a full OS; it doesn’t provide any userspace tools that an OS provides. That’s why people don’t install Linux on its own, but they install Linux distributions, which are full OSes using the Linux kernel that come with more or less software to make Linux a complete OS, or at least bootable. That means that there is no one way to do things in Linux. There are some Linux distributions that are security-focused, such as Qubes OS and Alpine Linux. There’s also the new immutable distros, which provide security because the entire OS is defined declaratively, meaning you can easily rollback changes, and it’s harder to get infected with malware on those systems. There’s a lot of variability. Some systems are quite secure by default. A lot of other systems do not set up any security measures by default and expect the user to do that.

    If you’re interested in hardening your Linux install, I would recommend the Arch wiki’s security page which has a lot of good advice.

    Security is a really broad topic and the relevant security measures for you are going to vary based on your threat model. General good practices include using some form of MAC, setting up a firewall, don’t install random crap you don’t need (and if you are getting software from somewhere that isn’t vetted, e.g. the AUR, you should vet it yourself—e.g. if you use the AUR, learn to read PKGBUILDs), use full-disk encryption. Anti-virus software is largely not necessary on Linux, especially if you only install software from your package manager and follow other security good practice.

  • BCsven@lemmy.ca
    3 months ago

    Microsoft being closed source hides their bugs and vulnerabilities. Even when security researchers have sent in reports MS has sat on them due to profit being motive not security, and not taking vulners seriously until the researchers say screw that and publish it.

    Linux being open can have all eyes on it, and if there is an exploit, there is a community willing to help ASAP.

    On many distros you may have weekly or even daily updates or patches coming through with fixes. A distro like OpenSUSE has various patch and list patch commands that show what security patches are available, their status (critical, recommended) and if it’s needed on your system or not depending on what you have installed. You don’t get transparency on closed source systems.

    If you are paranoid about security you can use AppArmor tools or SELinux. AppArmor can be set to learn how an app behaves, then you lock it so the app can’t do new things.

    With SELinux you set rules for files and folders, so even with remote access an attacker can’t access data if rules don’t allow file listing over SSH etc.

    • UheldigeBenny@feddit.dkOP
      3 months ago

      Since I was referring to win10 losing support I thought it was understood that I asked about security updates like windows does. Pardon me. But to specify, how are the ongoing security updates working on Linux? Who does it? Is it even being done? It is an assumption on my side that the security is done in the same manner like win and mac, with continuous updates but that might as well be a wrong assumption.

      • slazer2au@lemmy.world
        3 months ago

        It depends on how you installed it.

        If you installed something via apt on a Debian based system then Debian will track the projects and push updates when they are available. If you are doing things with Snap or Flatpak then the developers of those specific applications will have some form of update plan.

        • UheldigeBenny@feddit.dkOP
          3 months ago

          Ah okay… I am kinda new in the lingo so sorry if I butcher some of it.

          So it is the developers of the distros who are pushing updates?

          I know you can never trust companies like Microsoft, but they are a bit more regulated by laws as they are big corps… How can you trust a distro enough to e.g. use online banking?

          • jutty@blendit.bsd.cafe
            3 months ago

            I think the ethos of open source flips this thinking. You should not trust. Microsoft may not be noting down your banking details, but you actually don’t and can’t know if it is. What it is doing is storing other personal data, because that is in its policies. Now, to what extent it takes advantage of this capability and permission, it is again unknown and unknowable.

            Microsoft may be a big corp, but some distros are the backbone of highly critical systems, and collectively they run the vast majority of servers.

            You don’t “trust” your distro. Or your laws. Everything being done is in the open, so you can see for yourself. If you lack the knowledge to do that, there are others who are doing it and many are sharing what they find. You will “trust” on some level, because of its reputation, how established it is, but trust here means something very different from letting a huge blob of unknown code do whatever it does because I trust you.

            • UheldigeBenny@feddit.dkOP
              3 months ago

              This is actually what I am a bit afraid of. I’m Danish and Denmark is becoming way too digital in the sense where we use digital ID to access banking and other systems which need you to be identified (tax, healthcare etc).

              The open source stuff is a bit daunting when you actually don’t know shit like me.

              But as you say, Microsoft might not be better.

              • Aelyra@lemmy.ml
                3 months ago

                If you’re trying to avoid forced telemetry and similar tracking, you’re generally safer with most of the big Linux distros. Most of them don’t collect data at all, and if they do, it’s usually easy to opt out with just a click.

                Going for lesser-known distros does increase your risk a bit, but the fact that they’re open source helps deter some bad actors, since the code can be inspected by others.

                And if you’re worried about super-sophisticated backdoors, keep in mind you’re not exactly safe with Microsoft either. A rogue employee could still cause harm, and because it’s closed source, any malicious changes might take way longer to catch.

              • WFH@lemmy.zip
                3 months ago

                Honestly, Microsoft is one of the most active participants in the shitty fascist dystopian surveillance shitshow in the US right now. It’s not that it “might not be better”, they are literally one of the worst.

                Open source doesn’t work on trust, it works on scrutiny. Which is much easier to do when everything is open and therefore auditable. The threat model is very different, and the mitigation process is much faster since thousands of companies, including the biggest ones, need a secure Linux to run all their servers.

                Open source software security issues come mainly from:

                • plain old bugs like everything else
                • supply chain attacks (Example), which are actually very difficult to pull off since they tend to actually fail because of said scrutiny

                What open source software won’t do because doing so would immediately kill a project:

                • deliberate backdoors “for law enforcement” like most commercial platforms
                • invasive telemetry/spyware
                • Microsoft Recall that literally records and stores indefinitely absolutely every single interaction you have with your computer
                • basically everything that’s deliberately harmful to privacy and/or security
                • enshittification to maximize profit since there is basically no financial incentive and no venture capitalist behind distros