General Security Considerations

  • Root user is all powerful.
  • Follow a process for removing user accounts.
  • root has full control over all system processes.
  • Use a firewall (ufw, iptables, dedicated firewall).
  • Use Multi-Factor Authentication wherever possible.
  • NEVER give root access to a user that does not absolutely require it.
  • File permissions make it easy to manage what each user has access to.
  • Linux is less popular than Windows 🙂, and it is open source, so less malware is developed for it.
  • Root is required to install system-wide software, configure networking, & manage users, along with other administrative tasks.
  • Only allow network connections from required sources (for example, only allow incoming traffic from SSH if no other applications require network connectivity).
  • Centralized package managers can certify that applications are malware-free before they are installed. Package managers also allow users to update all of their software at once.
  • Encrypt all data transmissions over a network. Ensure you are using the latest versions of protocols so that data is encrypted properly; for example, use SFTP instead of FTP.
  • Linux allows you to create dedicated accounts for services and applications. This way, if a service or process becomes compromised, it is less likely to affect the rest of the system.
  • Individuals should always have their own system accounts. Users sharing accounts can make it difficult to find the source of a breach. Users have a bad habit of being less responsible with shared user accounts.
  • Monitor system activity. This means regularly reviewing system logs. Sending logs to a dedicated server can make the review process easier, and also means you have a duplicate copy of the logs in case an attacker alters the logs on a system.
  • Avoid direct logins to root and service accounts unless absolutely necessary. Users should log in to their personal accounts and then use 'sudo -u' to run commands as other users. This creates a log trail that does not exist if users sign in directly to application, service, or root accounts.
  • Wherever possible, run applications and services in their own system (container, VM, dedicated physical hardware). Otherwise, ensure applications and services have their own dedicated user. This way, if an application or service becomes compromised, it is less likely that it will be able to affect the rest of the system.
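The points above about root being all-powerful, never handing out root access, giving services their own accounts, and avoiding direct logins to root and service accounts can be checked mechanically. The following audit script is an added example, not part of the original list: it reads a passwd-format file and flags any second UID 0 account and any service account (UID below 1000) that still has an interactive login shell. The passwd content embedded here is constructed for the example; on a real host you would feed it /etc/passwd.

```shell
#!/bin/sh
# Audit a passwd-format file for two least-privilege problems:
#   1. any account other than root that has UID 0 (a second all-powerful user)
#   2. a system/service account (UID below 1000) that still has an interactive
#      shell, so it can be logged into directly instead of reached via sudo -u
# The sample below is constructed for this example; pass the contents of
# /etc/passwd on a real host.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup-svc:x:998:998:backup service:/var/backups:/bin/bash
toor:x:0:0:second admin:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

# Print the names of non-root accounts whose UID is 0, one per line.
uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Print service accounts (0 < UID < 1000) whose shell is interactive,
# i.e. not one of the usual non-login shells.
service_accounts_with_shell() {
    printf '%s\n' "$1" | awk -F: '
        $3 > 0 && $3 < 1000 &&
        $7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" && $7 != "/bin/false" { print $1 }'
}

# Print one FINDING line per problem; return 0 if clean, 1 if anything was found.
audit_passwd() {
    findings=0
    for u in $(uid0_accounts "$1"); do
        echo "FINDING: account '$u' has UID 0 (root-equivalent)"
        findings=1
    done
    for u in $(service_accounts_with_shell "$1"); do
        echo "FINDING: service account '$u' has an interactive shell"
        findings=1
    done
    return $findings
}

if audit_passwd "$SAMPLE_PASSWD"; then
    echo "passwd audit: no findings"
else
    echo "passwd audit: review the findings above"
fi
```

The UID 1000 boundary matches the default first regular-user UID on most distributions; adjust it if your site allocates service accounts differently.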
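The monitoring item above says to review system logs regularly; the script below is an added example of what that review can look like in practice, and is not code from the original list. It summarises failed SSH password attempts per source address from auth-log lines and flags any source at or above a threshold, alongside the accounts that authenticated successfully for cross-checking. The log lines are constructed for the example using sshd's usual "Failed password" and "Accepted" wording; on a real host you would pipe in /var/log/auth.log or the output of journalctl for the SSH unit, ideally from the dedicated log server rather than the possibly tampered host.

```shell
#!/bin/sh
# Summarise failed SSH logins per source and flag noisy sources.
# SAMPLE_LOG is constructed for this example; feed real auth-log lines instead.

SAMPLE_LOG='Mar  3 10:01:12 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:15 host sshd[1203]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 10:01:19 host sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 51041 ssh2
Mar  3 10:02:01 host sshd[1210]: Accepted publickey for alice from 198.51.100.4 port 40112 ssh2: ED25519 SHA256:EXAMPLEKEY
Mar  3 10:02:44 host sshd[1215]: Failed password for bob from 198.51.100.4 port 40120 ssh2
Mar  3 10:03:02 host sshd[1220]: Failed password for invalid user oracle from 203.0.113.7 port 51090 ssh2'

# Print "<count> <ip>" for every source with failed password attempts,
# most frequent first. The address is the field following the word "from".
failed_logins_by_source() {
    printf '%s\n' "$1" |
        awk '/sshd\[[0-9]+\]: Failed password/ {
                 for (i = 1; i <= NF; i++) if ($i == "from") { count[$(i+1)]++; break }
             }
             END { for (ip in count) print count[ip], ip }' |
        sort -rn
}

# Print the sources whose failure count is at or above the threshold in $2.
sources_over_threshold() {
    failed_logins_by_source "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Print the account names from successful ("Accepted") logins, for cross-checking
# whether a noisy source eventually got in.
accepted_logins() {
    printf '%s\n' "$1" | awk '/sshd\[[0-9]+\]: Accepted/ {
        for (i = 1; i <= NF; i++) if ($i == "for") { print $(i+1); break } }'
}

echo "Failed SSH password attempts by source:"
failed_logins_by_source "$SAMPLE_LOG"
echo "Sources with 3 or more failures:"
sources_over_threshold "$SAMPLE_LOG" 3
echo "Accounts with successful logins:"
accepted_logins "$SAMPLE_LOG"
```

A single failure from a legitimate source (198.51.100.4 in the sample) is normal noise; the threshold is what separates that from a repeated guessing pattern, and the accepted-login list tells you whether any of those attempts turned into a session worth investigating.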