I spent five years doing backend software for identity theft protection, the last two at Experian. Needless to say, we were very security-conscious. Each developer was required to do an annual “security” in-service program. That tended to be repetitive, but some things stuck.
Building on some previous comments – there is no “secure system”. Instead, enumerate the threats you want to protect against (who and what) and estimate the cost of a breach. It is easy to tie yourself in knots and spend most of your time “protecting” yourself from “threats” that are irrelevant or that have negligible impact if they occur.
In a home environment, physical security is as important as anything that you run on any system. If you leave a system running with the screen unlocked and an admin user logged in, any guest who wanders into your office will be at least tempted.
As others have noted, your gateway/router is an important potential weakness. If you can afford it, buy another router/firewall and set up a “DMZ” (a local segment between your connection to the outside and your internal router/firewall). This is particularly important if you ever accept inbound connections from the wild. Be aware that tools like Zoom, Slack, Teams, Google, and others tend to use spare cycles on your machine to provide caching for peer-to-peer networking with nearby users. Any system that accepts inbound connections from the wild belongs in the DMZ. For example, some people host their own webservers and publish the IP address assigned to them by their ISP. That’s ok, but if you do something like that then put a “master” server inside the inner firewall, clone it to another server running in the DMZ, and use one of the many tools that continuously monitor the DMZ executables for unexpected changes.
Strongly prefer key pairs over passwords, and choose ed25519 as the key type. Passwords are inherently weaker than key pairs. For those passwords that you must use, don’t EVER EVER EVER use the same password on multiple external services/apps. Use a different password for each online banking and online credit card account. That alone accounts for the overwhelming majority of breaches that happen to real consumers. Of course, use hard-to-guess passwords. Use multi-factor authentication when it’s offered.
There is growing opinion among my security-oriented colleagues that running kernel-level VMs (kvm) and maintaining good backups is a big win. If you do experience an intrusion, it’s MUCH easier to clean up if you don’t have to rebuild your entire world from backup.
I’ve been very impressed with a product called intezer-protect from intezer.com. It’s a suite that runs in the background and sniffs around for suspicious executables. They have a marvelous UI and use a very impressive approach for identifying and categorizing threats. That product is free for most home users.
Most modern gateway/router devices provide a second “guest” access point that provides a separate local network. Use this for guests with phones, children with laptops, and so on. Keep that guest network isolated from your “main” internal network. You have so little control over all those foreign devices that it’s wise to keep them isolated from your personal jewels.
I’ve been running RL on my “main” iron with a guest VM running Windows 10 pro using VirtualBox. I plan to migrate to QEMU ASAP. I run a second RL machine as a network fileserver.
I suggest you be VERY cautious about “IOT” stuff – especially mesh routers and such. Each new network node is a potential vulnerability. The more you do over radio, the more surface you present to bad actors.
I am gradually turning my home into a local “IT Center”, with servers running RL and straightforward (in comparison to the Windoze swamp) approaches to file servers, backups, media services, and so on. AWS S3 and rsync do a much better job of offsite backup than you’ll do with any of the Windoze-oriented money-sinks like Acronis.
There is a “big picture” worth mentioning. The Linux community, and CentOS/RHEL/Fedora in particular, has been addressing security and malware for decades. There’s a lot to learn – and there’s also a rich variety of resources and tools to help you out.
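The post above recommends cloning the “master” server into the DMZ and watching the DMZ copy’s executables for unexpected changes. As an added illustration (not code from the post, and not any particular monitoring product), the following is the minimal shape of such a file-integrity check: hash every regular file under a root into a baseline, re-scan later, and report what was added, removed or modified. The directory layout and file contents in `demo()` are constructed for the example.

```python
"""Minimal file-integrity baseline for a directory of deployed executables.

Added example, not from the original forum post.  Records a SHA-256 digest of
every regular file under a root, then compares a later scan against that
baseline.  The baseline itself should be kept on the "master" side of the inner
firewall (or otherwise off the monitored host) so an intruder in the DMZ cannot
simply rewrite it to hide a change.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its digest.

    Symlinks are skipped: a link target can change without the link itself
    changing, so they are better tracked by their resolved target.
    """
    digests = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            digests[p.relative_to(root).as_posix()] = sha256_of(p)
    return digests


def compare(old: dict, new: dict) -> dict:
    """Classify differences between two baselines as added/removed/modified."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def save_baseline(digests: dict, path: Path) -> None:
    """Persist the baseline as JSON (store this copy off the monitored host)."""
    path.write_text(json.dumps(digests, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, re-scan."""
    root = Path(tempfile.mkdtemp(prefix="fim-demo-"))
    bin_dir = root / "bin"
    bin_dir.mkdir()
    # Constructed sample "executables"; contents are placeholders, not real binaries.
    (bin_dir / "httpd").write_bytes(b"\x7fELF constructed sample binary v1")
    (bin_dir / "helper.sh").write_text("#!/bin/sh\necho ok\n")
    before = baseline(root)

    # Simulated unexpected changes: one binary replaced, one file dropped in,
    # one file deleted.  A real monitor would diff the live tree on a schedule.
    (bin_dir / "httpd").write_bytes(b"\x7fELF constructed sample binary v2")
    (bin_dir / "cron.sh").write_text("#!/bin/sh\n")
    (bin_dir / "helper.sh").unlink()
    return compare(before, baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice `baseline()` would be pointed at the web root and binary directories of the DMZ clone, the JSON baseline saved on the inner network, and `compare()` run from a cron job whose non-empty output is what gets alerted on; the same three categories also tell you whether a change is an expected deployment (matches the master) or something to investigate.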