It all depends on your use case to define the risk vs effort.
I work in a cyber security role, yet my personal laptop has minimal security, because it doesn't need it. Am I keeping military secrets on it? No. Does it contain bank records? No. So no full disk encryption, no app sandboxing, no AV scanning.
My work laptop... well, that's a different case altogether.
My advice: do 1 thing at a time and make sure you understand it. For example, do you need an SSH server on a desktop device? Just disable it and that's it secured. No need for additional jails, fail2ban, firewalls, etc... now it's easier to maintain, which improves your overall security posture.
Have a look at Lynis and CIS-CAT, etc. to audit your system... if it's vulnerable and you don't use it, remove it.
That's why I use Arch... it only has the components you need.