• chkrootkit+rkhunter = and don't need any kaspersky.
  
• Add security updates to the lists of repositories, regularly roll out updates (usually in graphical mode, she herself offers), update when new versions of the OS are released (best of all, a month after the release). Unlike RH-like ones, here you can update the version on the go, even without rebooting (then it would be nice to reboot somehow to make the new kernel work).
  
• For reinsurance - if there are any services such as mail (for receiving), ssh, vnc, etc., then disable ssh login with a password (only a key), set fail2ban.
  
• You can also logwatch / logcheck to make it easier to look at the logs (they themselves will tell you about everything non-standard / suspicious). SELinux / apparmor - optional, because if you set it up once, then you need to disable / edit it for each system sneeze, which can be annoying.
  

Once a neophyte came to the master of the teaching and said:
Teacher, I am tormented by doubts. When I professed the Windows way, I had antiviruses, and firewalls, and registry cleaners, and other utilities that protected me. Now, I feel defenseless against the dangers of the Internet.
Then the teacher tied his shoelaces and told him to run!
What does this mean, Master?
When a house is initially well designed, there is no point in additional props.
And then the neophyte knew Zen.

Yes, everything is normal there with security by default. Just do not hang too much on open ports and update on time.

Like it or not, security in Linux is sometimes worse than in Windows. Therefore, it is recommended to install an antivirus. For example , Kaspersky Endpoint Security for Linux .

I'll suggest something strange:
- put a tench in the virtual machine, play around, scan, kill it (gently);
- when you understand how to handle it, put it on real hardware.

Everything is fine by default, as far as I know. You can safely click banners)

The firewall is by default, just inactive and optionally brought to the desired condition.
If sudo is set, you can get paranoid by reading /var/log/auth.log

The logs are all in /var/log, we look, we read. Do not open extra ports - and there will be happiness. In general, the network is full of descriptions of how to configure Linux in a relatively safe way. True, in any case, you need to understand what you are doing - well, you need it even in Windows ...

Elusive Joe...

in addition to what you already have - configure SELinux