The primary way to keep a system tight on Linux is to make sure you are using a distro that provides security updates quickly. Once a security bug is found, it is more likely that someone will find a way to exploit it. The second thing to do is to not run network services that you don't need. Having stuff installed is in and of itself nearly zero risk. There are few binaries left on any recent Linux/GNU distro that are setuid or setgid (permissions marking a file to run with higher authority than the invoking task), and what few such binaries there are occur in basic packages (such as the login/password software) that you pretty much have to have.
All the stuff I do to keep my Windows tight, including hardware firewall, antivirus, hostsman hosts file, software firewall, registry fixer, spybot scanner, spyware scanner, rootkit revealer, popup blocker, startup manager, disk defrag, registry defrag, ... I mostly don't have on my Linux. On Linux I just have my shared hardware firewall, the iptables software firewall, a popup resistant browser, and the traditional choice of what services to startup at boot. And where I had to hunt down and separately download and where appropriate pay for the Windows tools, one at a time, all the Linux tools (except of course for the separate hardware firewall) all come in the distribution, with automatic security patch updates.
You can get a good idea of what is included in the SuSE manual by looking at the table of contents for last years SuSE 9.1 Linux Administration Manual, at: SUSE LINUX Administration Guide.
Now on to Ubuntu, I want to try the Gnome environment first I'll do a live then if that works an install. Thanks all.