Er, forgot to mention, I did have to run a mail server for a while and got attacked then. This was in the early late 1990s/early 2000s on dialup & a lousy ISP. They all 100% knew I was a windows box (because everything else is around here). They tried a succession of lame passwords and went away. So unless 'the dark side' can get at you, you should be good. I'm on webmail now.

When I was running (way back) an FTP site (not SFTP) for work, I'd see all kinds of hits from various parts of the world (mostly china ips). Part of the server software was ability to ban ips after so many username/password tries. Seemed to keep out all the badies for the years it was in service.

It is astonishing how the people who advice running without protection say that have never had a problem running that way, and everyone who says "some protection might be smart" can tell war stories. You get more proactive once you have been in the middle of a disaster.

Run without protection as long as you have no important data they might steal, nothing about losing the machine for a few days that would threaten you life, job, or sanity. Protection is in response to risk, and the people who best understand the risk are the ones with the war stories. The others do not know because they have not experienced it.

Asking up front, before you get into the pain and loss how to prevent it is SMART. Experience is a good teacher, but cruel! I advise looking into protections and deciding what to use based upon YOUR risks and YOUR usage, keeping in mind that there are a million script kiddies out there who love making trouble and stealing data to sell. Keep in mind also that all hardware WILL fail: and we cannot predict WHEN. SO I advise using what protections make sense for YOU. We cannot tell you what those are because we are not YOU. Backups make sense, as does a firewall at either the host or network level. You might also, if it is justified, look into some intrusion detection and Malware/AV protection. We cannot decide what protections you need, but we can tell you that there is an advantage in being smart!

Thing is, at home, in my case, I have no 'server' type services exposed to the internet (that I know of) on my Linux machines. A big difference than a work server that serves files to the world (ie. Welcoming the general public in to use your services). My internet exposure is the browser and email client on my Linux desktops/laptops. That's it. Pretty confident an anti-virus application isn't necessary in 'my' case. I use strong passwords too. The weak point in my mind is the apt/dnf update process as those files are just fed to you and you don't know what's in them. Really trusting the distro maintainers to keep bogus code out....

At home, for close to 30 years on Linux, I never used an AV and have never has an issue. In the windows sense, there are no real "viruses" on systems link Linux. You do have trojans and maybe people getting in through ssh or things like the recent xz backdoor.

As long as you do not surf the WEB as root, you should be OK. Also be very careful on what you download and install, you never know what random people put in them.

At work, we were forced to use AV on our Linux Workstations. I asked around and as I figured, AV on Linux was used to protect people on Windows. A Linux person could forward off an email with a Windows Virus to someone on Windows. So your mail server should probably examine emails for viruses.

HTH

Personally, as a home user, I think that having no online servers is a key to security. There's also /etc/hosts.allow & /etc/hosts.deny which can be configured to exclude what you choose. There's guys probably running nmap on every ipv4 IP to scan for open ports. If you're behind a router, they have to go to the bother of hacking that before they find out if you're vulnerable.

Whenever someone says they ran without AV for years with no problem, I hear this little voice form the background calling "...that you KNEW about...".

DDOS agents LOVE being told their malware caused no problem and was not noticed.