I am using linux for 5 years. In these 5 years I was just a normal user but learn many things. I am a web developer. There is a guy owning a website. Unfortunately his site is under attack continuously (last day 3000 Gb ddos ) . He asked me for help. I suggest him to migrate his site from windows server to linux. I can help with site application security.
Now I need to learn all about linux security.
suggest me good books and tutorials. and how I practice security.
I need whole package

I don't mean to be negative, but what makes you think that "site application security" or a migration to Linux will solve this problem?

Depending on how much of a problem downtime is for that site owner he should really get support from someone who is experienced with this kind of issue, and that's probably exactly what you should be recommending.
He might also want to invest in ddos mitigation infrastructure, but this is more a financial problem than anything you'd likely be able to help him with...

That said, I find the Arch wiki site on security pretty good, but it's not going to help with ddos attacks.

You are more likely to find anything useful regarding that if you search with terms such as "apache hardening" or "apache security". Just did it and e.g. this this article came up. It also has a section (mod_evasive) that talks about ddos.

Good luck

Need some advice from Linux SysAdmins: where is the best place to start?
Security References

Indeed the OS he is using for the servers has little bearing on the effectiveness of the DDOS attack (except in the case of ancient unpatched OS). First read about DDOS:
https://en.wikipedia.org/wiki/Denial-of-service_attack

In general, if you have handled DDOS attacks in the past, then you can offer your services. If you have not, then get someone who has. Although some DDOS attacks can be easily fixed by reconfiguring the firewall, others are highly adaptive and will take an expert to keep at bay.