A standard Ubuntu install should not activate network services that are accessible via the internet.
You can check via (for tcp):
netstat -lntp
Similar for udp, but udp does not distinguish between ports opened for listening or sending.
Thus, an iptables configuration is not necessary.
A bit off-topic perhaps, since the following concerns you in any case (it does not matter if you are behind a router):
- consider disabling Flash (since the Flash plugin has a big history of hilarious security problems)
- consider disabling the Java plugin (if enabled) and enabling it only for certain sites (not as many security-related problems in the past as Flash, but a few)
And, sure, you probably know that, but anyways: Always work as a normal user as far as possible. Don't use Firefox etc. as root ...
An example netstat -lntp output:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      935/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1811/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1755/exim4
tcp6       0      0 :::22                   :::*                    LISTEN      935/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      1811/cupsd
The 127.0.0.1 entries are harmless, because those programs only listen on the local network interface.
sshd is an example of a service that listens on all available interfaces (0.0.0.0, i.e. including the one the cable internet modem is connected to) - but usually you have good passwords or disable password authentication and only use public-key.
Anyways, IIRC sshd is not installed by default.
The last two interfaces regard IPv6. ::1 is the address of the loopback device (like 127.0.0.1 in IPv4), thus safe. ::: is the IPv6 all network interface wildcard analog to 0.0.0.0 (IPv4).
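The loopback-versus-wildcard reading of `netstat -lntp` output described above, as an added shell example (not part of the original answer). The function names `classify_listeners` and `sample_netstat` are hypothetical, and the sample input is the output quoted in the answer.

```shell
#!/bin/sh
# Added example: classify `netstat -lntp` listeners by bind address.
# Reads netstat output on stdin and prints one line per TCP listener:
#   EXPOSED <addr:port> <program>  bound to a wildcard or non-loopback address
#   LOCAL   <addr:port> <program>  bound to loopback only (127.x.x.x or ::1)
classify_listeners() {
    awk '
    $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
        local_addr = $4
        # PID/Program column; netstat prints "-" when not run as root.
        prog = ($7 == "" ? "-" : $7)
        # Strip the trailing :port to get the bind address,
        # e.g. ":::22" -> "::" and "::1:631" -> "::1".
        addr = local_addr
        sub(/:[0-9]+$/, "", addr)
        if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./)
            print "LOCAL", local_addr, prog
        else
            print "EXPOSED", local_addr, prog
    }'
}

# Sample input: the netstat output quoted in the answer above.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 935/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1811/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1755/exim4
tcp6 0 0 :::22 :::* LISTEN 935/sshd
tcp6 0 0 ::1:631 :::* LISTEN 1811/cupsd
EOF
}

# Run against the sample; EXPOSED lines are the ones worth reviewing.
sample_netstat | classify_listeners
```

On a live system, pipe `sudo netstat -lntp` into `classify_listeners` instead of the sample.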
"Safe" is always relative. You are safe from stuff messing with your operating system. But you are not safe from everything else:
- malicious SSL certificates
- "man in the middle" attacks
- hardware keylogger
- social hacking
- hacks that happened during your session for the rest of the uptime of your live system
...
In theory, one could mount your partitions and store data on them. But this data would have to be read again after the next reboot, which would require a different hack.
There are some hacks that write themselves into the master boot record (MBR) of your hard drives, meaning that the attack starts before the operating system starts. With a CD, that should be impossible. With the USB stick, I am not too sure.
So you are safer than before, but you are not "safe" in an absolute sense.
Best Answer
Things to consider:
How well known is the site? For example, was it a random blog covered in ads, was it a random user on some forum, or was it a well known, respected site?
What does it claim to install? For example, does it claim to install a kernel or an iconset, but is it only 1MB big?
How "important" is it that you have the contents of this .deb?
Ways to test things securely:
I use arkose (it's in the standard repos) sandboxing with my debs (and other things) - use it something like this:
sudo arkose -n -c "cd $PWD; $SHELL"
What that does is give me a "sandbox" (otherwise known as "YAY I CAN SCREW UP!") with copy-on-write access to everything on my computer, including my home directory - so if the nasty nasty .deb does sudo rm -rf /*, I DON'T LOSE ANY DATA!
Another thing that isn't stressed enough is MAKE BACKUPS. Those are extremely helpful, and we have many questions on the topic.
In short, just make sure you think about it, and don't just download a random deb and install it.