How to Block USB Storage Devices in Linux Servers?


USB storage devices have become ubiquitous in our technology-driven world, but they also pose a significant security threat to organizations. Attackers can exploit these devices to introduce malware, steal sensitive data, or gain unauthorized access to a network.

To protect Linux servers against such attacks, administrators can take proactive measures by blocking USB storage devices. This article will delve into the various ways to accomplish this, including the benefits of each approach and the necessary steps to implement them. After reading this article, readers will be equipped with the knowledge to disable USB storage devices and secure their Linux servers.

In the following sections, we walk through the step-by-step process for each method of blocking USB storage devices.

Method 1: Using udev Rules

The udev system in Linux is like a manager for devices and their files. By using udev rules, we can stop the kernel from creating device files for USB storage devices, which effectively blocks them from being used. Here's how −

Step 1 − Create a udev rule file

To create a rule to block USB storage devices, you need to create a new file in the "/etc/udev/rules.d/" directory. The file can be named anything, but for this example, we'll name it "99-block-usb-storage.rules". You can create the file using any text editor, including nano or vi.

sudo nano /etc/udev/rules.d/99-block-usb-storage.rules

Step 2 − Add the udev rules

Add the following lines to the newly created file −

SUBSYSTEMS=="usb", ACTION=="add", ATTRS{idVendor}=="****", ATTRS{idProduct}=="****", RUN+="/bin/sh -c 'echo 0 > /sys$env{DEVPATH}/authorized'"

The rule is written in the form of an if-then statement: if the subsystem is USB, the action is "add" (a USB device is connected), and the vendor and product IDs match the specified values, then the command in the RUN parameter is executed. In this case, the command is "echo 0 > /sys$env{DEVPATH}/authorized", which de-authorizes the device so that no driver binds to it and the kernel creates no device nodes for it. (Writing 1 to the same file would authorize the device instead.)

Replace the "****" with the vendor and product IDs of the USB storage devices that you want to block. You can obtain these IDs by running the "lsusb" command. For example, if you want to block all USB storage devices with vendor ID "0781" and product ID "5567", the rule should be:

SUBSYSTEMS=="usb", ACTION=="add", ATTRS{idVendor}=="0781", ATTRS{idProduct}=="5567", RUN+="/bin/sh -c 'echo 0 > /sys$env{DEVPATH}/authorized'"

Step 3 − Reload the udev rules

After saving the file, reload the udev rules by running −

sudo udevadm control --reload-rules
sudo udevadm trigger

The "udevadm control" command is used to reload the rules, and the "udevadm trigger" command is used to reapply the rules to the currently connected devices.

Step 4 − Test the rule

Insert a USB storage device with the vendor and product IDs specified in the rule. The kernel should not create device nodes for the device. You can confirm this by running the "lsblk" command.

If the device is successfully blocked, it will not show up in the list of block devices returned by the "lsblk" command. If the device is not blocked, make sure to check that the vendor and product IDs in the udev rule match those of the USB storage device.
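To check the result in sysfs rather than through lsblk alone, the following added example (not part of the original article) reads the "authorized" attribute of every device with the given IDs; a de-authorized device reads 0. The function names and the sample tree are constructed for illustration; on a real server, pass /sys as the first argument.

```shell
#!/bin/sh
# fake_usb_dev ROOT NAME VID PID AUTH: build one constructed sysfs device entry.
fake_usb_dev() {
    d="$1/bus/usb/devices/$2"
    mkdir -p "$d"
    echo "$3" > "$d/idVendor"
    echo "$4" > "$d/idProduct"
    echo "$5" > "$d/authorized"
}

# usb_auth_state ROOT VID PID
# Prints "<device> <authorized>" for each USB device under ROOT (normally /sys)
# whose IDs match. Succeeds only if a match exists and every match reads 0.
usb_auth_state() {
    root=$1
    # sysfs prints IDs in lowercase hex, so normalise the arguments.
    vid=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    pid=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    found=0 bad=0
    for dev in "$root"/bus/usb/devices/*; do
        # Interface entries such as 1-1:1.0 have no idVendor file; skip them.
        [ -r "$dev/idVendor" ] || continue
        [ "$(cat "$dev/idVendor")" = "$vid" ] || continue
        [ "$(cat "$dev/idProduct")" = "$pid" ] || continue
        state=$(cat "$dev/authorized")
        echo "${dev##*/} $state"
        found=1
        [ "$state" = "0" ] || bad=1
    done
    [ "$found" -eq 1 ] && [ "$bad" -eq 0 ]
}

# Demo on a constructed tree: one blocked stick, one that slipped through.
demo=$(mktemp -d)
fake_usb_dev "$demo" 1-1 0781 5567 0
fake_usb_dev "$demo" 1-2 0781 5567 1
if usb_auth_state "$demo" 0781 5567; then
    echo "all matching devices blocked"
else
    echo "NOT all matching devices blocked"
fi
rm -rf "$demo"
```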

Method 2: Blacklisting USB Storage Modules

Another way to block USB storage devices is by blacklisting the USB storage modules. This method prevents the kernel from loading the modules responsible for managing USB storage devices. Here's how:

Step 1 − Identify the USB storage modules

Identify the modules responsible for USB storage devices by running the following command −

lsmod | grep usb_storage

This command will list all currently loaded kernel modules, and the "grep" command will filter the output to only show modules that contain the string "usb_storage." The output should look something like this −

usb_storage            77824  0

This output shows that the "usb_storage" module is currently loaded.

Step 2 − Blacklist the modules

Create a new file named "blacklist-usb-storage.conf" in the "/etc/modprobe.d/" directory and add the following lines to the file −

blacklist usb_storage

This will blacklist the "usb_storage" module, preventing it from being loaded the next time the system boots up.

Step 3 − Update the initramfs

Update the initramfs to apply the changes by running the following command −

sudo update-initramfs -u

The initramfs (initial RAM filesystem) is a temporary file system that's loaded into memory during the boot process. By updating the initramfs, we ensure that the blacklisted module is not loaded during the boot process.

Step 4 − Reboot the system

Reboot the system to ensure that the blacklisted modules are not loaded. After the system has rebooted, you can confirm that the "usb_storage" module is not loaded by running the "lsmod" command again:

lsmod | grep usb_storage

If the module is blacklisted correctly, the output should be blank.
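A "blacklist" line only stops the module from being loaded automatically through its aliases; a load requested by name, such as "sudo modprobe usb_storage", still succeeds. The added example below (not part of the original article) audits a modprobe.d directory for both the "blacklist" line and an "install usb_storage /bin/false" override, a modprobe.d directive that replaces the load with a failing command. The function name and the sample files are constructed for illustration.

```shell
#!/bin/sh
# usb_storage_policy [DIR]
# Scans DIR/*.conf (default /etc/modprobe.d) and prints
# "blacklist=<yes|no> install_override=<yes|no>" for the usb_storage module.
usb_storage_policy() {
    dir=${1:-/etc/modprobe.d}
    cat "$dir"/*.conf 2>/dev/null | awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        { name = $2; gsub(/-/, "_", name) }      # modprobe treats - and _ alike
        name != "usb_storage" { next }
        $1 == "blacklist" { bl = 1 }
        # "install <module> <command>": modprobe runs the command instead of
        # loading the module, so /bin/false or /bin/true prevents the load.
        $1 == "install" && $3 ~ /\/(false|true)$/ { inst = 1 }
        END {
            printf "blacklist=%s install_override=%s\n",
                   (bl ? "yes" : "no"), (inst ? "yes" : "no")
        }'
}

# Demo on a constructed modprobe.d directory.
demo=$(mktemp -d)
printf '# constructed sample\nblacklist usb-storage\n' \
    > "$demo/blacklist-usb-storage.conf"
usb_storage_policy "$demo"
printf 'install usb_storage /bin/false\n' > "$demo/disable-usb-storage.conf"
usb_storage_policy "$demo"
rm -rf "$demo"
```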

Method 3: Using the USBGuard Utility

USBGuard is a tool that can be used to enforce USB device policies. It can block or allow USB devices based on predefined policies. Here's how to use USBGuard to block USB storage devices:

Step 1 − Install USBGuard

The first step is to install the USBGuard utility on your Linux server. USBGuard is available in most Linux distributions' default repositories. To install USBGuard, run the command given below −

sudo apt-get install usbguard

This command installs the USBGuard package and its dependencies on a Debian-based Linux distribution. If you're using a different Linux distribution, the command may vary.

Step 2 − Create a policy

After installing USBGuard, you need to create a rule to block USB storage devices. USBGuard uses a rules file to define policies for USB devices. Create a new rules file by running the following command −

sudo nano /etc/usbguard/rules.conf

This command creates a new file named "rules.conf" in the "/etc/usbguard/" directory.

Add the following lines to the file to block USB storage devices −

# Block USB Storage Devices
block with-interface one-of { 08:*:* }

This policy blocks all USB storage devices: the rule matches any device that exposes an interface of USB class 08 (mass storage).

Step 3 − Start the USBGuard service

You can start the USBGuard service by executing the command given below.

sudo systemctl start usbguard

This command starts the USBGuard service and applies the rules defined in the "rules.conf" file.

Step 4 − Enable the USBGuard service

Enable the USBGuard service to start automatically at boot time by running the following command.

sudo systemctl enable usbguard

This command enables the USBGuard service and ensures that it starts automatically on system boot.

Step 5 − Verify the USBGuard policy

To verify that USBGuard is blocking USB storage devices, insert a USB storage device into the server. You should receive a notification that the device was blocked by USBGuard.

usbguard-daemon[PID]: Policy violation in device: ... (device blocked)

You can also view the status of the USBGuard service by running the following command −

sudo systemctl status usbguard

This command displays the status of the USBGuard service, including any policy violations.
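To audit the policy beyond a single test insertion, the added example below (not part of the original article) filters "usbguard list-devices" output for devices that are allowed even though they expose a mass-storage (class 08) interface. It assumes the one-line rule-style format that command prints (number, target, "id", then attributes); the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# allowed_storage_devices: reads `usbguard list-devices` output on stdin and
# prints "<number> <vid:pid>" for each device whose target is "allow" and whose
# with-interface attribute lists a class 08 (mass storage) interface.
allowed_storage_devices() {
    awk '
    $2 == "allow" && $3 == "id" {
        num = $1; sub(/:$/, "", num)
        ifaces = $0
        # Keep only the text after the with-interface keyword.
        if (!sub(/.* with-interface /, "", ifaces)) next
        n = split(ifaces, tok, " ")
        for (i = 1; i <= n; i++)
            if (tok[i] ~ /^08:/) { print num, $4; break }
    }'
}

# Constructed sample output (not captured from a real system).
sample_devices() {
cat <<'EOF'
7: allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" hash "AAAA" parent-hash "BBBB" via-port "usb1" with-interface 09:00:00
9: block id 0781:5567 serial "4C53" name "Cruzer Blade" hash "CCCC" parent-hash "AAAA" via-port "1-2" with-interface 08:06:50
11: allow id 0951:1666 serial "E0D5" name "DataTraveler 3.0" hash "DDDD" parent-hash "AAAA" via-port "1-3" with-interface { 08:06:50 08:06:62 }
12: allow id 046d:c31c serial "" name "USB Keyboard" hash "EEEE" parent-hash "AAAA" via-port "1-4" with-interface { 03:01:01 03:00:00 }
EOF
}

# Any line printed here is a storage device the policy still lets through.
sample_devices | allowed_storage_devices
```

On a live system, run "sudo usbguard list-devices | allowed_storage_devices"; empty output means no allowed device exposes a storage interface.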

Conclusion

In conclusion, there are several ways to block USB storage devices on Linux servers, such as using udev rules, blacklisting the USB storage kernel module, or utilizing the USBGuard utility. By implementing these methods, you can enhance the security of your system and protect it from potential threats introduced through USB devices. It is important to regularly review and update your security measures to ensure that your Linux server remains secure.

Updated on: 26-Jul-2023
