How to Block USB Storage Devices in Linux Servers?

USB storage devices have become ubiquitous in our technology-driven world, but they also pose a significant security threat to organizations. Attackers can exploit these devices to introduce malware, steal sensitive data, or gain unauthorized access to a network.

To protect Linux servers against such attacks, administrators can take proactive measures by blocking USB storage devices. This article will delve into the various ways to accomplish this, including the benefits of each approach and the necessary steps to implement them. After reading this article, readers will be equipped with the knowledge to disable USB storage devices and secure their Linux servers.

In the subsequent section of this article, we will get you through the step-by-step process for every method available to block USB storage devices.

Method 1: Using udev Rules

The udev system in Linux is like a manager for devices and their files. By using udev rules, we can stop the kernel from creating device files for USB storage devices, which effectively blocks them from being used. Here's how 

Step 1 − Create a udev rule file

To create a rule to block USB storage devices, you need to create a new file in the "/etc/udev/rules.d/" directory. The file can be named anything, but for this example, we'll name it "99-block-usb-storage.rules". You can create the file using any text editor, including nano or vi.

sudo nano /etc/udev/rules.d/99-block-usb-storage.rules

Step 2 −  Add the udev rules

Add the following lines to the newly created file −

SUBSYSTEMS=="usb", ACTION=="add", ATTRS{idVendor}=="****", ATTRS{idProduct}=="****", RUN+="/bin/sh -c 'echo 1 > /sys$env{DEVPATH}/authorized'"

The rule is written in the form of an if-then statement. It means if the subsystem is USB, and the action is "add" (a USB storage device is connected), and the vendor and product IDs match the specified values, then the command in the RUN parameter is executed. In this case, the command is "echo 1 > /sys$env{DEVPATH}/authorized", which prevents the kernel from creating device nodes for the device.

Replace the "****" with the vendor and product IDs of the USB storage devices that you want to block. You can obtain these IDs by running the "lsusb" command. For example, if you want to block all USB storage devices with vendor ID "0781" and product ID "5567", the rule should be:

SUBSYSTEMS=="usb", ACTION=="add", ATTRS{idVendor}=="0781", ATTRS{idProduct}=="5567", RUN+="/bin/sh -c 'echo 1 > /sys$env{DEVPATH}/authorized'"

Step 3  Reload the udev rules

After saving the file, reload the udev rules by running −

sudo udevadm control --reload-rules
sudo udevadm trigger

The "udevadm control" command is used to reload the rules, and the "udevadm trigger" command is used to reapply the rules to the currently connected devices.

Step 4  Test the rule

Insert a USB storage device with the vendor and product IDs specified in the rule. The kernel should not create device nodes for the device. You can confirm this by running the "lsblk" command.

If the device is successfully blocked, it will not show up in the list of block devices returned by the "lsblk" command. If the device is not blocked, make sure to check that the vendor and product IDs in the udev rule match those of the USB storage device.

Method 2: Blacklisting USB Storage Modules

Another way to block USB storage devices is by blacklisting the USB storage modules. This method prevents the kernel from loading the modules responsible for managing USB storage devices. Here's how:

Step 1  Identify the USB storage modules

Identify the modules responsible for USB storage devices by running the following command −

lsmod | grep usb_storage

This command will list all currently loaded kernel modules, and the "grep" command will filter the output to only show modules that contain the string "usb_storage." The output should look something like this 

usb_storage            77824  0

This output shows that the "usb_storage" module is currently loaded.

Step 2  Blacklist the modules

Create a new file named "blacklist-usb-storage.conf" in the "/etc/modprobe.d/" directory and add the following lines to the file −

blacklist usb_storage

This will blacklist the "usb_storage" module, preventing it from being loaded the next time the system boots up.

Step 3  Update the initramfs

Update the initramfs to apply the changes by running the following command −

sudo update-initramfs -u

The initramfs (initial RAM filesystem) is a temporary file system that's loaded into memory during the boot process. By updating the initramfs, we ensure that the blacklisted module is not loaded during the boot process.

Step 4  Reboot the system

Reboot the system to ensure that the blacklisted modules are not loaded. After the system has rebooted, you can confirm that the "usb_storage" module is not loaded by running the "lsmod" command again:

lsmod | grep usb_storage

If the module is blacklisted correctly, the output should be blank.

Method 3: Using the USBGuard Utility

USBGuard is a tool that can be used to enforce USB device policies. It can block or allow USB devices based on predefined policies. Here's how to use USBGuard to block USB storage devices:

Step 1 − Install USBGuard

The first step is to install the USBGuard utility on your Linux server. USBGuard is available in most Linux distributions' default repositories. for installing USBGuard, run the command given below 

sudo apt-get install usbguard

This command installs the USBGuard package and its dependencies on a Debian-based Linux distribution. If you're using a different Linux distribution, the command may vary.

Step 2  Create a policy

After installing USBGuard, you need to create a rule to block USB storage devices. USBGuard uses a rules file to define policies for USB devices. Create a new rules file by running the following command 

sudo nano /etc/usbguard/rules.conf

This command creates a new file named "rules.conf" in the "/etc/usbguard/" directory.

Add the following lines to the file to block USB storage devices −

# Block USB Storage Devices
deny allow id-*:* storage

This policy will deny all USB storage devices.

Step 3  Start the USBGuard service

You can start the USBGuard service by executing the command given below.

sudo systemctl start usbguard

This command starts the USBGuard service and applies the rules defined in the "rules.conf" file.

Step 4  Enable the USBGuard service

Enable the USBGuard service to start automatically at boot time by running the following command.

sudo systemctl enable usbguard

This command enables the USBGuard service and ensures that it starts automatically on system boot.

Step 5  Verify the USBGuard policy

To verify that USBGuard is blocking USB storage devices, insert a USB storage device into the server. You should receive a notification that the device was blocked by USBGuard.

usbguard-daemon[PID]: Policy violation in device: ... (device blocked)

You can also view the status of the USBGuard service by running the following command 

sudo systemctl status usbguard

This command displays the status of the USBGuard service, including any policy violations.


In conclusion, there are several ways to block USB storage devices on Linux servers, such as using the udev rule, modifying the fstab file, or utilizing the USBGuard utility. By implementing these methods, you can enhance the security of your system and protect it from potential threats introduced through USB devices. It is important to regularly review and update your security measures to ensure that your Linux server remains secure.

Updated on: 26-Jul-2023


Kickstart Your Career

Get certified by completing the course

Get Started