How to Block USB Storage Devices in Linux Servers?

USB storage devices have become ubiquitous in our technology-driven world, but they also pose a significant security threat to organizations. Attackers can exploit these devices to introduce malware, steal sensitive data, or gain unauthorized access to a network.

To protect Linux servers against such attacks, administrators can take proactive measures by blocking USB storage devices. This article will delve into the various ways to accomplish this, including the benefits of each approach and the necessary steps to implement them.

Method 1: Using udev Rules

The udev system in Linux manages devices and their device files. With a udev rule, we can deauthorize USB storage devices as they are added by writing 0 to the device's authorized attribute in sysfs, so no block device is created for them and they cannot be used.

Step 1 - Create a udev rule file

Create a new file in the /etc/udev/rules.d/ directory. For this example, we'll name it 99-block-usb-storage.rules.

sudo nano /etc/udev/rules.d/99-block-usb-storage.rules

Step 2 - Add the udev rule

Add the following rule to block all USB storage devices:

SUBSYSTEM=="usb", DRIVERS=="usb-storage", ACTION=="add", RUN+="/bin/sh -c 'echo 0 > /sys$env{DEVPATH}/authorized'"

For specific devices, obtain vendor and product IDs using lsusb and create targeted rules:

SUBSYSTEMS=="usb", ACTION=="add", ATTRS{idVendor}=="0781", ATTRS{idProduct}=="5567", RUN+="/bin/sh -c 'echo 0 > /sys$env{DEVPATH}/authorized'"

Step 3 - Reload udev rules

Apply the new rules by reloading the udev configuration:

sudo udevadm control --reload-rules
sudo udevadm trigger

Step 4 - Test the rule

Insert a USB storage device and verify it's blocked using:

lsblk

If successful, the USB device will not appear in the block device list.

Method 2: Blacklisting USB Storage Modules

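This method prevents the kernel from automatically loading the module responsible for managing USB storage devices. A blacklist entry only stops automatic loading; the module can still be loaded with an explicit modprobe.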

Step 1 - Identify USB storage modules

Check which USB storage modules are currently loaded:

lsmod | grep usb_storage
usb_storage            77824  0

Step 2 - Blacklist the modules

Create a blacklist configuration file:

sudo nano /etc/modprobe.d/blacklist-usb-storage.conf

Add the following line to blacklist the USB storage module:

blacklist usb_storage

Step 3 - Update initramfs

Update the initial RAM filesystem so the blacklist also applies during early boot (update-initramfs is the Debian/Ubuntu tool):

sudo update-initramfs -u

Step 4 - Reboot and verify

Reboot the system and confirm the module is not loaded:

sudo reboot
lsmod | grep usb_storage

If successful, the output should be blank.

Method 3: Using USBGuard Utility

USBGuard is a comprehensive tool for enforcing USB device policies, allowing fine-grained control over USB device access.

Step 1 - Install USBGuard

Install USBGuard on Debian/Ubuntu systems:

sudo apt-get update
sudo apt-get install usbguard

For Red Hat/CentOS systems:

sudo yum install usbguard

Step 2 - Create USBGuard policy

Generate an initial policy based on currently connected devices. The redirection has to run as root as well, so the whole command is wrapped in sh -c:

sudo sh -c 'usbguard generate-policy > /etc/usbguard/rules.conf'

Edit the rules file to add USB storage blocking:

sudo nano /etc/usbguard/rules.conf

Add this rule to block all USB storage devices:

# Block USB Storage Devices
block with-interface 08:*:*

Step 3 - Start and enable USBGuard

Start the USBGuard service:

sudo systemctl start usbguard
sudo systemctl enable usbguard

Step 4 - Verify USBGuard status

Check the service status and test by inserting a USB storage device:

sudo systemctl status usbguard
usbguard list-devices

Blocked devices will show as block in the device list.
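
The verification steps of the three methods each look at one piece of state; the script below checks that state in one pass by reading modprobe.d, /proc/modules and the sysfs authorized attribute of class-08 (mass storage) interfaces. It is an added example, not part of the original article. The function names, the optional ROOT argument, the uas module and the stricter "install <module> /bin/false" modprobe.d directive it recognizes are assumptions not shown above.

```shell
#!/bin/sh
# Added example. The optional ROOT argument is an assumption that lets the
# same checks run against a constructed directory tree instead of the live /.

# modprobe_state MODULE [ROOT]: prints install-override | blacklist-only | none
modprobe_state() {
    # Strip comments; modprobe treats '-' and '_' in module names alike.
    conf=$(cat "${2:-}"/etc/modprobe.d/*.conf 2>/dev/null | sed 's/#.*//; y/-/_/')
    if printf '%s\n' "$conf" |
        grep -Eq "^[[:space:]]*install[[:space:]]+$1[[:space:]]+(/usr)?/bin/(false|true)"; then
        echo install-override
    elif printf '%s\n' "$conf" | grep -Eq "^[[:space:]]*blacklist[[:space:]]+$1[[:space:]]*\$"; then
        echo blacklist-only   # an explicit modprobe or a dependency still loads it
    else
        echo none
    fi
}

# module_loaded MODULE [ROOT]: exit 0 if MODULE appears in /proc/modules
module_loaded() { grep -q "^$1 " "${2:-}/proc/modules" 2>/dev/null; }

# active_storage_ifaces [ROOT]: prints each class-08 interface still authorized
active_storage_ifaces() {
    for i in "${1:-}"/sys/bus/usb/devices/*:*; do
        [ "$(cat "$i/bInterfaceClass" 2>/dev/null)" = "08" ] || continue
        # No 'authorized' file (older kernels) is treated as authorized.
        [ "$(cat "$i/authorized" 2>/dev/null || echo 1)" = "0" ] || basename "$i"
    done
}

# usb_storage_audit [ROOT]: reports state; exit 1 if a storage interface is usable
usb_storage_audit() {
    for m in usb_storage uas; do   # uas also drives class-08 devices (not on the page)
        printf '%s: modprobe.d=%s' "$m" "$(modprobe_state "$m" "${1:-}")"
        if module_loaded "$m" "${1:-}"; then echo ' loaded=yes'; else echo ' loaded=no'; fi
    done
    ifaces=$(active_storage_ifaces "${1:-}")
    [ -z "$ifaces" ] && return 0
    echo "authorized mass-storage interfaces: $ifaces"
    return 1
}

if [ "${1:-}" = "audit" ]; then usb_storage_audit "${2:-}"; fi
```

Saved under a hypothetical name such as usb-storage-audit.sh, it is run with "sh usb-storage-audit.sh audit" and exits non-zero while any mass-storage interface is still authorized.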

Comparison of Methods

Method | Complexity | Granularity | Persistence | Best For
udev Rules | Medium | Device-specific | High | Blocking specific devices
Module Blacklisting | Low | System-wide | High | Complete USB storage blocking
USBGuard | High | Policy-based | High | Enterprise environments

Conclusion

Linux servers can be secured against USB storage threats using udev rules, module blacklisting, or the USBGuard utility. Each method offers different levels of granularity and complexity, allowing administrators to choose the most appropriate solution for their security requirements and operational needs.

Updated on: 2026-03-17T09:01:39+05:30
