{"id":12893,"date":"2019-03-29T01:25:55","date_gmt":"2019-03-29T01:25:55","guid":{"rendered":"http:\/\/www.appservgrid.com\/paw92\/?p=12893"},"modified":"2019-03-29T01:25:55","modified_gmt":"2019-03-29T01:25:55","slug":"how-to-block-usb-storage-devices-in-linux-servers","status":"publish","type":"post","link":"https:\/\/www.appservgrid.com\/paw92\/index.php\/2019\/03\/29\/how-to-block-usb-storage-devices-in-linux-servers\/","title":{"rendered":"How to Block USB Storage Devices in Linux Servers"},"content":{"rendered":"

In order to protect sensitive data extraction from servers by users who have physical access to machines, it\u2019s a best practice to disable all USB storage support in Linux kernel.<\/p>\n

In order to disable USB storage support, we first need to identify if the storage driver is loaded into Linux kernel and the name of the driver (module<\/strong>) responsible with storage driver.<\/p>\n

Run the\u00a0lsmod command<\/strong>\u00a0to list all loaded kernel drivers and filter the output via\u00a0grep command<\/a>\u00a0with the search string \u201cusb_storage<\/strong>\u201d.<\/p>\n

# lsmod | grep usb_storage\r\n<\/pre>\n
\n
\"List<\/a><\/p>\n
List USB Storage Drivers<\/p>\n<\/div>\n
From\u00a0lsmod<\/strong>\u00a0command, we can see that the\u00a0sub_storage<\/strong>\u00a0module is in use by\u00a0UAS<\/strong>\u00a0module. Next, unload both USB storage modules from kernel and verify if the removal has been successfully completed, by issuing the below commands.<\/p>\n
# modprobe -r usb_storage\r\n# modprobe -r uas\r\n# lsmod | grep usb<\/pre>\n
Next, list the content of the current runtime kernel usb storage modules directory by issuing the below command and identify the\u00a0usb-storage<\/strong>\u00a0driver name. Usually this module should be named\u00a0usb-storage.ko.xz<\/strong>\u00a0or\u00a0usb-storage.ko<\/strong>.<\/p>\n
# ls \/lib\/modules\/`uname -r`\/kernel\/drivers\/usb\/storage\/\r\n<\/pre>\n
In order to block USB storage module form loading into kernel, change directory to kernel usb storage modules path and rename the\u00a0usb-storage.ko.xz<\/strong>\u00a0module to\u00a0usb-storage.ko.xz.blacklist<\/strong>, by issuing the below commands.<\/p>\n
# cd \/lib\/modules\/`uname -r`\/kernel\/drivers\/usb\/storage\/\r\n# ls\r\n# mv usb-storage.ko.xz usb-storage.ko.xz.blacklist\r\n<\/pre>\n
\n
\"Block<\/a><\/p>\n
Block USB Storage in Linux<\/p>\n<\/div>\n
In\u00a0Debian<\/strong>\u00a0based Linux distributions, issue the below commands to block\u00a0usb-storage<\/strong>\u00a0module from loading into Linux kernel.<\/p>\n
# cd \/lib\/modules\/`uname -r`\/kernel\/drivers\/usb\/storage\/ \r\n# ls\r\n# mv usb-storage.ko usb-storage.ko.blacklist\r\n<\/pre>\n
\n
\"Block<\/a><\/p>\n
Block USB in Debian and Ubuntu<\/p>\n<\/div>\n
Now, whenever you plug-in a USB storage device, the kernel will be fail to load the storage device driver intro kernel. To revert changes, just rename the usb module blacklisted back to its old name.<\/p>\n
# cd \/lib\/modules\/`uname -r`\/kernel\/drivers\/usb\/storage\/\r\n# mv usb-storage.ko.xz.blacklist usb-storage.ko.xz\r\n<\/pre>\n
However, this method applies only to runtime kernel modules. In case you want to blacklist USB storage modules form all available kernels in the system, enter each kernel module directory version path and rename the\u00a0usb-storage.ko.xz<\/strong>\u00a0to\u00a0usb-storage.ko.xz.blacklist<\/strong>.<\/p>\n
Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
In order to protect sensitive data extraction from servers by users who have physical access to machines, it\u2019s a best practice to disable all USB storage support in Linux kernel. In order to disable USB storage support, we first need to identify if the storage driver is loaded into Linux kernel and the name of … <\/p>\n
Continue reading “How to Block USB Storage Devices in Linux Servers”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-12893","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/12893","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/comments?post=12893"}],"version-history":[{"count":1,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/12893\/revisions"}],"predecessor-version":[{"id":12894,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/12893\/revisions\/12894"}],"wp:attachment":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/media?parent=12893"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/categories?post=12893"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/tags?post=12893"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}