By default, when you plug an external USB storage device into a computer running Linux, it will automatically mount, allowing the user to access the contents.
This behaviour can be less than ideal from a security perspective, as it can allow an attacker to copy confidential files, or allow a user to run a malicious script stored on the USB device, for example.
With some simple configuration changes we can disable USB storage in Linux for unprivileged users.
In this example we are working with CentOS 7.
Disabling USB Storage With Modprobe
To disable USB storage, create the following file and edit it with your favourite text editor.
/etc/modprobe.d/usb-storage.conf
Within this file, add the following line.
install usb-storage /bin/true
After saving that line to the /etc/modprobe.d/usb-storage.conf file, you will need to perform a reboot to complete the process. After rebooting, if you plug in a USB storage device you should not be able to access it.
In previous versions of Linux this was set within the /etc/modprobe.conf file; however, in CentOS 7 this is deprecated and a separate file must exist within the /etc/modprobe.d directory instead.
While this file exists with this specific content, modprobe will run /bin/true instead of loading the usb-storage module, so modprobe will not be able to load it. However, a root user can still use the insmod command to manually load the module if required. Unprivileged users should no longer be able to use USB mass storage devices.
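The shell script below is an added example, not part of the original article: it checks that a modprobe.d directory contains the override described above and that the usb_storage module is not already loaded, which is the state before the reboot or after root has used insmod. The function names, exit codes and sample data are assumptions made for this illustration, and requiring every install line to point at /bin/true or /bin/false is a deliberately conservative choice.

```shell
#!/bin/sh
# Added example (not from the original article): audit the modprobe override.

# Succeeds only if DIR/*.conf holds at least one "install usb-storage" line
# and every such line runs /bin/true or /bin/false instead of the module.
# modprobe treats "-" and "_" in module names as the same character.
override_configured() {
    cat "$1"/*.conf 2>/dev/null | awk '
        $1 ~ /^#/ { next }                      # skip comment lines
        $1 == "install" && $2 ~ /^usb[-_]storage$/ {
            seen = 1
            if (NF != 3 || $3 !~ /^\/bin\/(true|false)$/) bad = 1
        }
        END { exit !(seen && !bad) }'
}

# Succeeds if the module list (format of /proc/modules) shows usb_storage.
module_loaded() {
    awk '$1 == "usb_storage" { found = 1 } END { exit !found }' "$1"
}

# Returns 0 = blocked, 1 = override missing or ineffective,
#         2 = override present but the module is loaded right now.
audit_usb_storage() {
    conf_dir=${1:-/etc/modprobe.d}
    modules=${2:-/proc/modules}
    if ! override_configured "$conf_dir"; then
        echo "FAIL: no effective 'install usb-storage' override in $conf_dir"
        return 1
    fi
    if module_loaded "$modules"; then
        echo "WARN: override present, but usb_storage is currently loaded"
        return 2
    fi
    echo "OK: override present and usb_storage is not loaded"
}

# Constructed sample input: the article's line plus a fake /proc/modules entry,
# as seen before the reboot or after root loaded the module with insmod.
demo=$(mktemp -d)
printf 'install usb-storage /bin/true\n' > "$demo/usb-storage.conf"
printf 'usb_storage 77824 0 - Live 0x0000000000000000\n' > "$demo/modules"
audit_usb_storage "$demo" "$demo/modules" || echo "exit status: $?"
rm -rf "$demo"
```

Called with no arguments, audit_usb_storage reads /etc/modprobe.d and /proc/modules on the running system.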
Summary
By simply creating the /etc/modprobe.d/usb-storage.conf file containing ‘install usb-storage /bin/true’ and performing a reboot of the system, we can prevent access to USB storage devices for unprivileged user accounts, which can increase system security against certain physical attack vectors.
If I shut down the PC and then start the PC, the above command doesn’t work on my system (Ubuntu 16.04 LTS).
It works only if I restart my PC, but once it is shut down it doesn’t work anymore.
What happens when you run it when it doesn’t work? Do you get any error messages?
This actually helped me ENABLE USB storage, because this exists by default in the CentOS 7 installation I had. Thank you very much for posting this! I searched high and low and no one had an answer…
Thanks,
It worked out in Ubuntu 16.04.
No problem, great to hear!
No problem, great to hear!
I think it will be /bin/false, not /bin/true.
Great help, thank you.
How can I write this in YAML format?