By default when you plug in an external USB storage device into a computer running Linux it will automatically mount, allowing the user to access the contents.
This behaviour can be less than ideal from a security perspective, as it can allow an attacker to copy confidential files, or allow a user to run a malicious script stored on the USB device for example.
With some simple configuration changes we can disable USB storage in Linux for unprivileged users.
In this example we are working with CentOS 7.
Disabling USB Storage With Modprobe
To disable USB storage, create the following file and edit it with your favourite text editor.
Within this file, add the following line.
install usb-storage /bin/true
After saving that line to the /etc/modprobe.d/usb-storage.conf file you will need to perform a reboot to complete the process. After rebooting if you plug in a USB storage device you should not be able to access it.
In previous versions of Linux this was set within the /etc/modprobe.conf file, however in CentOS 7 this is deprecated and a unique file must exist within the /etc/modprobe.d directory instead.
While this file exists with this specific content modprobe will not be able to load the usb-storage module, however a root user can still use the insmod command to manually load the module if required. Unprivileged users should not be able to use USB mass storage devices any longer.
By simply creating the /etc/modprobe.d/usb-storage.conf file, containing ‘install usb-storage /bin/true’ inside and performing a reboot of the system, we can prevent access to USB storage devices for unprivileged user accounts which can increase system security against certain physical attack vectors.