How To Disable USB Storage Devices In Linux

By default, when you plug an external USB storage device into a computer running Linux, it will automatically mount, allowing the user to access the contents.

This behaviour can be less than ideal from a security perspective: for example, it can allow an attacker to copy confidential files, or allow a user to run a malicious script stored on the USB device.

With some simple configuration changes we can disable USB storage in Linux for unprivileged users.

In this example we are working with CentOS 7.

Disabling USB Storage With Modprobe

To disable USB storage, create the following file and edit it with your favourite text editor.

/etc/modprobe.d/usb-storage.conf

Within this file, add the following line.

install usb-storage /bin/true

After saving that line to the /etc/modprobe.d/usb-storage.conf file, you will need to reboot to complete the process. After rebooting, if you plug in a USB storage device you should not be able to access it.

In previous versions of Linux this was set within the /etc/modprobe.conf file; in CentOS 7 this is deprecated, and a unique file must exist within the /etc/modprobe.d directory instead.

While this file exists with this specific content, modprobe will not be able to load the usb-storage module. However, a root user can still use the insmod command to manually load the module if required. Unprivileged users should no longer be able to use USB mass storage devices.
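To confirm the setting is actually in effect, the following added example (not part of the original article) checks both that the install override exists and that the module is not already loaded, which covers the pending-reboot case and a module loaded manually by root. The function names are hypothetical; the script assumes the kernel's /proc/modules listing and modprobe's treatment of "-" and "_" in module names as equivalent.

```shell
#!/bin/sh
# Added example: audit the usb-storage override described in this article.

# Print each *.conf file in directory $1 that holds an
# "install usb-storage <cmd>" line with /bin/true or /bin/false as the
# command (either one stops modprobe from loading the module).
find_usb_storage_override() {
    dir=$1
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*install[[:space:]]+usb[-_]storage[[:space:]]+/bin/(true|false)([[:space:]]|$)' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Return 0 if usb_storage is listed in the /proc/modules-style file $1.
usb_storage_loaded() {
    grep -Eq '^usb_storage[[:space:]]' "$1"
}

# Run both checks; return 0 only if the override exists and the module
# is not loaded. Arguments default to the live system paths.
audit_usb_storage() {
    conf_dir=${1:-/etc/modprobe.d}
    modules=${2:-/proc/modules}
    status=0
    if [ -z "$(find_usb_storage_override "$conf_dir")" ]; then
        echo "FAIL: no install override for usb-storage in $conf_dir"
        status=1
    fi
    if usb_storage_loaded "$modules"; then
        echo "FAIL: usb_storage is loaded (reboot pending or loaded manually)"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: usb-storage is blocked and not loaded"
    return "$status"
}

# Audit the live system only when asked to: sh script.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_usb_storage
fi
```

On a configured system, `modprobe -n -v usb-storage` should also print the install command from the file rather than an insmod line.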

Summary

By simply creating the /etc/modprobe.d/usb-storage.conf file containing ‘install usb-storage /bin/true’ and rebooting the system, we can prevent access to USB storage devices for unprivileged user accounts, which can increase system security against certain physical attack vectors.

  1. If I shut down the PC and then start the PC, then the above command doesn’t work on my system (Ubuntu 16.04 LTS).

    It works only if I restart my PC, but once it is shut down it doesn’t work anymore.

  2. Joseph Dalrymple

    This actually helped me ENABLE USB storage, because this exists by default in the CentOS 7 installation I had. Thank you very much for posting this! I searched high and low and no one had an answer…

  3. Thanks,
    It worked out in Ubuntu 16.04.

  4. I think it will be /bin/false, not /bin/true.

  5. Great help, thank you.

  6. How can I write this in YAML format?
