How to use Linux's built-in USB attack protection

Worried over malicious USB sticks? Linux has you covered with USBGuard.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

There are USB sticks that will destroy your computer, USB sticks loaded with spyware, and even official enterprise USB sticks that shipped infected with malware. Last, but never least, when it comes to stealing data from a computer, you can't beat a USB stick. Hardware such as the USG USB stick firewall can protect you, and if you're a Linux user, USBGuard lets you decide which USB devices the system will talk to at all.

As anyone who has watched a TV show in which the heroes sneak sensitive data off a computer on a USB stick knows, Windows and Mac machines are easy prey for USB-borne tools. In the real world, Linux-based live-boot distributions such as Tails make this easy. USBGuard can stop such devices from being used on a running Linux system. Note that booting a machine from a live USB bypasses the running OS altogether, so that path has to be closed in firmware (USB boot disabled, firmware password set), not by USBGuard.

USBGuard, as current stable Linux kernel maintainer Greg Kroah-Hartman recently pointed out, has been around for over a decade. For some reason, this user-space tool, which provides access control to USB devices, is not well known. It should be. It's a great addition to anyone needing to protect a Linux desktop or server.

This software framework is designed expressly to protect your computer against rogue USB devices by implementing basic whitelisting and blacklisting based on device attributes: vendor and product ID, name, serial number, the port it is plugged into, a hash of its descriptors, and the interface types it exposes. It lets you lock down every USB device from user space.

USBGuard is not installed by default, to the best of my knowledge, on any major Linux distribution. But you can install USBGuard on any Linux using the source code. It's also available packaged up for easy deployment for Red Hat Linux family distributions in the Extra Packages for Enterprise Linux (EPEL) repository and in the Ubuntu universe repositories since the release of Ubuntu 16.10.

Once installed, the daemon's behaviour is set in /etc/usbguard/usbguard-daemon.conf. Among other things, that file points at the rules file (RuleFile, /etc/usbguard/rules.conf by default) and sets the ImplicitPolicyTarget, the action applied when no rule matches. When a USB device or hub is plugged in, the daemon walks the rules in order; the first matching rule decides whether the device is authorized (allow), de-authorized (block), or removed (reject).

A rule's id attribute (a vendor:product pair such as 1050:0011) lets you allow exactly the devices you approve and block or reject anything else someone tries to pop into a slot. A rule's via-port attribute lets you refuse whatever shows up on a given port, which effectively disables ports that should stay empty.

To start protecting your system, use the usbguard command-line tool's generate-policy sub-command to create an initial policy instead of writing one from scratch. It emits an allow rule for every device currently connected to the system, each pinned by default to the device's IDs, serial number, port, descriptor hash and interfaces.

To do this, follow this example:

$ sudo usbguard generate-policy > rules.conf
$ vi rules.conf    (review/modify the rule set; every device you rely on, keyboard included, should be listed)
$ sudo install -m 0600 -o root -g root rules.conf /etc/usbguard/rules.conf
$ sudo systemctl restart usbguard

Once in place, you can get remarkably specific. For instance:

allow id 1050:0011 name "Yubico Yubikey II" serial "0001234567" via-port "1-2" hash "044b5e168d40ee0245478416caf3d998"
reject via-port "1-2"

The first rule authorizes that one YubiKey, identified by vendor/product ID, name, serial number and descriptor hash, and only while it sits on port 1-2; the second rejects anything else that appears on that port. A device on any other port matches neither rule and gets the daemon's ImplicitPolicyTarget (block by default), so this pair does not by itself allow the key elsewhere or say anything about what other ports accept. Order matters: put the reject rule first and the key would be rejected too.
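The matching described above (rules scanned in order, first match wins, implicit target otherwise) and the allow-everything-present output of generate-policy, as an added example in Python that is not USBGuard's own code. It models only the attributes this article uses and exact-match comparisons; real USBGuard rules also support with-interface, parent-hash, conditions and more, which are left out. The device records and hash values are constructed sample data, not real descriptor hashes.

```python
"""Added example (not USBGuard's own code): a small model of how the
USBGuard daemon walks rules.conf. Rule lines use the real rule syntax,
but this evaluator understands only the attributes the article uses
(id, name, serial, via-port, hash) and only exact matches. All devices
below are constructed sample data."""
import shlex

TARGETS = ("allow", "block", "reject")
SUPPORTED = ("id", "name", "serial", "via-port", "hash")


def parse_rule(line):
    """Parse one rule line into (target, {attribute: value}); None for blank/comment."""
    tokens = shlex.split(line, comments=True)
    if not tokens:
        return None
    target, attrs = tokens[0], tokens[1:]
    if target not in TARGETS:
        raise ValueError(f"unknown rule target {target!r} in: {line!r}")
    if len(attrs) % 2:
        raise ValueError(f"attribute without a value in: {line!r}")
    conds = {}
    for key, value in zip(attrs[::2], attrs[1::2]):
        if key not in SUPPORTED:
            raise ValueError(f"attribute {key!r} not modelled here: {line!r}")
        conds[key] = value
    return target, conds


def parse_policy(text):
    """Parse a whole rules file, keeping rule order (order is significant)."""
    return [r for r in map(parse_rule, text.splitlines()) if r is not None]


def evaluate(policy, device, implicit="block"):
    """First matching rule wins; with no match the daemon falls back to
    ImplicitPolicyTarget from usbguard-daemon.conf (modelled by `implicit`).
    Returns (target, index of the deciding rule or None)."""
    for index, (target, conds) in enumerate(policy):
        if all(device.get(key) == value for key, value in conds.items()):
            return target, index
    return implicit, None


def generate_policy(present_devices):
    """Rough equivalent of `usbguard generate-policy`: one allow rule per
    device that is present now, pinned to id, name, serial, port and hash."""
    lines = []
    for d in present_devices:
        lines.append(
            f'allow id {d["id"]} name "{d["name"]}" serial "{d["serial"]}" '
            f'via-port "{d["via-port"]}" hash "{d["hash"]}"'
        )
    return "\n".join(lines) + "\n"


# The article's two rules, one per line as the daemon expects them.
PAGE_RULES = """
allow id 1050:0011 name "Yubico Yubikey II" serial "0001234567" via-port "1-2" hash "044b5e168d40ee0245478416caf3d998"
reject via-port "1-2"
"""

# Constructed devices; the hash values are placeholders, not real descriptor hashes.
YUBIKEY = {"id": "1050:0011", "name": "Yubico Yubikey II", "serial": "0001234567",
           "via-port": "1-2", "hash": "044b5e168d40ee0245478416caf3d998"}
YUBIKEY_MOVED = dict(YUBIKEY, **{"via-port": "1-3"})  # same key, different port
YUBIKEY_CLONE = dict(YUBIKEY, hash="0000000000000000000000000000dead")  # spoofed IDs, wrong descriptors
STICK_ON_1_2 = {"id": "0781:5567", "name": "Cruzer Blade", "serial": "4C530001",
                "via-port": "1-2", "hash": "f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0"}
STICK_ON_2_1 = dict(STICK_ON_1_2, **{"via-port": "2-1"})


def page_verdicts(implicit="block"):
    """Verdict for each sample device under the article's rule set."""
    policy = parse_policy(PAGE_RULES)
    return {
        "yubikey": evaluate(policy, YUBIKEY, implicit),
        "yubikey_moved": evaluate(policy, YUBIKEY_MOVED, implicit),
        "yubikey_clone": evaluate(policy, YUBIKEY_CLONE, implicit),
        "stick_1-2": evaluate(policy, STICK_ON_1_2, implicit),
        "stick_2-1": evaluate(policy, STICK_ON_2_1, implicit),
    }


if __name__ == "__main__":
    for name, verdict in page_verdicts().items():
        print(f"{name:14s} -> {verdict}")
    print(generate_policy([YUBIKEY, STICK_ON_2_1]))
```

Running the script prints the verdict for each sample device: the genuine key on port 1-2 is allowed, the same key on port 1-3 falls through to the implicit block, and a clone that copies the IDs and serial but not the descriptor hash hits the reject rule. Reversing the two rules makes the key hit the reject rule first, which is why a generated allow list is kept above any port-wide reject rules.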

So, if you don't want your servers or PCs leaking data to James Bond -- or some kid with a USB stick -- installing and mastering USBGuard is a must.
