How to Block access of USB and CD/DVD in Debian and Derivatives

Now a days Security is an area where no compromise should be allowed at all. It doesn’t matters if you are using office, home or any other system, security is must in order to prevent unauthorized access or virus exposure. The most suspected area to intrusion is USB port as it is used in excess. USB ports are used for data transfers and other network connections also. Someone may also try to steal your data using Pen drives or so through USB ports, or may malfunction your system by exposing it to viruses and malware. Thus it is important to be safe from any intrusion and unauthorized access. In order to be secure you must lock USB ports in your systems.

As a Linux admin unlike other administrators, terminal is always my first choice, so i started with the terminal first.

Use the file system permissions to block the usb and CD-ROM devices.genarally all the removable disks are mount at /media.

To block:
sudo chmod 700 /media

This can be allow the root user only mount the removable disks not the normal users.

To unblock that use the following command.

To unblock:
sudo chmod 755 /media

The other method is using blacklist feature, this feature can be configured in blacklist.conf file

In Ubuntu or Debian-based operating systems, open the Terminal and edit the blacklist.conf file located in /etc/modprobe.d/ directory.

Use the following command to edit the blacklist.conf file

sudo gedit /etc/modprobe.d/blacklist.conf

The content of file is as follows

# This file lists those modules which we don't want to be loaded by
# alias expansion, usually so some other driver will be loaded for the
# device instead.

# evbug is a debug tool that should be loaded explicitly
blacklist evbug

# these drivers are very simple, the HID drivers are usually preferred
blacklist usbmouse
blacklist usbkbd

# replaced by e100
blacklist eepro100

# replaced by tulip
blacklist de4x5

# causes no end of confusion by creating unexpected network interfaces
blacklist eth1394

# snd_intel8x0m can interfere with snd_intel8x0, doesn't seem to support much
# hardware on its own (Ubuntu bug #2011, #6810)
blacklist snd_intel8x0m

# Conflicts with dvb driver (which is better for handling this device)
blacklist snd_aw2

# causes failure to suspend on HP compaq nc6000 (Ubuntu: #10306)
blacklist i2c_i801

# replaced by p54pci
blacklist prism54

# replaced by b43 and ssb.
blacklist bcm43xx

# most apps now use garmin usb driver directly (Ubuntu: #114565)
blacklist garmin_gps

# replaced by asus-laptop (Ubuntu: #184721)
blacklist asus_acpi

# low-quality, just noise when being used for sound playback, causes
# hangs at desktop session start (Ubuntu: #246969)
blacklist snd_pcsp

# ugly and loud noise, getting on everyone's nerves; this should be done by a
# nice pulseaudio bing (Ubuntu: #77010)
blacklist pcspkr

# EDAC driver for amd76x clashes with the agp driver preventing the aperture
# from being initialised (Ubuntu: #297750). Blacklist so that the driver
# continues to build and is installable for the few cases where its
# really needed.
blacklist amd76x_edac

Add the following two lines at the end of the file

# Block access to USB
blacklist usb_storage

Save the file and close it, then restart your system. Now your USB ports are disabled.

To enable the usb ports once again open the file and delete these lines or comment as follows.

# Block access to USB
#blacklist usb_storage

This can enable the Usb ports in your system.

One more simple method to add the usb-storage to blacklist files is as follows

modprobe -r usb-storage
echo blacklist usb-storage >> /etc/modprobe.d/blacklist

For CD-ROM simply remove the user from the ‘cdrom’ group. Then the user should not be able to access it.

Enjoy! Have a fun with Linux


One Response

  1. PascalLeBell

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

We use cookies to give you the best online experience. By agreeing you accept the use of cookies in accordance with our cookie policy.