How To Protect USB Ports in Linux
How to protect USB ports through BIOS protection, and we show you how to use, install and validate USBguard in Linux.
One of the hardware components that are essential when performing multiple tasks in any operating system is the USB ports since in them we can connect hundreds of devices that have this type of connection such as USB memories, digital cameras, mobile devices and many more.
Protect BIOS in Linux
The first step that we can take as users or system administrators is to protect the system startup, or boot, with a password, as this way, if the machine should be left free for a period of time, we will prevent unauthorized persons from having The access to the information.
If we want to establish a password at the start of the operating system we must restart, or start if the computer is turned off, the system and press the keys “Esc”, “F2”, “Delete” or the one indicated by the manufacturer to access to the BIOS. Once there we go to the “Security” tab and go to the “Password on Boot” line:
For this option to be active we must define a password in the line “Set User Password”.
Pressing “Enter” on this line will display the following option where we will select the “Enabled” option. Once the password is enabled, press the “F10” key to save the changes.
In this way when the system starts we will see the following:
How To Use & Install USBGuard on Linux
Now, one of the best applications to protect Linux environments at the USB port level since USBGuard has been designed to help protect the computer against dangerous USB devices by implementing basic white lists and blacklisting capabilities based on the attributes of the USB port. USB device.
These malicious USB devices are also known as BadUSB.
For the installation of USBGuard in Linux as we have mentioned we will use Ubuntu 17.04 and for this we will execute the following:
sudo apt install usbguard
To start the authorization process of a USB device through USBGuard we will execute the following lines:
sudo usbguard generate-policy > rules.conf sudo nano rules.conf
Once we access the file we will see the following:
In these lines all the devices that are currently connected to the equipment will be added and authorized.
We can eliminate or comment on the lines of the devices that we do not want to authorize.
To authorize a device we will execute the following lines:
sudo install -m 0600 -o root -g root rules.conf /etc/usbguard/rules.conf sudo systemctl restart usbguard
How To Verify USBGuard in Linux
At this time any USB device that we connect will be detected, but it will not work. To list the connected USB devices we will execute the following:
There we can see the USB device that we have connected, Kingston Digital.
To add this device to the list of allowed devices we will go to the following file:
sudo nano /etc/usbguard/rules.conf
There we must add the ID of the USB device to be authorized in the final part of the file:
Save the changes using the following keys Ctrl + O and exit the editor using the keys Ctrl + X.
We must restart the USBGuard service by running:
sudo systemctl restart usbguard
Now simply disconnect and reconnect the USB and we can access it from the browser as usual.
So Linux will allow the execution of the devices that comply with the ID that we have added, otherwise they will be rejected.
We have seen how we have practical options to add security options at the USB port level in Linux environments.