Linux – Disable all USB devices but keyboard/mouse/flash-drive

kernel-moduleslinuxredhatusbvmware-esxi

For security reasons, I would like to make sure no USB device can be connected to my servers running RHEL3 except keyboards, mice and flash drives. To sum up :

What should work :

Mouse
Keyboard
USB storage device

What shouldn't work :

Printer
USB modem/NIC
Wifi dongle
anything else

Is there any other way than removing according kernel drivers ? If not, which files should be kept in order to keep functionality of accepted devices?

Side-note : some hosts are VMware VMs running on ESXi 4.1 or 5.0. That may be important since I think they may emulates important USB devices (I think about virtual DVD drives which I could need)

Best Answer

You can easily force and disable USB storage devices under any Linux distribution. The modprobe program used for automatic kernel module loading and can be configured to not load the USB storage driver upon demand. This will prevent the modprobe program from loading the usb-storage module, but will not prevent root (or another program) from using the insmod program to load the module manually.

Type the following command:

echo 'install usb-storage : ' >> /etc/modprobe.conf

You can also remove USB Storage driver, enter:

ls /lib/modules/$(uname -r)/kernel/drivers/usb/storage/usb-storage.ko

mv /lib/modules/$(uname -r)/kernel/drivers/usb/storage/usb-storage.ko /root

BIOS option

You can also disable USB from system BIOS configuration option. Make sure BIOS is password protected.

Grub option

You can get rid of all USB devices by disabling kernel support for USB via GRUB. Open grub.conf or menu.lst (Under Debian / Ubuntu Linux) and append "nousb" to the kernel line as follows:

kernel /vmlinuz-2.6.18-128.1.1.el5 ro root=LABEL=/ console=tty0 console=ttyS1,19200n8 nousb

Save and close the file. Once done just reboot the system:

reboot

Source

Related Solutions

Linux – How to make Windows 7 USB flash install media from Linux

OK, after unsuccessfully trying all methods mentioned here, I finally got it working. Basically, the missing step was to write a proper boot sector to the USB stick, which can be done from Linux with ms-sys or lilo -M. This works with the Windows 7 retail version.

Here is the complete rundown again:

Install ms-sys - if it is not in your repositories, get it here. Or alternatively, make sure lilo is installed (but do not run the liloconfig step on your local box if e.g. Grub is installed there!)

Check what device your USB media is assigned - here we will assume it is /dev/sdb. Delete all partitions, create a new one taking up all the space, set type to NTFS (7), and remember to set it bootable:

# cfdisk /dev/sdb or fdisk /dev/sdb (partition type 7, and bootable flag)

Create an NTFS filesystem:

# mkfs.ntfs -f /dev/sdb1

Write Windows 7 MBR on the USB stick (also works for windows 8), multiple options here:

# ms-sys -7 /dev/sdb
or (e.g. on newer Ubuntu installs) sudo lilo -M /dev/sdb mbr (info)
or (if syslinux is installed), you can run sudo dd if=/usr/lib/syslinux/mbr/mbr.bin of=/dev/sdb

Mount ISO and USB media:

# mount -o loop win7.iso /mnt/iso
# mount /dev/sdb1 /mnt/usb

Copy over all files:

# cp -r /mnt/iso/* /mnt/usb/ ...or use the standard GUI file-browser of your system

Call sync to make sure all files are written.

Open gparted, select the USB drive, right-click on the file system, then click on "Manage Flags". Check the boot checkbox, then close.

...and you're done.

After all that, you probably want to back up your USB media for further installations and get rid of the ISO file... Just use dd: # dd if=/dev/sdb of=win7.img

Note, this copies the whole device! — which is usually (much) bigger than the files copied to it. So instead I propose

# dd count=[(size of the ISO file in MB plus some extra MB for boot block) divided by default dd blocksize] if=/dev/sdb of=win7.img

Thus for example with 8 M extra bytes:

# dd count=$(((`stat -c '%s' win7.iso` + 8*1024*1024) / 512)) if=/dev/sdb of=win7.img status=progress

As always, double check the device names very carefully when working with dd.

The method creating a bootable USB presented above works also with Win10 installer iso. I tried it running Ubuntu 16.04 copying Win10_1703_SingleLang_English_x64.iso (size 4,241,291,264 bytes) onto an 8 GB USB-stick — in non-UEFI [non-secure] boot only. After execution dd reports: 8300156+0 records in 8300156+0 records out 4249679872 bytes (4.2 GB, 4.0 GiB) copied, 412.807 s, 10.3 MB/s

Reverse if/of next time you want to put the Windows 7 installer onto USB.

Recovering Bad USB Flash Drive

(Commands posted here work on UNIX systems as that's how I solve most of these types of problems)

Before doing much, I would make a copy of the current state of the Flash drive:

$ cat /dev/sdc > drivedump or: $ dd if=/dev/sdc of=drivedump bs=4k conv=noerror

Substitute sdc with the address of your drive. You can try to figure out what it should be by putting it in, and typing:

$ dmesg | less

And seeing what was created at the end. Should be /dev/sd and is probably the lowest letter that exists.

If the memory is going bad, you want to get everything off of it ASAP before it gets worse. If not, a copy won't hurt when you run tools on it.

Now that you have a copy of the drive, you have to figure out what got mangled. You can see if fdisk has some idea what the partition looked like:

/sbin/fdisk -l drivedump

If it gets very confused, you have a partition failure of some kind: you have to rebuild the partition table of the file. If it knows exactly what's up and it all looks right (one partition, and it's the size of the stick) then you can try mounting it to see if it works. If you're missing tons of files after mounting it, you can run any of the usual suspects of file recovery tools. I don't know what they are, but someone else can help with that :)

Make copies of that dump every time you mess with it... you don't want a tool to hose your only copy.