USB Killer devices can fry USB ports and destroy your motherboard by charging capacitors from the USB port and increasing the voltage. This cycle repeats until the host dies. Protecting the USB ports on Linux computers therefore helps minimize these risks.
Basic Knowledge
Before elaborating on various methods to protect USB ports on Linux computers, familiarize yourself with these simple rules:
- Never plug in a USB drive you find lying around.
- Avoid randomly connecting USB drives to your computer.
- You can ask trusted individuals (friends or colleagues) to send data files through cloud services.
Establish BIOS protection password
If your computer lacks security settings, getting into it is relatively straightforward. An attacker could create a bootable USB drive, boot your computer from it, and access all unencrypted files and data on your device.
On Windows computers, you can skip user passwords and use a Basic Input Output System (BIOS) password for protection instead. This password must be entered before the boot options appear.
Each manufacturer has a different way to access the BIOS, so refer to the manufacturer's documentation for your computer. Typically, you enter the BIOS by repeatedly pressing the Delete key during startup. The option to set a BIOS password is found in the Security section.
USBGuard Utility
If you don't have the habit of checking or monitoring your computer or server, you can use a utility called USBGuard to prevent attacks.
This utility is designed to protect your computer against rogue USB devices, an attack known as BadUSB. For instance, a USB device can emulate a keyboard and issue commands as the logged-in user, or mimic a network card and alter DNS settings on the computer to redirect traffic.
USBGuard blocks unauthorized USB devices using blacklist and whitelist features. The ideal setup is to allow only trusted USB devices to operate.
When you plug in a USB device or hub, USBGuard first scans the device. Then it checks its configuration file to see whether the device is allowed. USBGuard's standout feature is its use of functionality implemented directly in the Linux kernel.
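The kernel functionality in question is USB device authorization, which sysfs exposes as an `authorized` file per device. The following added example (not from the original article) reports that state for each device so you can confirm a device is really blocked; the sample tree it builds is constructed, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original article.
# The kernel exposes one directory per USB device under /sys/bus/usb/devices;
# its "authorized" file holds 1 (device usable) or 0 (device blocked).

# Print "<vendor>:<product> <authorized|blocked> <sysfs-name>" for every
# device under the sysfs root $1 (defaults to the real location).
usb_auth_report() {
    _root=${1:-/sys/bus/usb/devices}
    for _d in "$_root"/*; do
        # Interface entries such as 1-2:1.0 carry no idVendor file: skip them.
        [ -r "$_d/idVendor" ] && [ -r "$_d/idProduct" ] && [ -r "$_d/authorized" ] || continue
        read -r _vid < "$_d/idVendor"
        read -r _pid < "$_d/idProduct"
        read -r _auth < "$_d/authorized"
        if [ "$_auth" = "1" ]; then _state=authorized; else _state=blocked; fi
        printf '%s:%s %s %s\n' "$_vid" "$_pid" "$_state" "${_d##*/}"
    done
}

# Build a constructed stand-in for sysfs so the function can be tried
# without hardware: one authorized root hub and one blocked flash drive.
make_sample_sysfs() {
    _t=$(mktemp -d) || return 1
    mkdir -p "$_t/usb1" "$_t/1-2" "$_t/1-2:1.0"
    echo 1d6b > "$_t/usb1/idVendor"; echo 0002 > "$_t/usb1/idProduct"
    echo 1 > "$_t/usb1/authorized"
    echo 0781 > "$_t/1-2/idVendor"; echo 5151 > "$_t/1-2/idProduct"
    echo 0 > "$_t/1-2/authorized"
    echo 0 > "$_t/1-2:1.0/authorized"
    printf '%s\n' "$_t"
}

# Demo on the constructed tree; call usb_auth_report with no argument
# to inspect the real devices on a Linux host.
sample=$(make_sample_sysfs)
usb_auth_report "$sample"
rm -rf "$sample"
```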
If you're using Ubuntu 16.10 or later, you can install USBGuard with the command:
sudo apt install usbguard
If you're running an older version of Ubuntu, you can refer to GitHub for instructions on how to install USBGuard.
In the following guide, you'll learn how to authorize a device with a specific id. To start, use the command:
usbguard generate-policy > rules.conf
nano rules.conf
Review the generated policy. It authorizes everything currently plugged into the computer, so remove the entries for any devices you don't want to authorize. Then install the file and restart the service:
sudo install -m 0600 -o root -g root rules.conf /etc/usbguard/rules.conf
sudo systemctl restart usbguard
Device Verification
From now on, any other device connected to your computer won't function, even though the computer detects it. Plug in the USB drive and check the status of your devices by running lsusb, which lists all USB devices connected to the system. Note down the SanDisk id for later use.
Although devices are detected in Ubuntu, there are no signs of them being mounted.
To add these devices to the list of authorized devices, run the following command:
sudo nano /etc/usbguard/rules.conf
Next, add the SanDisk id to the rules.conf file to designate that device as one of the authorized devices.
Then restart the USBGuard service:
sudo systemctl restart usbguard
Now unplug the USB drive and plug it back in. USBGuard will check rules.conf, recognize the id as an authorized device, and allow the USB drive to operate.
Immediately, your device will be ready to use. This simple solution enables devices to function based on their id.
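The steps above (read the id from lsusb, add it to rules.conf), as an added example that is not part of the original article. It works on a scratch file and uses the `allow id` form that `usbguard generate-policy` emits; the lsusb text is constructed and the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original article. Sample lsusb text is constructed.
SAMPLE_LSUSB='Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 004: ID 0781:5151 SanDisk Corp. Cruzer Micro Flash Drive
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub'

# Succeeds only for a well-formed vendor:product id (four hex digits each).
valid_usb_id() {
    case "$1" in
        [0-9a-f][0-9a-f][0-9a-f][0-9a-f]:[0-9a-f][0-9a-f][0-9a-f][0-9a-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# Read lsusb output on stdin; print the id of each device whose
# description contains the substring $1.
lsusb_id() {
    while read -r _bus _busno _dev _devno _tag _id _desc; do
        [ "$_tag" = "ID" ] && valid_usb_id "$_id" || continue
        case "$_desc" in *"$1"*) printf '%s\n' "$_id" ;; esac
    done
}

# Append "allow id <id>" to rules file $1 unless an allow rule for that id
# already exists. Returns 2 without writing if $2 is not a valid id.
# USBGuard applies the first rule that matches, so an appended rule has no
# effect on ports covered by an earlier reject or block rule.
add_allow_rule() {
    valid_usb_id "$2" || return 2
    grep -Eq "^allow( id)? $2( |\$)" "$1" 2>/dev/null && return 0
    printf 'allow id %s\n' "$2" >> "$1"
}

# Demo on a scratch file (the real policy is /etc/usbguard/rules.conf).
scratch=$(mktemp)
usb_id=$(printf '%s\n' "$SAMPLE_LSUSB" | lsusb_id 'SanDisk')
add_allow_rule "$scratch" "$usb_id"
add_allow_rule "$scratch" "$usb_id"   # second call is a no-op
cat "$scratch"
rm -f "$scratch"
```

On a real host, pipe `lsusb` into `lsusb_id`, run `add_allow_rule` on a copy of the policy, and install the result with the `sudo install -m 0600` command shown earlier.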
To match one specific device rather than just an id, you can add rules like these to rules.conf:
allow id 0781:5151 name "SanDisk Corp. Cruzer Micro Flash Drive" serial "0001234567" via-port "1-2"
reject via-port "1-2"
The rules above allow only the one device matching that id, name and serial number, and only on a specific port. The reject rule refuses any other device plugged into that port.
Avoid Direct USB Connection
USBGuard can't protect you from the notorious USB Killer. What can you do if you control the USB ports but still need to plug a suspicious USB drive into your computer? A USB hub is the answer.
USB hubs have the advantage of being widely available and inexpensive. Instead of plugging USB devices directly into the computer, plug them into the ports on the hub. If the USB drive you plug in is a USB Killer, it will only destroy the USB hub while your computer remains safe.
Another option is to use USG. This device acts as a hardware firewall between suspicious USB devices and your computer. USG is compatible with mice, keyboards, and USB flash drives, helping to defend against BadUSB by filtering out dangerous activities and allowing necessary data to pass through.
Depending on your working environment, here are some ways to protect USB ports on Linux computers that Mytour has just introduced. If you're using the Windows operating system, you can also explore the best USB protection software to prevent virus and malware spreading, which could affect your system.
