Linux Disable USB Devices (Disable loading of USB Storage Driver)

by on March 16, 2009 · 32 comments· LAST UPDATED March 16, 2009

in , ,

In our research lab I'd like to disable all USB devices connected to our HP Red Hat Linux based workstations. I'd like to disable USB flash or hard drives, which users can use with physical access to a system to quickly copy sensitive data from it. How do I disable USB device support under RHEL 5.x workstation operating systems?

The USB storage drive automatically detects USB flash or hard drives. You can easily force and disable USB storage devices under any Linux distribution. The modprobe program used for automatic kernel module loading and can be configured to not load the USB storage driver upon demand. This will prevent the modprobe program from loading the usb-storage module, but will not prevent root (or another program) from using the insmod program to load the module manually.

Type the following command:
# echo 'install usb-storage : ' >> /etc/modprobe.conf

You can also remove USB Storage driver, enter:
# ls /lib/modules/$(uname -r)/kernel/drivers/usb/storage/usb-storage.ko
# mv /lib/modules/$(uname -r)/kernel/drivers/usb/storage/usb-storage.ko /root

BIOS option

You can also disable USB from system BIOS configuration option. Make sure BIOS is password protected.

Grub option

You can get rid of all USB devices by disabling kernel support for USB via GRUB. Open grub.conf or menu.lst (Under Debian / Ubuntu Linux) and append "nousb" to the kernel line as follows:

kernel /vmlinuz-2.6.18-128.1.1.el5 ro root=LABEL=/ console=tty0 console=ttyS1,19200n8 nousb

Save and close the file. Once done just reboot the system:
# reboot

TwitterFacebookGoogle+PDF versionFound an error/typo on this page? Help us!

{ 32 comments… read them below or add one }

1 Humberto Massa March 16, 2009 at 4:24 pm

Someone with physical access to the computer can still easily transfer the “sensitive” files to another computer or enable the USB by using a bootable media. I would not bother with “protection” that does not protect.

Reply

2 Liju March 17, 2009 at 10:14 am

I am using the same method to deny the access

Edit /etc/modprobe.conf
and added the entry
install usb_storage wall “Critical device malfunction! Drive will be formatted”
Save it

Reply

3 The Doctor April 25, 2009 at 2:04 am

@Humberto Massa:
“…by using a bootable media” which is then secured against via disabling BIOS Boot Order (Floppy/USB/CD, then HDD, etc.)+BIOS password. One could maintain the USB bridge active, however.

It’s accepted fact the majority of data theft occurs fr in-house, disgruntled employees. This HOW-TO keeps USB abilities for admins, but locks out users.

Troll attempt fail. Go back to 4chan.

Reply

4 hasan mubarak naqvi June 2, 2009 at 9:56 am

Can any one tell me how to get out of it means, I was able to disable the driver using the second option :

You can also remove USB Storage driver, enter:
# ls /lib/modules/$(uname -r)/kernel/drivers/usb/storage/usb-storage.ko
# mv /lib/modules/$(uname -r)/kernel/drivers/usb/storage/usb-storage.ko /root

But now I do not know how to enable it back

Reply

5 nixCraft June 2, 2009 at 10:55 am

Copy back driver and load drive into system:

mv /root/usb-storage.ko  /lib/modules/$(uname -r)/kernel/drivers/usb/storage/
modprobe usb-storage

Reply

6 chinmay July 15, 2011 at 6:46 am

I am using this command but Usb not blocking & when i put the pen drive is laptop showing the all files & folders.

what i will do ?

Reply

7 Mohanraj Subramaniam August 14, 2009 at 12:51 pm

insert the module by using insmod command.

insmod /lib/modules/$(uname -r)/kernel/drivers/usb/storage/
modprobe usb-storage.ko

Reply

8 hasan mubarak naqvi August 15, 2009 at 11:26 am

Thanks Mohan,
I will definitely try that out and let u know …..

Thanks alot again for the help.

Reply

9 ragesh December 8, 2009 at 6:07 am

dear sir,
how to disable pendrive in domain user ? please give me replay

Reply

10 Live July 26, 2010 at 1:59 am

This works great!

Reply

11 Live July 27, 2010 at 1:33 pm

This only works but after I restart my Lucid Lynx, the USB device storage is mounted again on the desktop.

I’ve already tried.

sudo gedit /etc/rc.local/

sudo rmmod usb_storage
sudo modprobe -r usb_storage

echo ‘install usb-storage : ‘ >> /etc/modprobe.conf

ls /lib/modules/$(uname -r)/kernel/drivers/usb/storage/usb-storage.ko
mv /lib/modules/$(uname -r)/kernel/drivers/usb/storage/usb-storage.ko /root

How do I really unmount it?

Nothing works for me!!!

Reply

12 JAS August 15, 2010 at 7:11 am

what OS & version is yours?

if ubuntu only what you have to do is:

ls /lib/modules/$(uname -r)/kernel/drivers/usb/storage/usb-storage.ko
mv /lib/modules/$(uname -r)/kernel/drivers/usb/storage/usb-storage.ko /root

reboot

after that you may check “dmsg” for any bugs accruing

Reply

13 Live October 21, 2010 at 7:45 am

Hi JAS, yes I’ve tried what you said, to REBOOT, but try this:

*assuming you’ve already DISABLED USB Storage Device AutoMount in Lucid Lynx*

1. Turn OFF computer
2. Insert any USB Storage Device
3. Turn ON computer & boot to your desktop
4. Wala! USB Storage Device is alive & kicking in there!

Reply

14 Live October 21, 2010 at 10:27 am

Nevermind, I solved it by:

sudo gconf-editor

Uncheck & Set As Default:

apps>nautilus>preferences>media_automount

Thanks. :)

Reply

15 Live October 24, 2010 at 12:27 pm

After sometime, none of this still worked for me, I tried to mount a Seagate USB external Hard Disk, and somehow it MOUNTED!

Ubuntu, what a shame.

So I though of a quick and dirty fix.

sudo chmod 000 /media

Try to mount your media you suckers. I kid, I kid.

Reply

16 vimal September 3, 2012 at 5:52 am

thanks… your command is very helpfull me

Reply

17 Live October 24, 2010 at 3:56 pm

So I guess, it’s a little TOO Extreme to 000 /media entirely.

Finally, after reading a lot of tutorials and howto’s. vivitek can you update your post. Really, this tutorial doesn’t work for me.

As it turns out, try leaving your usb device storage in your computer port and reboot, see that it will automount even though you’ve removed usb-storage.ko.

After further investigation, I found out the reason why, when I boot, I noticed usb_storage module is still Loaded, dunno, where the kernel gets it from, since I already removed it as stated in this tutorial.

Check it for yourself:

lsmod | grep usb

So I just inserted rmmod usb_storage in the /rc.local of my Ubuntu so it doesn’t get a module upon insertion, of course, remove also the usb-storage.ko from your kernel, beware, upon kernel NEW INSTALL, it will be back there again. So lock your kernel versions!

Whew.

Hope this is my final solution. Thanks.

Reply

18 Priyanka February 21, 2014 at 10:15 am

Hey thanks.. it works for me !!

Reply

19 Nima December 17, 2010 at 10:11 pm

thanks! but i cant disable usb storage with this way! i use debian, please help me! :-s

mv …. dont work!

Reply

20 Ganesh January 25, 2011 at 3:06 pm

sorry……
by just moving /lib/modules/2.6.18-164.el5/kernel/drivers/usb/storage/usb-storage.ko to /root doesnt work…..
i think there is something more to do……..
pls do rply if anyone has a sugession……..

Reply

21 Ganesh January 25, 2011 at 6:04 pm

ah… alas i found some simple way to get through…
For disabling using cmd——————————————
jst move the modules to some other location other than the default..
#mv /lib/modules/2.6.18-164.el5/kernel/drivers/usb/storage/usb-storage.ko /root(or to any other place)
this is for mass storage blocking….
for blocking other usb connections like netsetter etc use the cmd below
#mv /lib/modules/2.6.18-164.el5/kernel/drivers/usb/serial/usbserial.ko /root
2.6.18-164.el5 is my kernal version.. u could view ur version by #uname -r
For enabling—– do he revrse! bring the file back
#mv /root/usb-storage.ko /lib/modules/2.6.18-164.el5/kernel/drivers/usb/storage/usb-storage.ko
#mv /root/usbserial.ko /lib/modules/2.6.18-164.el5/kernel/drivers/usb/serial/usbserial.ko
After that type #modprobe -a usbserial
#modprobe -a usb_storage
————————SIMPLEST WAY IS TO BLOCK in GRUB——————————
Open the /etc/grub.conf and edit the kernal line and insert ‘nousb’
kernel /boot/vmlinuz-2.6.18-164.el5 ro root=LABEL=/ nousb rhgb quiet
#reboot
and U’r done……….
wen u need to enable just edit and remove ‘nousb’ and reboot
———————————ThankYou————————————————————–

Reply

22 ArunMohan January 31, 2011 at 10:31 am

Hey Ganesh, thanks.. Its working.. I think u have vast knowledge in linux. I would like to know more about linux.. how can i contact u??

Reply

23 Ganesh January 31, 2011 at 11:58 am

thnk u arun…..
do keep in touch…. post your doubts here……
we’l do the bst to slve them…….

Reply

24 dennis February 21, 2011 at 2:50 am

hi, guys.

to remove the driver, move it
# mv /lib/modules/$(uname -r)/kernel/drivers/usb/storage/usb-storage.ko /root

and update the initramfs
# update-initramfs -k all -c -v

after updating initramfs , surelly it will not reapear.

reboot

Reply

25 Burim Shala March 2, 2011 at 9:13 am

Worked for me using Grub Method ,it worked perfectly and i think it disabled also the USB Power ,cuz im not seeing Led’s lighted in my keyboard.

Reply

26 shweta April 14, 2011 at 4:51 pm

hey, i m using fedora & i want to block all the USB’s & give access to a particular usb device..
I tried changin kernel entries using grub command but it is completely blocking all the usbs
can anyone help me?

Reply

27 Amar February 16, 2012 at 6:35 am

#block only local user not a root
sudo chmod 700 /media

Reply

28 Josir May 2, 2013 at 4:38 pm

Best and more elegant solution of all.

Reply

29 razvi September 19, 2011 at 3:01 am

thnk u dennis

Reply

30 rupam September 27, 2011 at 11:05 am

i tried mv command to disable the usb.it worked but when i try to enable it using modprobe usb-storage or insmod command it fails.gives me warning with the previous as depreciated config file /etc/modprobe.conf ,all config files belong in /etc/modprobe.d
what to do?plz help me.its urgent

Reply

31 darrell February 10, 2012 at 7:56 am

None of these work, is there no proper site for Linux commands

Reply

32 Abdul Majid Mohammed January 15, 2014 at 7:46 am

I dont have that modprobe.conf file in my etc folder.

[abdmajid@oc2382561007 ~]$ ls /etc/ | grep -i modprobe
modprobe.d
[abdmajid@oc2382561007 ~]$ ls /etc/modprobe.d/
blacklist.conf disable-ipv6.conf dist-oss.conf iwlagn.conf
blacklist-kvm.conf dist-alsa.conf ibm-sound.conf iwlwifi.conf
blacklist-toshiba_acpi.conf dist.conf iwl3945.conf

Reply

Leave a Comment

Tagged as: , , , , , , , , , , , , , , ,

Previous Faq:

Next Faq: