Linux Disable USB Devices (Disable loading of USB Storage Driver)

last updated in Categories , , , , , , , , ,

In our research lab, would like to disable all USB devices connected to our HP Red Hat Linux based workstations. I would like to disable USB flash or hard drives, which users can use with physical access to a system to quickly copy sensitive data from it. How do I disable USB device support under CentOS Linux, RHEL version 5.x/6.x/7.x and Fedora latest version?

The USB storage drive automatically detects USB flash or hard drives. You can quickly force and disable USB storage devices under any Linux distribution. The modprobe program used for automatic kernel module loading. It can be configured not load the USB storage driver upon demand. This will prevent the modprobe program from loading the usb-storage module, but will not prevent root (or another privileged program) from using the insmod/modprobe program to load the module manually. USB sticks containing harmful malware may be used to steal your personal data. It is not uncommon for USB sticks to be used to carry and transmit destructive malware and viruses to computers. The attacker can target MS-Windows, macOS (OS X), Android and Linux based system.


usb-storage driver

The usb-storage.ko is the USB Mass Storage driver for Linux operating system. You can see the file typing the following command:
# ls -l /lib/modules/$(uname -r)/kernel/drivers/usb/storage/usb-storage.ko
All you have to do is disable or remove the usb-storage.ko driver to restrict to use USB devices on Linux such as:

  1. USB keyboards
  2. USB mice
  3. USB pen drive
  4. USB hard disk
  5. Other USB block storage

How to forbid to use USB-storage devices on using fake install method

Type the following command under CentOS or RHEL 5.x or older:
# echo 'install usb-storage : ' >> /etc/modprobe.conf
Please note that you can use : a shell builtin or /bin/true.
Type the following command under CentOS or RHEL 6.x/7.x or newer (including the latest version of Fedora):
# echo 'install usb-storage /bin/true' >> disable-usb-storage.conf
Save and close the file. Now the driver will not load. You can also remove USB Storage driver without rebooting the system, enter:
# modprobe -r usb-storage
# mv -v /lib/modules/$(uname -r)/kernel/drivers/usb/storage/usb-storage.ko /root/
#### verify it ###
# modinfo usb-storage
# lsmod | grep -i usb-storage
# lsscsi -H

Sample outputs:

Fig.01: How to disable USB mass storage devices on physical Linux system?
Fig.01: How to disable USB mass storage devices on physical Linux system?

Blacklist usb-storage

Edit /etc/modprobe.d/blacklist.conf, enter:
# vi /etc/modprobe.d/blacklist.conf
Edit or append as follows:

blacklist usb-storage

Save and close the file.

BIOS option

You can also disable USB from system BIOS configuration option. Make sure BIOS is password protected. This is recommended option so that nobody can boot it from USB.

Encrypt hard disk

Linux supports the various cryptographic techniques to protect a hard disk, directory, and partition. See "Linux Hard Disk Encryption With LUKS [ cryptsetup Command ]" for more info.

Grub option

You can get rid of all USB devices by disabling kernel support for USB via GRUB. Open grub.conf or menu.lst and append "nousb" to the kernel line as follows (taken from RHEL 5.x):

kernel /vmlinuz-2.6.18-128.1.1.el5 ro root=LABEL=/ console=tty0 console=ttyS1,19200n8 nousb

Make sure you remove any other reference to usb-storage in the grub or grub2 config files. Save and close the file. Once done just reboot the system:
# reboot
For grub2 use /etc/default/grub config file under Fedora / Debian / Ubuntu / RHEL / CentOS Linux. I strongly suggest that you read RHEL/CentOS grub2 config and Ubuntu/Debian grub2 config help pages.


Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

34 comment

  1. Someone with physical access to the computer can still easily transfer the “sensitive” files to another computer or enable the USB by using a bootable media. I would not bother with “protection” that does not protect.

  2. I am using the same method to deny the access

    Edit /etc/modprobe.conf
    and added the entry
    install usb_storage wall “Critical device malfunction! Drive will be formatted”
    Save it

  3. @Humberto Massa:
    “…by using a bootable media” which is then secured against via disabling BIOS Boot Order (Floppy/USB/CD, then HDD, etc.)+BIOS password. One could maintain the USB bridge active, however.

    It’s accepted fact the majority of data theft occurs fr in-house, disgruntled employees. This HOW-TO keeps USB abilities for admins, but locks out users.

    Troll attempt fail. Go back to 4chan.

  4. Can any one tell me how to get out of it means, I was able to disable the driver using the second option :

    You can also remove USB Storage driver, enter:
    # ls /lib/modules/$(uname -r)/kernel/drivers/usb/storage/usb-storage.ko
    # mv /lib/modules/$(uname -r)/kernel/drivers/usb/storage/usb-storage.ko /root

    But now I do not know how to enable it back

    1. Copy back driver and load drive into system:

      mv /root/usb-storage.ko  /lib/modules/$(uname -r)/kernel/drivers/usb/storage/
      modprobe usb-storage
      1. I am using this command but Usb not blocking & when i put the pen drive is laptop showing the all files & folders.

        what i will do ?

  5. insert the module by using insmod command.

    insmod /lib/modules/$(uname -r)/kernel/drivers/usb/storage/
    modprobe usb-storage.ko

  6. Thanks Mohan,
    I will definitely try that out and let u know …..

    Thanks alot again for the help.

  7. This only works but after I restart my Lucid Lynx, the USB device storage is mounted again on the desktop.

    I’ve already tried.

    sudo gedit /etc/rc.local/

    sudo rmmod usb_storage
    sudo modprobe -r usb_storage

    echo ‘install usb-storage : ‘ >> /etc/modprobe.conf

    ls /lib/modules/$(uname -r)/kernel/drivers/usb/storage/usb-storage.ko
    mv /lib/modules/$(uname -r)/kernel/drivers/usb/storage/usb-storage.ko /root

    How do I really unmount it?

    Nothing works for me!!!

  8. what OS & version is yours?

    if ubuntu only what you have to do is:

    ls /lib/modules/$(uname -r)/kernel/drivers/usb/storage/usb-storage.ko
    mv /lib/modules/$(uname -r)/kernel/drivers/usb/storage/usb-storage.ko /root


    after that you may check “dmsg” for any bugs accruing

  9. Hi JAS, yes I’ve tried what you said, to REBOOT, but try this:

    *assuming you’ve already DISABLED USB Storage Device AutoMount in Lucid Lynx*

    1. Turn OFF computer
    2. Insert any USB Storage Device
    3. Turn ON computer & boot to your desktop
    4. Wala! USB Storage Device is alive & kicking in there!

  10. Nevermind, I solved it by:

    sudo gconf-editor

    Uncheck & Set As Default:


    Thanks. :)

  11. After sometime, none of this still worked for me, I tried to mount a Seagate USB external Hard Disk, and somehow it MOUNTED!

    Ubuntu, what a shame.

    So I though of a quick and dirty fix.

    sudo chmod 000 /media

    Try to mount your media you suckers. I kid, I kid.

  12. So I guess, it’s a little TOO Extreme to 000 /media entirely.

    Finally, after reading a lot of tutorials and howto’s. vivitek can you update your post. Really, this tutorial doesn’t work for me.

    As it turns out, try leaving your usb device storage in your computer port and reboot, see that it will automount even though you’ve removed usb-storage.ko.

    After further investigation, I found out the reason why, when I boot, I noticed usb_storage module is still Loaded, dunno, where the kernel gets it from, since I already removed it as stated in this tutorial.

    Check it for yourself:

    lsmod | grep usb

    So I just inserted rmmod usb_storage in the /rc.local of my Ubuntu so it doesn’t get a module upon insertion, of course, remove also the usb-storage.ko from your kernel, beware, upon kernel NEW INSTALL, it will be back there again. So lock your kernel versions!


    Hope this is my final solution. Thanks.

  13. sorry……
    by just moving /lib/modules/2.6.18-164.el5/kernel/drivers/usb/storage/usb-storage.ko to /root doesnt work…..
    i think there is something more to do……..
    pls do rply if anyone has a sugession……..

  14. ah… alas i found some simple way to get through…
    For disabling using cmd——————————————
    jst move the modules to some other location other than the default..
    #mv /lib/modules/2.6.18-164.el5/kernel/drivers/usb/storage/usb-storage.ko /root(or to any other place)
    this is for mass storage blocking….
    for blocking other usb connections like netsetter etc use the cmd below
    #mv /lib/modules/2.6.18-164.el5/kernel/drivers/usb/serial/usbserial.ko /root
    2.6.18-164.el5 is my kernal version.. u could view ur version by #uname -r
    For enabling—– do he revrse! bring the file back
    #mv /root/usb-storage.ko /lib/modules/2.6.18-164.el5/kernel/drivers/usb/storage/usb-storage.ko
    #mv /root/usbserial.ko /lib/modules/2.6.18-164.el5/kernel/drivers/usb/serial/usbserial.ko
    After that type #modprobe -a usbserial
    #modprobe -a usb_storage
    ————————SIMPLEST WAY IS TO BLOCK in GRUB——————————
    Open the /etc/grub.conf and edit the kernal line and insert ‘nousb’
    kernel /boot/vmlinuz-2.6.18-164.el5 ro root=LABEL=/ nousb rhgb quiet
    and U’r done……….
    wen u need to enable just edit and remove ‘nousb’ and reboot

    1. Hey Ganesh, thanks.. Its working.. I think u have vast knowledge in linux. I would like to know more about linux.. how can i contact u??

  15. hi, guys.

    to remove the driver, move it
    # mv /lib/modules/$(uname -r)/kernel/drivers/usb/storage/usb-storage.ko /root

    and update the initramfs
    # update-initramfs -k all -c -v

    after updating initramfs , surelly it will not reapear.


  16. Worked for me using Grub Method ,it worked perfectly and i think it disabled also the USB Power ,cuz im not seeing Led’s lighted in my keyboard.

  17. hey, i m using fedora & i want to block all the USB’s & give access to a particular usb device..
    I tried changin kernel entries using grub command but it is completely blocking all the usbs
    can anyone help me?

  18. i tried mv command to disable the worked but when i try to enable it using modprobe usb-storage or insmod command it me warning with the previous as depreciated config file /etc/modprobe.conf ,all config files belong in /etc/modprobe.d
    what to do?plz help me.its urgent

  19. I dont have that modprobe.conf file in my etc folder.

    [abdmajid@oc2382561007 ~]$ ls /etc/ | grep -i modprobe
    [abdmajid@oc2382561007 ~]$ ls /etc/modprobe.d/
    blacklist.conf disable-ipv6.conf dist-oss.conf iwlagn.conf
    blacklist-kvm.conf dist-alsa.conf ibm-sound.conf iwlwifi.conf
    blacklist-toshiba_acpi.conf dist.conf iwl3945.conf

  20. nousb in Grub is great except when the server has a usb keyboard like Dell’s.

    Still, have a question? Get help on our forum!