{"id":541334,"date":"2023-01-19T20:00:00","date_gmt":"2023-01-19T17:00:00","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/how-to-protect-your-linux-computer-from-rogue-usb-drives\/"},"modified":"2023-01-19T20:00:00","modified_gmt":"2023-01-19T17:00:00","slug":"how-to-protect-your-linux-computer-from-rogue-usb-drives","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/how-to-protect-your-linux-computer-from-rogue-usb-drives\/","title":{"rendered":"#How to Protect Your Linux Computer From Rogue USB Drives"},"content":{"rendered":"<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_85 counter-hierarchy ez-toc-counter ez-toc-custom ez-toc-container-direction\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of Contents<\/p>\n<label for=\"ez-toc-cssicon-toggle-item-6a300e4b4bedd\" class=\"ez-toc-cssicon-toggle-label\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #dd3333;color:#dd3333\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #dd3333;color:#dd3333\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/label><input type=\"checkbox\"  id=\"ez-toc-cssicon-toggle-item-6a300e4b4bedd\" checked aria-label=\"Toggle\" \/><nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-1'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/buradabiliyorum.com\/en\/how-to-protect-your-linux-computer-from-rogue-usb-drives\/#%E2%80%9CHow_to_Protect_Your_Linux_Computer_From_Rogue_USB_Drives%E2%80%9D\" >&#8220;How to Protect Your Linux Computer From Rogue USB Drives&#8221;<\/a><ul class='ez-toc-list-level-2' ><li class='ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/buradabiliyorum.com\/en\/how-to-protect-your-linux-computer-from-rogue-usb-drives\/#The_USB_Memory_Stick_and_Its_Dangers\" >The USB Memory Stick and Its Dangers<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/buradabiliyorum.com\/en\/how-to-protect-your-linux-computer-from-rogue-usb-drives\/#What_Is_USBGuard\" >What Is USBGuard?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/buradabiliyorum.com\/en\/how-to-protect-your-linux-computer-from-rogue-usb-drives\/#Normal_Behavior_With_USB_Sticks_on_Linux\" >Normal Behavior With USB Sticks on Linux<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/buradabiliyorum.com\/en\/how-to-protect-your-linux-computer-from-rogue-usb-drives\/#Installing_USBGuard\" >Installing USBGuard<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/buradabiliyorum.com\/en\/how-to-protect-your-linux-computer-from-rogue-usb-drives\/#Configuring_a_Base_Policy\" >Configuring a Base Policy<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/buradabiliyorum.com\/en\/how-to-protect-your-linux-computer-from-rogue-usb-drives\/#Adding_Another_USB_Device\" >Adding Another USB Device<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-8\" href=\"https:\/\/buradabiliyorum.com\/en\/how-to-protect-your-linux-computer-from-rogue-usb-drives\/#Removing_a_USB_Devices_Access\" >Removing a USB Device\u2019s Access<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n<h1><span class=\"ez-toc-section\" id=\"%E2%80%9CHow_to_Protect_Your_Linux_Computer_From_Rogue_USB_Drives%E2%80%9D\"><\/span>&#8220;How to Protect Your Linux Computer From Rogue USB Drives&#8221;<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<div>\n<figure style=\"width: 1199px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"type:primaryImage wp-image-864898 size-full\" data-pagespeed-no-defer=\"\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2023\/01\/freer-shutterstock_697210159.png?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Person's hand plugging a USB drive into a computer.\" width=\"1199\" height=\"673\" data-crediturl=\"https:\/\/www.shutterstock.com\/image-photo\/hand-putting-usb-flash-drive-laptop-697210159\" data-credittext=\"Freer\/Shutterstock.com\"\/><figcaption class=\"wp-caption-text\"><span class=\"type:primaryImage imagecredit\"><a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.shutterstock.com\/image-photo\/hand-putting-usb-flash-drive-laptop-697210159\">Freer\/Shutterstock.com<\/a><\/span><\/figcaption><\/figure>\n<p>Install USBGuard to control and manage which thumb drives can be used on your Linux computer. Acting as a sort of firewall for USB devices, it lets you create a set of rules that allow, block, or reject specific drives.<\/p>\n<p>USB memory sticks can be used to steal data from your Linux computer. USBGuard lets you set rules governing the use of USB memory sticks, like a firewall for USB storage devices. Here\u2019s how it works and how you can set it up.<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"The_USB_Memory_Stick_and_Its_Dangers\"><\/span>The USB Memory Stick and Its Dangers<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>We\u2019ve probably all got at least one <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.howtogeek.com\/795657\/best-usb-flash-drive\/\">USB memory stick or USB storage device like a USB external drive. They\u2019re cheap, effective, portable, and easy to use.<\/p>\n<p>Nowadays you can just plug one into your Linux computer to have it identified as a storage device and mounted automatically. Gone are the days of having to mount them by hand on the command line. This convenience means anyone can put one into a Linux computer and copy data off the USB drive onto the computer, or from the computer onto the memory stick.<\/p>\n<p>If other people use your computer you might want to limit what they can do with USB memory sticks. If your computer is in your home, it\u2019s unlikely that an opportunist with malicious intent will walk by when your computer is on and unattended, but that can h<a href=\"https:\/\/buradabiliyorum.com\/en\/category\/download-scripts-themes-apps\/\" data-internallinksmanager029f6b8e52c=\"9\" title=\"Download Scripts &amp; Themes &amp; Apps\" target=\"_blank\" rel=\"noopener\">app<\/a>en in a workplace.<\/p>\n<p>But even with a computer in your family home, you might want to limit USB access. Perhaps your kids regularly have friends over to play. Locking down USB access is a sensible precaution to stop them from inadvertently causing issues.<\/p>\n<p>When someone finds a USB drive there\u2019s an im<a href=\"https:\/\/buradabiliyorum.com\/en\/category\/social-mediaa\/\" data-internallinksmanager029f6b8e52c=\"1\" title=\"Social Media\" target=\"_blank\" rel=\"noopener\">media<\/a>te desire to plug it into something to see what\u2019s on it. Cyber threats that target Linux computers are much rarer than those designed for Windows computers, but they still exist.<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"What_Is_USBGuard\"><\/span>What Is USBGuard?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>USBGuard can protect you against software-based threats that are distributed on compromised USB memory sticks, such as <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.howtogeek.com\/devops\/badusb-the-cyber-threat-that-gets-you-to-plug-it-in\/\">BadUSB, where the attack commences when you\u2019re manipulated into opening what looks like a document but is a disguised executable. USBGuard cannot protect you against hardware-based threats such as\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/USB_Killer\">USB Killer<\/a>\u00a0devices that cause physical harm to your computer by releasing a high-voltage discharge into your machine.<\/p>\n<p>Actually, USBGuard allows you to set up rules for all manner of different USB devices, including mice, webcams, and keyboards. It\u2019s not just for USB memory sticks. Your computer knows the ID of each USB device, so you can choose which USB devices work in your computer, and which cannot. It\u2019s something like a firewall for USB connectivity.<\/p>\n<blockquote class=\"admonishment_warning\"><p><strong>Warning:<\/strong> The USBGuard daemon runs as soon as it is installed. Make sure you configure USBGuard straight after installing it. If you don\u2019t, all your USB devices will be blocked when you reboot your computer.<\/p><\/blockquote>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"Normal_Behavior_With_USB_Sticks_on_Linux\"><\/span>Normal Behavior With USB Sticks on Linux<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Before we do anything, we\u2019ll check the default behavior on our <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.howtogeek.com\/837565\/whats-new-in-ubuntu-22.10-kinetic-kudu\/\">Ubuntu 22.10 computer. It\u2019s a simple process. We insert a USB memory stick and see what happens.<\/p>\n<p>We hear an audible alert sound, and a memory stick icon appears in the dock.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-864902\" data-pagespeed-lazy-src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2023\/01\/5-3.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"150\" height=\"270\" src=\"\/pagespeed_static\/1.JiBnMqyl6S.gif\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Opening the file browser shows an entry has been added to the list of locations in the sidebar. The name displayed is the one given to the device when it was formatted.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-864903\" data-pagespeed-lazy-src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2023\/01\/6-2.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"240\" height=\"185\" src=\"\/pagespeed_static\/1.JiBnMqyl6S.gif\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Opening a terminal and using the <code>lsusb<\/code> command\u00a0lists the connected USB devices. The top entry is the memory stick in question, which happens to be a TDK-branded device.<\/p>\n<pre>lsusb<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-864904\" data-pagespeed-lazy-src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2023\/01\/7-2.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Using lsusb to list connected USB devices\" width=\"644\" height=\"150\" src=\"\/pagespeed_static\/1.JiBnMqyl6S.gif\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p><strong>RELATED:<\/strong> <strong><em>How to List Your Computer&#8217;s Devices From the Linux Terminal<\/em><\/strong><\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"Installing_USBGuard\"><\/span>Installing USBGuard<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>USBGuard has dependencies on <code>usbutils<\/code> and <code>udisks2<\/code> . On the latest <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.howtogeek.com\/430556\/why-i-switched-from-ubuntu-to-manjaro-linux\/\">Manjaro, Fedora, and Ubuntu builds that we tested, these were already installed.<\/p>\n<p>To install USBGuard on Ubuntu, use this command:<\/p>\n<pre>sudo apt install usbguard<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-864905\" data-pagespeed-lazy-src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2023\/01\/3-2.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Installing USBGuard on Ubuntu with apt\" width=\"644\" height=\"55\" src=\"\/pagespeed_static\/1.JiBnMqyl6S.gif\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>On Fedora you need to type:<\/p>\n<pre>sudo dnf install usbguard<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-864907\" data-pagespeed-lazy-src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2023\/01\/2-3.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Installing USBGuard on Fedora with dnf\" width=\"644\" height=\"55\" src=\"\/pagespeed_static\/1.JiBnMqyl6S.gif\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>On Manjaro, the command is:<\/p>\n<pre>sudo pacman -S usbguard<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-864908\" data-pagespeed-lazy-src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2023\/01\/1-3.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Installing USBGuard on Manjaro with pacman\" width=\"644\" height=\"55\" src=\"\/pagespeed_static\/1.JiBnMqyl6S.gif\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"Configuring_a_Base_Policy\"><\/span>Configuring a Base Policy<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>USBGuard has a neat trick. It has a command that creates a rule allowing all currently connected USB devices to continue work unhindered. That means you can create a baseline configuration for all of your always-required devices. This set of rules is called a base policy.<\/p>\n<p>USBGuard uses three types of rules.<\/p>\n<ul>\n<li><strong>Allow<\/strong>: Allow rules permit a specified device to operate unhindered, as normal. This is used for devices that are always connected, such as wired keyboards, mice, trackballs, webcams, and so on. It is also used for devices that are connected intermittently, and which are known and trusted.<\/li>\n<li><strong>Block<\/strong>: Block rules prevent USB devices from operating. The USB device is not visible to the user at all.<\/li>\n<li><strong>Reject<\/strong>: Reject rules also prevent USB devices from operating, but the USB device is visible to the user using <code>lsusb<\/code>.<\/li>\n<\/ul>\n<p>USBGuard has a neat trick. It has a command that will create a base policy with an allow rule for each of the\u00a0<em>currently connected<\/em>\u00a0USB devices. This is a great way to quickly configure devices that are always connected to your computer, like keyboards and webcams. It is also a convenient way to capture trusted, intermittent devices. Just make sure all of your trusted devices are connected to your computer when you issue the command.<\/p>\n<p>An odd quirk requires you to do this as <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.howtogeek.com\/737563\/what-is-root-on-linux\/\">root. Using <code>sudo<\/code> with the command doesn\u2019t work. We need to use <code>sudo -i<\/code> (login) command to open a shell as root, <em>then<\/em> issue the command. Make sure you use the <code>exit<\/code> command to leave the root login session once you\u2019ve finished.<\/p>\n<pre>sudo -i<\/pre>\n<pre>usbguard generate-policy -X -t reject &gt; \/etc\/usbguard\/rules.conf<\/pre>\n<pre>exit<\/pre>\n<p>The <code>-X<\/code> (\u2013no-hashes) option prevents USBGuard from generating hash attributes for each device. The <code>-t<\/code> (target) option sets a default target for all unrecognized USB devices. In our case we\u2019ve chosen \u201creject.\u201d We could also have chosen \u201cblock.\u201d<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-864909\" data-pagespeed-lazy-src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2023\/01\/8-2.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Creating a base USBGuard policy with a root terminal session\" width=\"644\" height=\"150\" src=\"\/pagespeed_static\/1.JiBnMqyl6S.gif\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>To see our new rules, we can use <code>cat<\/code>.<\/p>\n<pre>sudo cat \/etc\/usbguard\/rules.conf<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-864915\" data-pagespeed-lazy-src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2023\/01\/9-2.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Using cat to list the auto-generated rules in \/etc\/usbguard\/rules.conf\" width=\"644\" height=\"210\" src=\"\/pagespeed_static\/1.JiBnMqyl6S.gif\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>On our test computer, this detected three USB devices and created \u201callow\u201d rules for them. It added \u201creject\u201d as the target for all other USB devices.<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"Adding_Another_USB_Device\"><\/span>Adding Another USB Device<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Now, if we plug in the same USB memory stick we used earlier, it isn\u2019t permitted to operate. It isn\u2019t added to the dock, it isn\u2019t added to the file browser, and we don\u2019t get an audible alert.<\/p>\n<p>But because we used a \u201creject\u201d target for unrecognized devices, <code>lsusb<\/code> can list its details.<\/p>\n<pre>lsusb<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-864919\" data-pagespeed-lazy-src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2023\/01\/10-2.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Using lsusb to list connected USB devices\" width=\"644\" height=\"150\" src=\"\/pagespeed_static\/1.JiBnMqyl6S.gif\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>If we\u2019d used a \u201cblock\u201d target in our base policy, we would need to use the <code>list-devices<\/code> command with the <code>-b<\/code> (blocked devices) option.<\/p>\n<pre>sudo usbguard list-devices -b<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-864926\" data-pagespeed-lazy-src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2023\/01\/11-3.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Using the list-devices command to list blocked, connected, devices\" width=\"644\" height=\"150\" src=\"\/pagespeed_static\/1.JiBnMqyl6S.gif\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>This shows the currently connected, but blocked, USB devices.<\/p>\n<p>We\u2019ll use some of the information from this command to allow our rejected USB device to have temporary access or permanent access.\u00a0To give our device temporary access, we\u2019ll use the device ID number. In our example this is \u201c10.\u201d<\/p>\n<pre>sudo usbguard allow-device 10<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-864927\" data-pagespeed-lazy-src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2023\/01\/12-1.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Giving a USB device temporary access\" width=\"644\" height=\"75\" src=\"\/pagespeed_static\/1.JiBnMqyl6S.gif\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Our device is connected and appears in the dock and the file browser. If we ask USBGuard to list the blocked devices, none are listed.<\/p>\n<pre>sudo usbguard list-devices -b<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-864931\" data-pagespeed-lazy-src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2023\/01\/13-1.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"USBGUard finding no blocked devices\" width=\"644\" height=\"75\" src=\"\/pagespeed_static\/1.JiBnMqyl6S.gif\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>We can make the permission permanent by using the <code>-p<\/code> (permanent) option. This creates a rule for us and adds it to our policy.<\/p>\n<pre>sudo usbguard allow-device 10 -p<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-864933\" data-pagespeed-lazy-src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2023\/01\/14-1.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Giving a device permanent access by adding an allow rule to the policy\" width=\"644\" height=\"75\" src=\"\/pagespeed_static\/1.JiBnMqyl6S.gif\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>We can now use this USB device as normal.<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"Removing_a_USB_Devices_Access\"><\/span><a rel=\"nofollow noopener\" target=\"_blank\" name=\"autotoc_anchor_6\">Removing a USB Device\u2019s Access<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>If you change your mind about a USB device\u2014perhaps you\u2019ve lost a USB memory stick and want to remove its access\u2014you can do so with the <code>block-device<\/code> command.<\/p>\n<p>We need to know the device ID. We can find this by listing the allowed devices. Note that this number might not be the same as the one you used to add the rule to the list, so check before you issue the <code>block-device<\/code> command.<\/p>\n<pre>sudo usbguard list-devices -a<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-864936\" data-pagespeed-lazy-src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2023\/01\/15-1.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Obtaining a USB device's ID number using the list-devices command\" width=\"644\" height=\"355\" src=\"\/pagespeed_static\/1.JiBnMqyl6S.gif\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>In our case the ID is \u201c13.\u201d We\u2019ll use this with the block-device command, and the <code>-p<\/code> (permanent) option, to remove its access forever.<\/p>\n<pre>sudo usbguard block-device 13 -p<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-864937\" data-pagespeed-lazy-src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2023\/01\/16-1.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Permanently blocking a USB device's access using the block-device command\" width=\"644\" height=\"55\" src=\"\/pagespeed_static\/1.JiBnMqyl6S.gif\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Note that this immediately disconnects the device. Only use this command when you\u2019ve finished using any data on the device.<\/p>\n<hr\/>\n<p>USBGuard gives you an efficient and robust way to take control of, and manage, which USB devices can be used on your computer.<\/p>\n<p>It\u2019s your computer, so it\u2019s only fair you get to choose.<\/p>\n<p><strong>RELATED:<\/strong> <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.howtogeek.com\/414634\/how-to-mount-and-unmount-storage-devices-from-the-linux-terminal\/\"><strong><em>How to Mount and Unmount Storage Devices from the Linux Terminal<\/em><\/strong><\/p>\n<\/div>\n<p><script>\n setTimeout(function(){\n  !function(f,b,e,v,n,t,s)\n  {if(f.fbq)return;n=f.fbq=function(){n.callMethod?\n  n.callMethod.apply(n,arguments):n.queue.push(arguments)};\n  if(!f._fbq)f._fbq=n;n.push=n;n.loaded=!0;n.version='2.0';\n  n.queue=[];t=b.createElement(e);t.async=!0;\n  t.src=v;s=b.getElementsByTagName(e)[0];\n  s.parentNode.insertBefore(t,s) } (window, document,'script',\n  'https:\/\/connect.facebook.net\/en_US\/fbevents.js');\n   fbq('init', '335401813750447');\n   fbq('track', 'PageView');\n  },3000);\n<\/script><\/p>\n<blockquote><p><strong><span style=\"color: #ff6600;\">If you liked the article, do not forget to share it with your friends. Follow us on\u00a0<span style=\"color: #ff0000;\"><a style=\"color: #ff0000;\" href=\"https:\/\/news.google.com\/publications\/CAAqBwgKMLG0nwswvr63Aw\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Google News<\/a><\/span>\u00a0too, click on the star and choose us from your favorites.<\/span><\/strong><\/p><\/blockquote>\n<blockquote>\n<p style=\"text-align: center;\">For forums sites go to <span style=\"color: #ff9900;\"><a style=\"color: #ff9900;\" href=\"https:\/\/forum.buradabiliyorum.com\/\" target=\"_blank\" rel=\"noopener\">Forum.BuradaBiliyorum.Com<\/a><\/span><\/strong><\/p>\n<\/blockquote>\n<blockquote>\n<p style=\"text-align: center;\"><strong>If you want to read more like this article, you can visit our <span style=\"color: #ff9900;\"><a style=\"color: #ff9900;\" href=\"https:\/\/en.buradabiliyorum.com\/technology\/\" target=\"_blank\" rel=\"noopener\">Technology category.<\/a><\/span><\/strong><\/p>\n<\/blockquote>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.howtogeek.com\/864896\/how-to-protect-your-linux-computer-from-rogue-usb-drives\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;How to Protect Your Linux Computer From Rogue USB Drives&#8221; Freer\/Shutterstock.com Install USBGuard to control and manage which thumb drives can be used on your Linux computer. Acting as a sort of firewall for USB devices, it lets you create a set of rules that allow, block, or reject specific drives. USB memory sticks can&#8230;<\/p>\n","protected":false},"author":1,"featured_media":541335,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2023\/01\/freer-shutterstock_697210159.png?height=200p&trim=2,2,2,2","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-541334","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/541334","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=541334"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/541334\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/541335"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=541334"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=541334"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=541334"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}