Hardening the Linux USB subsystem
The USBGuard software framework helps to protect your computer against rogue USB devices (a.k.a. BadUSB) by implementing basic whitelisting and blacklisting capabilities based on device attributes.
Basically, USBGuard prevents all unauthorized USB devices from connecting to your machine.
Start by installing it. If you’re running Ubuntu, Debian or another Debian-based distro:
$ sudo apt install usbguard
Or, if you’re running Fedora:
$ sudo dnf install usbguard
Make sure all USB devices that you want to be allowed by default to connect to your system are plugged in (don’t worry about the built-in USB devices, like your laptop webcam or Bluetooth module, they get whitelisted automatically), and generate the default policy:
$ sudo sh -c "usbguard generate-policy > /etc/usbguard/rules.conf"
Note: the sudo usbguard generate-policy > /etc/usbguard/rules.conf command won’t work (you will get a Permission denied error) simply because of the way redirection (>, >>, also piping with |) works in Linux: it’s done by the current shell and always performed as the current user, regardless of the sudo part.
Start the usbguard service and enable it on startup:
$ sudo systemctl start usbguard
$ sudo systemctl enable usbguard
Or, if your Linux distro uses System-V style init scripts (whoop whoop Devuan), use update-rc.d:
$ sudo update-rc.d usbguard defaults
Whenever you want to allow a new device, plug it into a USB port and use:
$ sudo usbguard list-devices
8: allow id ...
9: allow id ...
14: block id ...
to find the device rule number. Now you can allow this specific device to connect to your system temporarily:
$ sudo usbguard allow-device 14
Or if you want to allow it permanently:
$ sudo usbguard allow-device 14 -p
Done.
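Before running allow-device on a blocked entry, it helps to look at which interfaces the device announces: a BadUSB-style device typically presents a keyboard (USB interface class 03, HID), sometimes alongside storage. The following is an added example, not part of the original article or of USBGuard itself; the function names, the HID check and the device lines are constructed for illustration, assuming the usual list-devices line layout (number, target, id, name "...", with-interface ...).

```shell
#!/bin/sh
# Constructed sample of `usbguard list-devices` output (not from a real machine).
sample_devices() {
cat <<'EOF'
8: allow id aaaa:0001 serial "" name "Built-in Webcam" hash "CONSTRUCTED1" parent-hash "CONSTRUCTED0" via-port "1-5" with-interface { 0e:01:00 0e:02:00 } with-connect-type "hardwired"
9: allow id aaaa:0002 serial "" name "USB Mouse" hash "CONSTRUCTED2" parent-hash "CONSTRUCTED0" via-port "1-1" with-interface 03:01:02 with-connect-type "hotplug"
14: block id aaaa:0003 serial "S0001" name "Flash Drive" hash "CONSTRUCTED3" parent-hash "CONSTRUCTED0" via-port "1-2" with-interface { 08:06:50 03:01:01 } with-connect-type "hotplug"
15: block id aaaa:0004 serial "S0002" name "Card Reader" hash "CONSTRUCTED4" parent-hash "CONSTRUCTED0" via-port "1-3" with-interface 08:06:50 with-connect-type "hotplug"
EOF
}

# review_blocked (hypothetical helper): reads list-devices output on stdin and
# prints one tab-separated line per blocked device:
#   number  vendor:product  name  HID|no-hid
review_blocked() {
    awk '
    $2 == "block" {
        num = $1; sub(/:$/, "", num)            # "14:" -> "14"
        name = "?"
        if (match($0, / name "[^"]*"/))         # quoted name may contain spaces
            name = substr($0, RSTART + 7, RLENGTH - 8)
        ifaces = ""
        if (match($0, / with-interface ([{][^}]*[}]|[0-9a-fA-F:*]+)/))
            ifaces = substr($0, RSTART + 16, RLENGTH - 16)
        gsub(/[{}]/, "", ifaces)                # single value or { set }
        n = split(ifaces, parts, " ")
        hid = "no-hid"
        for (i = 1; i <= n; i++)
            if (parts[i] ~ /^03:/) hid = "HID"  # class 03 = keyboard/mouse
        printf "%s\t%s\t%s\t%s\n", num, $4, name, hid
    }'
}

# On a real system: sudo usbguard list-devices | review_blocked
sample_devices | review_blocked
```

A device that claims to be storage but is flagged HID deserves a closer look before its number is passed to allow-device.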