Firewall-like software for udev usb devices?
O.MG Cable is here and the way technology is going, more of those devices will be available to the common user.
This kind of USB attack isn't new and there is plenty of devices out there ready to do some hardware or software damage to your computer (Rubber Ducky, BadUSB, USBKill...). But they are getting smarter and being disguised as devices of daily use like a cable.
Question: Is there a software that would block all udev triggers and ask for the user if he wants to allow a new usb device to be enabled, creating a device whitelist? A feature to execute an initial scan to register the devices that are already connected is much appreciated...
I'm thinking that if O.MG Cable is a HID device, it should be safe to not allow it to be mapped neither access system resources (it would show "HID Device" when plugged and the user could refuse it).
security usb udev hardware
asked Feb 20 at 20:57
nwildnernwildner
14.5k24179
add a comment |
O.MG Cable is here and the way technology is going, more of those devices will be available to the common user.
This kind of USB attack isn't new and there is plenty of devices out there ready to do some hardware or software damage to your computer (Rubber Ducky, BadUSB, USBKill...). But they are getting smarter and being disguised as devices of daily use like a cable.
Question: Is there a software that would block all udev triggers and ask for the user if he wants to allow a new usb device to be enabled, creating a device whitelist? A feature to execute an initial scan to register the devices that are already connected is much appreciated...
I'm thinking that if O.MG Cable is a HID device, it should be safe to not allow it to be mapped neither access system resources (it would show "HID Device" when plugged and the user could refuse it).
security usb udev hardware
asked Feb 20 at 20:57
nwildnernwildner
14.5k24179
add a comment |
O.MG Cable is here and the way technology is going, more of those devices will be available to the common user.
This kind of USB attack isn't new and there is plenty of devices out there ready to do some hardware or software damage to your computer (Rubber Ducky, BadUSB, USBKill...). But they are getting smarter and being disguised as devices of daily use like a cable.
Question: Is there a software that would block all udev triggers and ask for the user if he wants to allow a new usb device to be enabled, creating a device whitelist? A feature to execute an initial scan to register the devices that are already connected is much appreciated...
I'm thinking that if O.MG Cable is a HID device, it should be safe to not allow it to be mapped neither access system resources (it would show "HID Device" when plugged and the user could refuse it).
security usb udev hardware
asked Feb 20 at 20:57
nwildnernwildner
14.5k24179
O.MG Cable is here and the way technology is going, more of those devices will be available to the common user.
This kind of USB attack isn't new and there is plenty of devices out there ready to do some hardware or software damage to your computer (Rubber Ducky, BadUSB, USBKill...). But they are getting smarter and being disguised as devices of daily use like a cable.
Question: Is there a software that would block all udev triggers and ask for the user if he wants to allow a new usb device to be enabled, creating a device whitelist? A feature to execute an initial scan to register the devices that are already connected is much appreciated...
I'm thinking that if O.MG Cable is a HID device, it should be safe to not allow it to be mapped neither access system resources (it would show "HID Device" when plugged and the user could refuse it).
security usb udev hardware
security usb udev hardware
asked Feb 20 at 20:57
nwildnernwildner
14.5k24179
asked Feb 20 at 20:57
nwildnernwildner
14.5k24179
asked Feb 20 at 20:57
nwildnernwildner
14.5k24179
asked Feb 20 at 20:57
nwildnernwildner
14.5k24179
asked Feb 20 at 20:57
nwildnernwildner
14.5k24179
14.5k24179
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
Take a look at usbguard. You can create policies based on manufacturer, or specific devices that are allowed or forbidden.
As an example, on Arch Linux you can install using:
pacman -S usbguard usbguard-qt
/etc/usbguard/usbguard-daemon.conf is the main config file. If you want to make usbguard work out of the box with the hardware you already have conected before the daemon starts:
- Edit the
PresentDevicePolicy=parameter and set it totrue. This will auto register the current USB hardware you have before the daemon starts. - Edit the
IPCAllowedUsers=orIPCAllowedGroups=so you can communicate with the daemon and list devices, create rules on-the-fly, etc based on your username or a group you are member of.
This will also avoid any loss of connection from your current mouse and keyboard.
Out of curiosity, Linux 5.1 will have an option to lockdown USB ports that are not internal to the motherboard until it reaches userspace, creating a new layer of protection before USBGuard starts.
edited Feb 25 at 12:41
nwildner
14.5k24179
answered Feb 20 at 21:26
Jakub JindraJakub Jindra
1879
1
Your answer is good, but i'll add some stuff to it :)
– nwildner
Feb 21 at 0:48
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "106"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f501956%2ffirewall-like-software-for-udev-usb-devices%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
Take a look at usbguard. You can create policies based on manufacturer, or specific devices that are allowed or forbidden.
As an example, on Arch Linux you can install using:
pacman -S usbguard usbguard-qt
/etc/usbguard/usbguard-daemon.conf is the main config file. If you want to make usbguard work out of the box with the hardware you already have conected before the daemon starts:
- Edit the
PresentDevicePolicy=parameter and set it totrue. This will auto register the current USB hardware you have before the daemon starts. - Edit the
IPCAllowedUsers=orIPCAllowedGroups=so you can communicate with the daemon and list devices, create rules on-the-fly, etc based on your username or a group you are member of.
This will also avoid any loss of connection from your current mouse and keyboard.
Out of curiosity, Linux 5.1 will have an option to lockdown USB ports that are not internal to the motherboard until it reaches userspace, creating a new layer of protection before USBGuard starts.
edited Feb 25 at 12:41
nwildner
14.5k24179
answered Feb 20 at 21:26
Jakub JindraJakub Jindra
1879
1
Your answer is good, but i'll add some stuff to it :)
– nwildner
Feb 21 at 0:48
add a comment |
Take a look at usbguard. You can create policies based on manufacturer, or specific devices that are allowed or forbidden.
As an example, on Arch Linux you can install using:
pacman -S usbguard usbguard-qt
/etc/usbguard/usbguard-daemon.conf is the main config file. If you want to make usbguard work out of the box with the hardware you already have conected before the daemon starts:
- Edit the
PresentDevicePolicy=parameter and set it totrue. This will auto register the current USB hardware you have before the daemon starts. - Edit the
IPCAllowedUsers=orIPCAllowedGroups=so you can communicate with the daemon and list devices, create rules on-the-fly, etc based on your username or a group you are member of.
This will also avoid any loss of connection from your current mouse and keyboard.
Out of curiosity, Linux 5.1 will have an option to lockdown USB ports that are not internal to the motherboard until it reaches userspace, creating a new layer of protection before USBGuard starts.
edited Feb 25 at 12:41
nwildner
14.5k24179
answered Feb 20 at 21:26
Jakub JindraJakub Jindra
1879
1
Your answer is good, but i'll add some stuff to it :)
– nwildner
Feb 21 at 0:48
add a comment |
Take a look at usbguard. You can create policies based on manufacturer, or specific devices that are allowed or forbidden.
As an example, on Arch Linux you can install using:
pacman -S usbguard usbguard-qt
/etc/usbguard/usbguard-daemon.conf is the main config file. If you want to make usbguard work out of the box with the hardware you already have conected before the daemon starts:
- Edit the
PresentDevicePolicy=parameter and set it totrue. This will auto register the current USB hardware you have before the daemon starts. - Edit the
IPCAllowedUsers=orIPCAllowedGroups=so you can communicate with the daemon and list devices, create rules on-the-fly, etc based on your username or a group you are member of.
This will also avoid any loss of connection from your current mouse and keyboard.
Out of curiosity, Linux 5.1 will have an option to lockdown USB ports that are not internal to the motherboard until it reaches userspace, creating a new layer of protection before USBGuard starts.
edited Feb 25 at 12:41
nwildner
14.5k24179
answered Feb 20 at 21:26
Jakub JindraJakub Jindra
1879
Take a look at usbguard. You can create policies based on manufacturer, or specific devices that are allowed or forbidden.
As an example, on Arch Linux you can install using:
pacman -S usbguard usbguard-qt
/etc/usbguard/usbguard-daemon.conf is the main config file. If you want to make usbguard work out of the box with the hardware you already have conected before the daemon starts:
- Edit the
PresentDevicePolicy=parameter and set it totrue. This will auto register the current USB hardware you have before the daemon starts. - Edit the
IPCAllowedUsers=orIPCAllowedGroups=so you can communicate with the daemon and list devices, create rules on-the-fly, etc based on your username or a group you are member of.
This will also avoid any loss of connection from your current mouse and keyboard.
Out of curiosity, Linux 5.1 will have an option to lockdown USB ports that are not internal to the motherboard until it reaches userspace, creating a new layer of protection before USBGuard starts.
edited Feb 25 at 12:41
nwildner
14.5k24179
answered Feb 20 at 21:26
Jakub JindraJakub Jindra
1879
edited Feb 25 at 12:41
nwildner
14.5k24179
edited Feb 25 at 12:41
nwildner
14.5k24179
edited Feb 25 at 12:41
nwildner
14.5k24179
14.5k24179
answered Feb 20 at 21:26
Jakub JindraJakub Jindra
1879
answered Feb 20 at 21:26
Jakub JindraJakub Jindra
1879
answered Feb 20 at 21:26
Jakub JindraJakub Jindra
1879
1879
1
Your answer is good, but i'll add some stuff to it :)
– nwildner
Feb 21 at 0:48
add a comment |
1
Your answer is good, but i'll add some stuff to it :)
– nwildner
Feb 21 at 0:48
1
1
Your answer is good, but i'll add some stuff to it :)
– nwildner
Feb 21 at 0:48
Your answer is good, but i'll add some stuff to it :)
– nwildner
Feb 21 at 0:48
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f501956%2ffirewall-like-software-for-udev-usb-devices%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
