Thursday, July 18, 2024
HomeHow toHow to Disable USB System or Certain Ports in Ubuntu 22.04

How to Disable USB System or Certain Ports in Ubuntu 22.04

This tutorial shows how to disable USB, either the full sub-system or for certain USB ports, in Ubuntu.

For server or production machines, disable USB can be useful for data privacy, virus protection, and other security reasons. For Ubuntu and most other Linux, here I’m going to show you how to disable USB via 3 ways:

  • Disable whole USB sub-system
  • Disable USB storage only – Only disable access for USB flash drive and other storage devices.
  • Disable specific USB port

Option 1: Disable USB Sub-system in Ubuntu and other Linux

Linux Kernel has a parameter to disable the whole USB sub-system. When boot with the Kernel parameter, USB keyboard, mouse, flash drive, and built-in USB devices, such as webcam, fingerprint reader, bluetooth will be all disabled. And, USB ports have no power for charging.

This is great for server security, but you have to use either remote login or PS2 keyboard and mouse to interact with the Linux machine. And, USB still works before booting the kernel in Grub menu entry. If you want to disable it on power button press, go configure it in BIOS settings.

1. First, either connect to your Ubuntu server, or press Ctrl+Alt+T on Ubuntu Desktop to open terminal. When it opens, run command to edit the config file for Grub boot-loader:

sudo nano /etc/default/grub

For Desktop edition, you may replace nano with gedit for Ubuntu 22.04 and earlier with GNOME, gnome-text-editor for 23.10 + with GNOME, pluma for MATE, or mousepad for XFCE.

When file opens, add usbcore.nousb to value of GRUB_CMDLINE_LINUX_DEFAULT. Then press Ctrl+S to save, and Ctrl+X to exit nano text editor.

2. Next, run command to update grub configuration:

sudo update-grub

NOTE: This command may vary for other Linux. When done, restart your computer to apply!

For Ubuntu Desktop with Grub-Customizer installed, user can also launch the graphical app, and add the kernel parameter by navigating to “General Settings” tab.

Option 2: Disable USB Storage Device only

By blocking kernel module, user can choose to only disable USB flash drive and other USB storage devices, leave keyboard, mouse, and other built-in USB devices still working.

1. First, open terminal (Ctrl+Alt+T) or connect to server, and run command to create & edit the config file:

sudo nano /etc/modprobe.d/blacklist-usb-storage.conf

Also, you may replace nano to your favorite text editor. When file opens, add following 2 lines:

blacklist usb_storage
blacklist uas

Then press Ctrl+S to save, and Ctrl+X to exit nano text editor.

2. After that, run command to update the initramfs.

sudo update-initramfs -u

Finally, reboot your machine. Your system will read the blacklist-usb-storage.conf config file on startup, and block loading the 2 kernel modules (usb_storage and uas) for accessing USB storage devices.

Option 3: Disable Specific USB Port

Under /sys/bus/usb/devices directory, there are a list of sub-folders that contain the files to configure USB ports and connected devices. By setting to always suspend or using usbguard service, user can “disable” the corresponding USB ports.

Step 1: Find out the sys device folder for your specified USB Port

The /sys/bus/usb/devices directory has quite a few sub-folders, you have to find out which one is for your USB port first.

1. First, plug in a USB device (keyboard, mouse, or flash drive) into the USB port, so it will automatically generate a corresponding sub-folder in that directory.

2. Then open terminal (Ctrl+Alt+T) and run command to list all USB devices:

lsusb

And, run the single command below to list the sub-folders as well as their handled IDs.

cd /sys/bus/usb/devices && for d in *; do if [ -f $d/idProduct ]; then prod=$( cat $d/idProduct ); vend=$( cat $d/idVendor ); echo Device: "${d}", ID: "${vend}:${prod}"; fi; done

In the lsusb command output,  you can find out the ID of your connected USB devices. With the 2nd command output, you can use the ID to find out the device folder names (e.g., 1-1, 1-2, usb1, usb2, …).

In my case (see screenshot below), I have only 2 USB ports in my laptop. The “1-1” sub-folder is for 1c4f:0034, the USB port connected with mouse. And, “1-2” sub-folder is for 3151:3020, the USB port connected with wireless keyboard.

Step 2: (Optional) Auto-Suspend the USB device

In the last step 1, I’ve found out the corresponding sub-folders (1-1 and 1-2) for my 2 USB ports.

For choice, you may set to auto-suspend the certain USB port, 1-1 for example, and set delay to 0 ms, so it will be always suspend.

echo 0 | sudo tee /sys/bus/usb/devices/1-1/power/autosuspend_delay_ms
echo "auto" | sudo tee /sys/bus/usb/devices/1-1/power/control

However, the change only works until you un-plug and re-plug device into the USB port. Because, once unplug the USB device, the corresponding config folder (1-1 in the case) will be disappeared. When you plug-in again, that folder is created automatically again, but with all settings reset.

Meaning this method only works when the USB device is keeping connected to the port. Unless, you managed to auto-run the 2 commands above on every plug-in.

Step 2: (Better Choice) Use USBGuard

Most Linux includes a usbguard package in system repository. It runs a systemd service in the background to implement basic USB whitelisting and blacklisting capabilities.

1. First, open terminal and run command to install the package:

sudo apt install usbguard

2. Then, run command to edit the config file for this service:

sudo nano /etc/usbguard/rules.conf

For GNOME, replace nano with gedit (22.04 and earlier), gnome-text-editor (23.10 and later), mousepad for XFCE, pluma for MATE, ….

When file opens, it should contains some lines for default rules. If EMPTY, close the file. Wait a moment to let it auto-generate the rules, then re-edit it.

3. Before editing the file, it’s better to make a copy of default content. So, you can easily restore the changes!

When the file opens, delete the line for your specific USB port/device (identify by the ID, name, etc), finally add new line block via-port “1-1” (change ‘1-1’ accordingly) to disable that USB port.

4. Finally, restart the service.

systemctl restart usbguard.service

And, the change will be applied a few moment later.

To undo this change, use commands to stop the service, then uninstall usbguard:

systemctl stop usbguard.service
sudo apt remove usbguard



RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here


Most Popular