{"id":45858,"date":"2024-03-19T16:54:11","date_gmt":"2024-03-19T16:54:11","guid":{"rendered":"https:\/\/ubuntuhandbook.org\/?p=45858"},"modified":"2024-08-23T15:23:08","modified_gmt":"2024-08-23T15:23:08","slug":"disable-usb-ubuntu","status":"publish","type":"post","link":"https:\/\/ubuntuhandbook.org\/index.php\/2024\/03\/disable-usb-ubuntu\/","title":{"rendered":"Disable USB System or Certain Ports in Ubuntu 24.04 | 22.04"},"content":{"rendered":"<p><a href=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/03\/usb-icon.webp\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-thumbnail wp-image-45859\" src=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/03\/usb-icon-250x250.webp\" alt=\"\" width=\"250\" height=\"250\" srcset=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/03\/usb-icon-250x250.webp 250w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/03\/usb-icon-300x300.webp 300w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/03\/usb-icon-700x700.webp 700w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/03\/usb-icon-768x768.webp 768w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/03\/usb-icon.webp 1200w\" sizes=\"auto, (max-width: 250px) 100vw, 250px\" \/><\/a><\/p>\n<p>This tutorial shows how to disable USB, either the full sub-system or for certain USB ports, in Ubuntu 24.04 or Ubuntu 22.04.<\/p>\n<p>For server or production machines, disabling USB can be useful for data privacy, virus protection, and other security reasons. 
For Ubuntu and most other Linux distributions, here I&#8217;m going to show you how to disable USB in 3 ways:<\/p>\n<ul>\n<li><b>Disable whole USB sub-system<\/b><\/li>\n<li><b>Disable USB storage only<\/b> &#8211; Only disable access for USB flash drives and other storage devices.<\/li>\n<li><b>Disable specific USB port<\/b><\/li>\n<\/ul>\n<p><!--more--><\/p>\n<h3>Option 1: Disable USB Sub-system in Ubuntu and other Linux<\/h3>\n<p>The Linux kernel has a parameter to disable the whole USB sub-system. When the system boots with this kernel parameter, USB keyboards, mice, flash drives, and built-in USB devices such as the webcam, fingerprint reader, and Bluetooth are all disabled, and the USB ports provide no power for charging.<\/p>\n<p>This is great for server security, but you have to use either remote login or a PS\/2 keyboard and mouse to interact with the Linux machine. Also, USB still works before the kernel boots, such as in the Grub menu. If you want it disabled from the moment the power button is pressed, configure that in the BIOS settings.<\/p>\n<p><b>1.<\/b> First, either connect to your Ubuntu server, or press <code>Ctrl+Alt+T<\/code> on Ubuntu Desktop to open a terminal. When it opens, run the command to edit the config file for the Grub boot-loader:<\/p>\n<pre>sudo nano \/etc\/default\/grub<\/pre>\n<p><i>For Desktop edition, you may replace <code>nano<\/code> with <code>gedit<\/code> for Ubuntu 22.04 and earlier with GNOME, <code>gnome-text-editor<\/code> for 24.04 with default GNOME, <code>pluma<\/code> for MATE, or <code>mousepad<\/code> for XFCE.<\/i><\/p>\n<p>When the file opens, add <b>usbcore.nousb<\/b> to the value of <b>GRUB_CMDLINE_LINUX_DEFAULT<\/b>. 
Then press <b>Ctrl+S<\/b> to save, and <b>Ctrl+X<\/b> to exit the nano text editor.<\/p>\n<p><a href=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/03\/grub-disable-usb.webp\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-45864\" src=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/03\/grub-disable-usb-700x475.webp\" alt=\"\" width=\"610\" height=\"414\" srcset=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/03\/grub-disable-usb-700x475.webp 700w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/03\/grub-disable-usb-300x203.webp 300w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/03\/grub-disable-usb-768x521.webp 768w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/03\/grub-disable-usb.webp 786w\" sizes=\"auto, (max-width: 610px) 100vw, 610px\" \/><\/a><\/p>\n<p><b>2.<\/b> Next, run the command to update the Grub configuration:<\/p>\n<pre>sudo update-grub<\/pre>\n<p><i>NOTE: This command may vary on other Linux distributions. 
When done, restart your computer to apply the change!<\/i><\/p>\n<p>On Ubuntu Desktop with Grub-Customizer installed, you can also launch the graphical app and add the kernel parameter under the &#8220;General Settings&#8221; tab.<\/p>\n<p><a href=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/03\/grub-customizer-nousb.webp\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-45865\" src=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/03\/grub-customizer-nousb-700x498.webp\" alt=\"\" width=\"610\" height=\"434\" srcset=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/03\/grub-customizer-nousb-700x498.webp 700w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/03\/grub-customizer-nousb-300x214.webp 300w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/03\/grub-customizer-nousb-768x547.webp 768w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/03\/grub-customizer-nousb.webp 920w\" sizes=\"auto, (max-width: 610px) 100vw, 610px\" \/><\/a><\/p>\n<h3>Option 2: Disable USB Storage Device only<\/h3>\n<p>Besides blocking the kernel module, you can choose to disable only USB flash drives and other USB storage devices, leaving the keyboard, mouse, and other built-in USB devices working.<\/p>\n<p><b>1.<\/b> First, open a terminal (Ctrl+Alt+T) or connect to the server, and run the command to create &amp; edit the config file:<\/p>\n<pre>sudo nano \/etc\/modprobe.d\/blacklist-usb-storage.conf<\/pre>\n<p><i>Again, you may replace <code>nano<\/code> with your favorite text editor.<\/i> When the file opens, add the following 2 lines:<\/p>\n<pre>blacklist usb_storage\r\nblacklist uas<\/pre>\n<p>Then press Ctrl+S to save, and Ctrl+X to exit the nano text editor.<\/p>\n<p><a href=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/03\/block-usb-storage.webp\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-45866\" 
src=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/03\/block-usb-storage-700x475.webp\" alt=\"\" width=\"610\" height=\"414\" srcset=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/03\/block-usb-storage-700x475.webp 700w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/03\/block-usb-storage-300x203.webp 300w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/03\/block-usb-storage-768x521.webp 768w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/03\/block-usb-storage.webp 786w\" sizes=\"auto, (max-width: 610px) 100vw, 610px\" \/><\/a><\/p>\n<p><b>2.<\/b> After that, run the command to update the initramfs:<\/p>\n<pre>sudo update-initramfs -u<\/pre>\n<p>Finally, reboot your machine. Your system will read the <code>blacklist-usb-storage.conf<\/code> config file on startup, and block loading the 2 kernel modules (<code>usb_storage<\/code> and <code>uas<\/code>) for accessing USB storage devices.<\/p>\n<h3>Option 3: Disable Specific USB Port<\/h3>\n<p>Under the <code>\/sys\/bus\/usb\/devices<\/code> directory, there is a list of sub-folders that contain the files to configure USB ports and connected devices. By setting a port to always suspend, or by using the usbguard service, you can &#8220;disable&#8221; the associated USB ports.<\/p>\n<h4>Step 1: Find out the sys device directory for your USB Port<\/h4>\n<p>The <code>\/sys\/bus\/usb\/devices<\/code> directory has quite a few sub-folders, so you have to find out which one is for your USB port first.<\/p>\n<p><b>1.<\/b> First, plug a USB device (keyboard, mouse, or flash drive) into the USB port, so that a corresponding sub-folder is automatically generated in that directory.<\/p>\n<p><b>2.<\/b> Then open a terminal (Ctrl+Alt+T) and run the command:<\/p>\n<pre>lsusb<\/pre>\n<p>In the output, you can identify your USB device by its text description. 
In my case, I have only a wireless keyboard (3151:3020) and a mouse (1c4f:0034) connected.<\/p>\n<p><a href=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/03\/lsusb-device-folder.webp\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-47096\" src=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/03\/lsusb-device-folder-700x505.webp\" alt=\"\" width=\"610\" height=\"440\" srcset=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/03\/lsusb-device-folder-700x505.webp 700w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/03\/lsusb-device-folder-300x216.webp 300w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/03\/lsusb-device-folder.webp 706w\" sizes=\"auto, (max-width: 610px) 100vw, 610px\" \/><\/a><\/p>\n<p>Using the device&#8217;s product ID (the 4 hex digits after the colon), we can find the device folder via the command:<\/p>\n<pre>grep 3020 \/sys\/bus\/usb\/devices\/*\/idProduct<\/pre>\n<p>Re-run the last command with a different product ID (replace 3020), and you&#8217;ll get all the &#8216;sys&#8217; directories for the USB devices. 
In my case (see last screenshot) they are:<\/p>\n<ul>\n<li><code>\/sys\/bus\/usb\/devices\/1-1\/<\/code> &#8211; the one connected to the USB mouse.<\/li>\n<li><code>\/sys\/bus\/usb\/devices\/1-2\/<\/code> &#8211; the one connected to the wireless keyboard.<\/li>\n<\/ul>\n<h4>Step 2: (Optional) Auto-Suspend the USB device<\/h4>\n<p>In step 1 above, I&#8217;ve found the corresponding sub-folders (1-1 and 1-2) for my 2 USB ports.<\/p>\n<p>As one choice, you may set a certain USB port, <b>1-1<\/b> for example, to auto-suspend with the delay set to 0 ms, so it will always be suspended.<\/p>\n<pre>echo 0 | sudo tee \/sys\/bus\/usb\/devices\/<b>1-1<\/b>\/power\/autosuspend_delay_ms<\/pre>\n<pre>echo \"auto\" | sudo tee \/sys\/bus\/usb\/devices\/<b>1-1<\/b>\/power\/control<\/pre>\n<p>However, the change <b>only works until you un-plug and re-plug the device into the USB port<\/b>. Once you unplug the USB device, the corresponding config folder (<i>1-1 in this case<\/i>) disappears. When you plug it in again, that folder is created again automatically, but with all settings reset.<\/p>\n<p>This means the method only works while the USB device stays connected to the port, unless you manage to auto-run the 2 commands above on every plug-in.<\/p>\n<h4>Step 2: (Better Choice) Use USBGuard<\/h4>\n<p>Most Linux distributions include a usbguard package in their system repositories. It runs a systemd service in the background to implement basic USB whitelisting and blacklisting capabilities.<\/p>\n<p>1. First, open a terminal and run the command to install the package:<\/p>\n<pre>sudo apt install usbguard<\/pre>\n<p>2. 
Then, run the command to edit the config file for this service:<\/p>\n<pre>sudo nano \/etc\/usbguard\/rules.conf<\/pre>\n<p><i>For GNOME, replace <code>nano<\/code> with <code>gedit<\/code> (22.04 and earlier), <code>gnome-text-editor<\/code> (24.04), <code>mousepad<\/code> for XFCE, <code>pluma<\/code> for MATE, &#8230;<\/i>.<\/p>\n<p>When the file opens, it should contain some lines of default rules. <b>If EMPTY, close the file<\/b>. Wait a moment to let it auto-generate the rules, then re-edit it.<\/p>\n<p>3. <strong>Before editing the file, it&#8217;s better to make a copy of the default content, so you can easily revert your changes!<\/strong><\/p>\n<p>When the file opens, delete the line for your specific USB port\/device (identified by the ID, name, etc.), then add new rules, e.g., <b>block via-port \"1-2\"<\/b> to disable USB port 1-2, and <b>allow via-port \"1-1\"<\/b> to allow anything connected to USB port 1-1.<\/p>\n<p><a href=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/03\/usbguard-conf.webp\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-46777\" src=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/03\/usbguard-conf-700x580.webp\" alt=\"\" width=\"610\" height=\"505\" srcset=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/03\/usbguard-conf-700x580.webp 700w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/03\/usbguard-conf-300x248.webp 300w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/03\/usbguard-conf-768x636.webp 768w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/03\/usbguard-conf.webp 1112w\" sizes=\"auto, (max-width: 610px) 100vw, 610px\" \/><\/a><\/p>\n<p>4. 
Finally, restart the service.<\/p>\n<pre>systemctl restart usbguard.service<\/pre>\n<p>The change will be applied a few moments later.<\/p>\n<p>To undo this change, use the commands below to stop the services, then uninstall usbguard:<\/p>\n<pre>sudo systemctl disable --now usbguard.service<\/pre>\n<pre>sudo systemctl stop usbguard-dbus.service<\/pre>\n<pre>sudo apt remove --purge usbguard<\/pre>\n<p>Finally, remove the config files under the \/etc directory:<\/p>\n<pre>sudo rm -rf \/etc\/usbguard\/<\/pre>","protected":false},"excerpt":{"rendered":"<p>This tutorial shows how to disable USB, either the full sub-system or for certain USB ports, in Ubuntu 24.04 or Ubuntu 22.04. For server or production machines, disabling USB can be useful for data privacy, virus protection, and other security reasons. For Ubuntu and most other Linux distributions, here I&#8217;m going to show you how to [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":45859,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[2039],"class_list":["post-45858","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","tag-security"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/posts\/45858","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/comments?post=45858"}],"version-history":[{"count":0,"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/posts\/45858\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ubuntuhandbook.org\/i
ndex.php\/wp-json\/wp\/v2\/media\/45859"}],"wp:attachment":[{"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/media?parent=45858"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/categories?post=45858"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/tags?post=45858"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}