Why Even a Great Firewall Can’t Stop BadUSB?
Admins often focus all their efforts on Firewalls, IDS/IPS, or Web vulnerability scanning, but overlook a highly dangerous physical entry point: the USB port. BadUSB attacks (like the Rubber Ducky) are dangerous because they don’t contain malware in the traditional sense. Instead, the USB controller chip is flashed with firmware that mimics a Human Interface Device (HID), such as a keyboard. Once plugged in, it can “type” commands at 1000 words per minute to seize control or install a backdoor in the blink of an eye.
A classic example is the “dropped USB” scenario. An employee finds a mysterious USB drive and plugs it into a company computer to identify the owner, inadvertently compromising the system. With USBGuard, that USB would be disconnected immediately before it could execute any commands.
USBGuard operates on a Whitelist mechanism. It scans every connected device and matches it against rules you define. Any unknown device is rejected by the kernel before it can even get past the front gate.
Installing USBGuard: The First Lock on the Door
The good news is that USBGuard is available in the official repositories of most popular Linux distributions. Simply run the installation command for your OS.
Ubuntu/Debian Systems
sudo apt update && sudo apt install usbguard
RHEL/CentOS/Fedora Systems
sudo dnf install usbguard
Arch Linux Systems
sudo pacman -S usbguard
Crucial Warning: If you are physically sitting at the machine, do not start the service immediately. Without configuration, USBGuard will block all current USB keyboards and mice, effectively locking you out of your own system.
Building Your Defensive Wall (Policy)
To stay safe, we will create a rule set based on the devices currently plugged into your machine that you already trust.
1. Automatically Generate Initial Rules
The following command identifies active devices and adds them to the allowed list:
sudo usbguard generate-policy > rules.conf
sudo install -m 0600 -o root -g root rules.conf /etc/usbguard/rules.conf
Note the use of 0600 permissions to ensure only the root user can view or edit this list. Carefully review the configuration file’s content:
sudo nano /etc/usbguard/rules.conf
You will see lines like: allow id 1d6b:0003 serial "0000:00:14.0" name "xHCI Host Controller". If you see any “strangers,” feel free to delete them.
2. Activate the Security Layer
Once you have a solid rules file, go ahead and start the daemon:
sudo systemctl start usbguard
sudo systemctl enable usbguard
3. Flexible Device Management
When you plug in a new USB, USBGuard will block it by default. Check the list of “blocked” devices with the command:
usbguard list-devices
To temporarily allow a device (e.g., ID number 5) to operate, use:
usbguard allow-device 5
To allow this device permanently for future use, add the -p (permanent) flag:
usbguard allow-device 5 -p
A practical tip for server administration: never use weak passwords. I often combine USBGuard with passwords generated from toolcraft.app/en/tools/security/password-generator. This tool runs 100% in the browser, enhancing security without the risk of exposing information over the network.
Monitoring and Troubleshooting
How do you know USBGuard is actually working? Monitor the system logs in real-time.
Live Event Monitoring
usbguard watch
Every time a device is plugged in or removed, the screen will display the Vendor ID and the system’s action (allow/block/reject) in detail.
What to do if You Accidentally Lock Your Keyboard
Don’t panic if a misconfiguration locks you out of your keyboard. You have three lifelines:
- SSH in from another machine to fix the rules.conf file.
- Use a PS/2 port if your older hardware supports it.
- Boot into Recovery Mode to disable the usbguard service.
Advanced Configuration for Sensitive Environments
For workstations in public areas, you should set a more aggressive default policy in /etc/usbguard/usbguard-daemon.conf:
ImplicitPolicyTarget=block
The block value keeps the device in a pending state for manual approval. If changed to reject, the device is completely disconnected at the hardware level; the OS won’t even recognize its existence.
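As an added example (not from the original post or the USBGuard project), the Python script below parses constructed `usbguard list-devices` output and flags any device that presents both a mass-storage interface (class 08) and a HID interface (class 03), the combination a BadUSB "thumb drive" that also types shows. The device ids, names and hashes are made up, and the generic rule set is modelled on the suspicious-interface-combination example in the usbguard-rules.conf manual.

```python
import re

# Constructed sample of `usbguard list-devices` output (not captured from a real host).
SAMPLE_LIST = """\
1: allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" hash "AAAA" parent-hash "BBBB" via-port "usb1" with-interface 09:00:00 with-connect-type ""
4: allow id 046d:c31c serial "" name "USB Keyboard" hash "CCCC" parent-hash "AAAA" via-port "1-3" with-interface { 03:01:01 03:00:00 } with-connect-type "hotplug"
5: block id 0781:5583 serial "4C530001" name "Ultra Fit" hash "DDDD" parent-hash "AAAA" via-port "1-2" with-interface 08:06:50 with-connect-type "hotplug"
7: block id 1b1c:1b20 serial "" name "Trusty Thumb Drive" hash "EEEE" parent-hash "AAAA" via-port "1-4" with-interface { 08:06:50 03:01:01 } with-connect-type "hotplug"
"""

# Generic rules (modelled on the usbguard-rules.conf manual): plain storage is fine,
# storage that also exposes a keyboard/mouse interface is rejected.
COMPOSITE_GUARD_RULES = """\
allow with-interface equals { 08:*:* }
reject with-interface all-of { 08:*:* 03:00:* }
reject with-interface all-of { 08:*:* 03:01:* }
"""

# One device per line: "<id>: <target> id <vid>:<pid> ... with-interface <iface | { ifaces }> ..."
LINE_RE = re.compile(
    r'^(?P<id>\d+): (?P<target>allow|block|reject) id (?P<vid>[0-9a-f]{4}):(?P<pid>[0-9a-f]{4})'
    r' .*?with-interface (?P<ifaces>\{[^}]*\}|\S+)')

def parse_devices(text):
    """Turn list-devices output into dicts with id, target, vid:pid and interface classes."""
    devices = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ifaces = m.group("ifaces").strip("{} ").split()
        devices.append({"id": int(m.group("id")), "target": m.group("target"),
                        "vid_pid": f'{m.group("vid")}:{m.group("pid")}',
                        "interfaces": ifaces})
    return devices

def is_hid(iface):
    return iface.startswith("03:")

def is_storage(iface):
    return iface.startswith("08:")

def suspicious(devices):
    """Devices that are both a disk and a keyboard/mouse: a thumb drive should never type."""
    return [d for d in devices
            if any(is_hid(i) for i in d["interfaces"]) and any(is_storage(i) for i in d["interfaces"])]

def reject_rule(device):
    """Targeted rules.conf line rejecting this vendor:product when it combines storage and HID."""
    return f'reject id {device["vid_pid"]} with-interface all-of {{ 08:*:* 03:*:* }}'

if __name__ == "__main__":
    for dev in suspicious(parse_devices(SAMPLE_LIST)):
        print(f'device {dev["id"]} ({dev["vid_pid"]}) is storage+HID: {reject_rule(dev)}')
```

Run it against real output with `usbguard list-devices | python3 check_usb.py`-style piping only after replacing the constructed sample with `sys.stdin.read()`; the generated reject lines are meant to be reviewed, then appended to /etc/usbguard/rules.conf.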
Deploying USBGuard takes only about 10 minutes, but the security benefits are invaluable. It serves as the final line of defense, making your system immune to today’s common physical attack techniques.