Using linux? Have USB ports? Don't want to get hit with one of the many evil USB devices out there (poisiontap, usbdriveby, ducky, badusb and network_attacks). Yet you don't want to fill your USB ports with epoxy? Then use this udev_paranoia to block all new USB devices with a UDEV rule and allow them temporarily, only as you need them.
$ /opt/udev_paranoia -h
Usage:
/opt/udev_paranoia [PERMS] [OPTIONS]
FLAGS:
-b: block EVERYTHING (no wait)
-a: allow all EVERYTHING
-d: block dangerious (same as -n and -n)
-i: block only usbhid devices (DRIVER==usbhid)
-n: block only usb_interface (DEVTYPE=usb_interface)
Options:
-h: help menu
-t: temp permission change wait time (0 for permanent))
-r: read current permissionsBy default udev_paranoia wants to block all USB devices. When you want to plug somethething in run it with -a or -i to temporarily allow USB devices. Adding a -t0 will perminently allow those devices. Use -r to check what the current status.
The rule is saved in the /tmp directory. So it will disappear upon reboot. This means the rule will not affect the booting process. It also means you need to remember (or script) the initialization of the rules.
Run the following:
$ make
$ sudo make install $ sudo make uninstallA new udev rule is add. The rule can be found in the 11-udev_paranoia.rules file. This rule checks to see if udev_paranoia is in use via the existence of the permissions file (/tmp/udev_paranoia_protection). If the file exists then the rule consults the udev_paranoia_master program before allowing a new device.
udev_paranoia is developed by Dennis Goodlett (dennis@hurricanelabs.com) and can be found here: http://github.com/swoops/udev_paranoia This software is released under the GNU Public General License v3 and is provided "as is" without warranty of any kind, neither express nor implied.