Filter USB devices with udev (and some PHP code)

Dec 23, 2022 by Thibault Debatty | 3474 views

Sysadmin PHP

https://cylab.be/blog/250/filter-usb-devices-with-udev-and-some-php-code

USB devices can be a liability : they can be used to exfiltrate data from a computer or server, to plug a hardware keylogger, or to plant a malware. Hence on a managed computer, USB devices should be filtered and whitelisted. In this blog post we show how this can be achieved thanks to udev, and some PHP code.

Udev is the Linux kernel component responsible for managing devices plugged on the system. When a device is plugged, udev basically perform 2 things: 1/ it creates appropriate entry in /dev and 2/ it executes user defined actions. For example, udev is used to trigger printer configuration when a printer is plugged on a USB port.

Ude rule

Custom udev rules are located in /etc/udev/rules.d/. So we can create a file called /etc/udev/rules.de/01-usb-filter.rule with the following content:

#
# USB devices filtering
# https://cylab.be/blog/250/filter-usb-devices-with-udev-and-some-php-code
#

ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", RUN+="/bin/sh -c '/opt/udev-filter-usb /sys$DEVPATH'"

This rule instructs udev to execute the script /opt/udev-filter-usb when a USB device is plugged (ACTION=="add").

Filtering script

Now we can create the filtering script /opt/udev-filter-usb with the following content:

#! /usr/bin/php
<?php
#
# USB devices filtering
# https://cylab.be/blog/250/filter-usb-devices-with-udev-and-some-php-code
#

$allowed_patterns = [
    # internal kernel USB hub
    '/Linux_.*-generic_xhci-hcd_xHCI_Host_Controller/',
    # USB optical mouse
    '/.*USB_Optical_Mouse/',
    # integrated webcam (in a laptop)
    '/.*Integrated_Webcam.*/',
];

$devpath = $argv[1];
$serial = getenv("ID_SERIAL");
$rule = "DENY";

foreach ($allowed_patterns as $pattern) {
    if (preg_match($pattern, $serial)) {
        $rule = "ALLOW";
        break;
    }
}

file_put_contents(
    "/var/log/udev-filter-usb",
    date("Y-m-d H:i:s") . " : $rule : $devpath : $serial\n",
    FILE_APPEND);

if ($rule != "ALLOW") {
    # uncomment next line to actually block devices
    # make sure you have whitelisted your USB keyboard if you use one!
    # exec("echo 0 > $devpath/authorized");
}

As you can see, this script uses regular expressions to allow (whitelist) only some devices. Don’t forget to make the script executable:

sudo chmod +x /opt/udev-filter-usb

Testing

To test, simply plug in a USB device, and check the logs in /var/log/udev-filter-usb:

udev-filter-usb.png

Warning: make sure you reboot at least once, and have your keyboard whitelisted, otherwise you may end up with a unusable box!

Blocking unauthorized devices

Once you have whitelisted your devices, you can uncomment the last line (exec("echo 0 > ...). This line writes a 0 in /sys/devices/.../authorized to effectively block unauthorized devices…

This blog post is licensed under CC BY-SA 4.0

Configure a Wireguard VPN on OPNSense

Sysadmin VPN

Feb 21, 2026 | 520 views
SSHing old devices : config snippet

Sysadmin

SSH was created in 1995 by Tatu Ylönen, a researcher at the Helsinki University of Technology in Finland [1]. Over more than 30 years of existence, it has evolved to offer more security. But once in a while you may have to SSH into an older device that does not support modern SSH algorithms and mechanisms. This is typically the case to configure network devices like switches.
Feb 18, 2026 | 320 views
How to Reset a Forgotten Root Password on Linux Distros

Linux Sysadmin

Jan 21, 2026 | 1416 views
This website uses cookies. More information about the use of cookies is available in the cookies policy.
Accept