Skip to content

SolverNA/usb-auth-guard

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

24 Commits
debian
debian
Β 
Β 
src
src
Β 
Β 
.gitignore
.gitignore
Β 
Β 
Makefile
Makefile
Β 
Β 
README.md
README.md
Β 
Β 
install.sh
install.sh
Β 
Β 
uninstall.sh
uninstall.sh
Β 
Β 

Repository files navigation

usb-auth-guard

Blocks all USB devices by default and shows a native polkit password dialog before allowing any new device.

Protects against:

  • BadUSB / Rubber Ducky / O.MG Cable β€” HID injection blocked until auth
  • USB data exfiltration β€” drives require password
  • Physical access attacks β€” VID:PID spoofing doesn't help
Insert USB β†’ USBGuard blocks it
                ↓
      usb-auth-guard detects event
                ↓
      Password dialog appears
                ↓
  Correct password β†’ device works
  Cancel / wrong   β†’ device stays blocked

Install (Debian / Ubuntu / Kali)

curl -fsSL https://raw.githubusercontent.com/SolverNA/usb-auth-guard/master/install.sh | sudo bash

Then either:

  • Log out and log back in (recommended), or
  • Run: systemctl --user start usb-auth-guard

The service needs to start inside your graphical session for the dialog to appear.

Uninstall

curl -fsSL https://raw.githubusercontent.com/SolverNA/usb-auth-guard/master/uninstall.sh | sudo bash

Troubleshooting

No password prompt appears

# Check service status
systemctl --user status usb-auth-guard
journalctl --user -u usb-auth-guard -f

# Check usbguard-dbus
sudo systemctl status usbguard-dbus

Keyboard/mouse blocked after install

# Temporarily allow all devices
sudo sed -i 's/InsertedDevicePolicy=.*/InsertedDevicePolicy=apply-policy/' /etc/usbguard/usbguard-daemon.conf
sudo systemctl restart usbguard

# Reconnect devices, regenerate rules
sudo usbguard generate-policy | sudo tee /etc/usbguard/rules.conf

# Re-enable blocking
sudo sed -i 's/InsertedDevicePolicy=.*/InsertedDevicePolicy=block/' /etc/usbguard/usbguard-daemon.conf
sudo systemctl restart usbguard

View logs

journalctl --user -u usb-auth-guard -f   # user service
sudo journalctl -u usbguard -f           # usbguard

Alternative install methods

From source (git clone)

git clone https://github.com/SolverNA/usb-auth-guard
cd usb-auth-guard
sudo make install
systemctl --user enable --now usb-auth-guard

Build .deb package

git clone https://github.com/SolverNA/usb-auth-guard
cd usb-auth-guard
make deb
sudo apt install ./usb-auth-guard_1.0.0.deb
systemctl --user enable --now usb-auth-guard

How it works

Component Role
USBGuard Blocks devices at kernel level
usbguard-dbus Exposes events on D-Bus
usb-auth-guard Python daemon listening for events
polkit + pkexec Native password dialog
helper Root helper for usbguard allow-device

Authorization is per-session only β€” same device requires re-auth next time.

Requirements

  • Debian/Ubuntu/Kali or compatible
  • systemd
  • Python 3 + dbus + gi
  • polkit

License

MIT

About

πŸ”’ Block all USB devices by default β€” require password auth via polkit before any device is allowed. Protects against BadUSB, Rubber Ducky & HID injection attacks.

Topics

python debian kde rubber-ducky systemd dbus hardening pentest kali-linux badusb security-tools linux-security polkit physical-security usbguard endpoint-security hid-attack usb-security

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Contributors

Languages