Μηνιαία αρχεία: Απρίλιος 2018


Fedora GNU/Linux : Disable USB Storage Devices

There is this machine that runs Fedora GNU/Linux, for which its owners asked us to block all USB Storage Devices without affecting other peripheral devices like keyboards and mice. The reason for that was to prevent unlawful data leakage that the users of that machine could do.

On Linux there is a kernel module named usb_storage that can be found at /lib/modules/$KERNEL_VERSION/kernel/drivers/usb/storage/usb-storage.ko.xz (to get the kernel version, execute uname -r;) which operates as the USB Mass Storage driver for Linux.

Apparently, we just needed to block the usb_storage module.  Initially, we tried to block the module by using the /etc/modprobe.d/blacklist.conf file but with no success. We failed to blacklist the module using the following commands (we were not sure which of the two names are correct, so we tried both, one at a time. It appears that both can be correct..):
echo -e "usb_storage\n" | sudo tee -a /etc/modprobe.d/blacklist.conf;
echo -e "usb-storage\n" | sudo tee -a /etc/modprobe.d/blacklist.conf;

After creating/updating the blacklist.conf file we restarted the machine as the module does not get loaded on boot automatically, it only gets loaded when needed. Unfortunately, as we mentioned before, these attempts led to no solution as we were still able to use USB storage devices even after creating the blacklist.conf file.
Since this method failed, we had to turn our heads towards a different solution, that due to its nature, it can be considered a hack.

Solution

What we did was to create a new configuration file in /etc/modprobe.d/ that would prevent usb_storage from being loaded by redirecting any requests to load the specific module to the /bin/true application.

echo "install usb_storage /bin/true" >> /etc/modprobe.d/disable-usb-storage.conf;
# Or the following (both names usb_storage and usb-storage seem to work)
# echo "install usb-storage /bin/true" >> /etc/modprobe.d/disable-usb-storage.conf;

Then, we had to make sure that the module was not already loaded. To see if the usb_storage module was already loaded we executed:

lsmod | grep -i usb_storage;

When lsmod | grep -i usb_storage; did not return any results, then it meant we were done! Since it was not in the list, it meant that the module was not loaded and so the next time someone tried to use a USB mass storage device they would not be able to load the module.

In cases were we got a line back (and thus the module was already loaded), then we needed to unload it manually or restart the machine. To avoid rebooting the machine we used modprobe to unload the usb_storage module.

modprobe -r usb_storage;

Some times, we would get the following error: modprobe: FATAL: Module usb_storage is in use.. This error meant that some other kernel module was using usb_storage and would not allow us to unload it. Using lsmod | grep -i usb_storage; we would get back a line like the following: usb_storage 73728 1 uas. The last column is a comma separated list of kernel modules that use usb_storage and we would need to unload them as well (replacing commas with space characters). Since we had only one dependency, our command became like the one below:

modprobe -r uas usb_storage;

And we were done!

To Re-enable USB mass storage devices (revert)

That is the easy part, to re-enable access to the USB mass storage devices, all we had to do was delete the configuration file:

rm /etc/modprobe.d/disable-usb-storage.conf;

Of course, to block them again, the we would have to follow the steps in the above solution.

Advertisements

Fedora GNU/Linux: Disable/Stop or Enable/Start Bluetooth service

There was this Fedora box for which we were asked to disable most of the methods it had available for communicating with the outside world.
One of the features of the box that we decided to block was its Bluetooth device.
To make our life easy, and since the users would not have admin rights, we decided to simply stop and disable the Bluetooth service on the box and be over with it!

The way we stopped and disabled the Bluetooth service was with the following two devices.

#Stop Bluetooth service that is currently executing
systemctl stop bluetooth;
#Prevent Bluetooth service from starting after a reboot
systemctl disable bluetooth;

Once you disable the service and stop it, you will notice that on the GUI of the Gnome settings application it still shows the basic menu for the Bluetooth device.
That should not worry you though because if you enter the Bluetooth configuration tab you will notice that the user will not be able to turn the device on and make use of it.

Revert changes and re-enable / re-start the Bluetooth service:

In order to restore the Bluetooth service back to normal (to enable it and start it), just execute the following two commands:

#Start the Bluetooth service right now
systemctl start bluetooth;
#Make sure that Bluetooth service will start after each system restart
systemctl enable bluetooth;


Anonabox Pro – Disable Wi-Fi

The following video demonstrates how to disable the Wi-Fi on an  Anonabox Pro.

  1. Connect to the device via the LAN Ethernet port.
    It has a build DHCP server by default so you do not need to configure the IP.
    After you get connected, go to the default location of the device interface, which is http://192.168.19.84:1776/.
  2. After the interface loads, enter the root password and click on the Login button.
    (if you are using a brand new Anonabox or a box that was recently flashed then click on the Login button without entering a password (if you enter one, it will be ignored)).
  3. Then, go to the top menu Network and select the option Wireless
  4. At the new page, under the category Wireless Overview click on the Disable button.
  5. Finally, click on the OK button when you get the Really shut down network? confirmation box and wait for the changes to get applied, the image with the Wi-Fi logo will change to one that has a red stamp on it and right under the SSID field you will get the message Wireless is disabled or not associated.

To enable the WiFi, just repeat the steps above and click on the Enable button.


GNU/Linux Fedora 27: Prevent Network Manager from restarting after reboot 1

Recently we were working on a Fedora 27 GNU/Linux box where we needed to completely disable the Network Manager.
Initially, we just stopped the NetworkManager service and then disabled it thinking that it would be enough.
To our surprise after we rebooted the box, we noticed that the Network Manager was active again!

After some research we found out that another service called NetworkManager-wait-online was starting the NetworkManager as some sort of recovery mechanism.
So, in order to permanently block NetworkManager from starting on boot, we disabled NetworkManager-wait-online as well.

In the end our solution to disable the NetworkManager service came down to executing the following commands as root (or using sudo):

systemctl stop NetworkManager;
systemctl stop NetworkManager-wait-online;

systemctl disable NetworkManager;
systemctl disable NetworkManager-wait-online;


Anonabox Pro – Set Root Password On Initial Setup

The following video demonstrates how to setup the root password for a new (or recently flashed) Anonabox Pro.

  1. Connect to the device via the LAN Ethernet port.
    It has a DHCP server by default so you do not need to configure the IP.
    After you get connected, go to the default location of the device interface, which is http://192.168.19.84:1776/.
  2. After the interface loads, click on the Login button without entering a password (if you enter one, it will be ignored).
  3. Then go to the top menu System and select the option Administration
  4. At the new page, under the category Router Password enter the password you wish to use both at the Password and Confirmation fields.
  5. Finally, click on the Save & Apply button and wait for the changes to get applied, a confirmation message will appear at the top of the page under the top menu.