usbguard
An Idea: Timeout for blocking of devices
Using this software sounded a bit complicated to me, and I tried to figure out how it could have simple and streamlined basic functions that offer a good security level once enabled. I came up with this (sorry if you already have this implemented, but I did not find any mention of it on your web page after some searching):
- An authorized user can prompt USBGuard to read serial numbers from the currently physically connected USB devices; it then asks the user whether to allow them (y/n) and whether the timeout rule is used or not (y/n) for each of them.
- An authorized user can define a connection timeout for allowed USB devices. Ports open automatically when the correct sudo password is entered in the terminal, or alternatively after that when prompted (an option), and then close when the timeout value is reached.
Any thoughts? If it is already there and similarly simplified for an average user, then never mind this post. Otherwise it might be good to state it clearly at the beginning of the instructions page.
Hi,
- https://github.com/Cropi/usbguard-notifier
Timeout is a good idea, we will consider it.
Can you please change the title to something more meaningful? Like "timeout for blocking of devices" or so.
Seems pretty reasonable to do something like this:
- First connection of a device is "instant."
- After a device is connected, all device connections are ignored for a timeout. This can even be incredibly short and still have a great effect, like 200 ms, and prevent any kind of brute force attack. Another option is to do something like what PAM does, and put a big timeout after three tries (I don't like this option as much; it is too jarring).
This should be a default feature, in my opinion, and you should be able to raise the timeout (which you might want to do especially if you think you are vulnerable to a brute force attack for some reason). 99.9% of users wouldn't notice any change in their system with this change.
I don't know how common it is for a device to have a really small brute force space to attack, but if it is at all common then this would be a meaningful addition to their security.
Do manufacturers sometimes have very small numbers of device identities (like, say, 100000)?
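The two rate-limiting variants proposed in the comment above, simulated over one event stream, as an added example that is not part of this issue or of usbguard's code. The event stream, the policy classes and the 200 ms / three-tries parameters are constructed for illustration; both policies are host-wide and do not key on device identity, as the comment proposes.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed event stream: (arrival time in ms, identity presented by the device).
# A keyboard at t=0, a 50-device guessing burst from t=100 every 10 ms (the
# brute-force case discussed above), then the same keyboard re-plugged at t=5000.
EVENTS = ([(0, "046d:c31c:kbd-1")]
          + [(t, f"ffff:{i:04x}:guess") for i, t in enumerate(range(100, 600, 10))]
          + [(5000, "046d:c31c:kbd-1")])

@dataclass
class CooldownPolicy:
    """Variant 1: once a connection has been handled, ignore every further
    connection until window_ms has elapsed; the first connection is instant."""
    window_ms: int = 200
    last_handled: Optional[int] = None

    def decide(self, t_ms: int, device: str) -> str:
        if self.last_handled is not None and t_ms - self.last_handled < self.window_ms:
            return "ignore"
        self.last_handled = t_ms
        return "evaluate"  # hand the device to the normal rule set

@dataclass
class BackoffPolicy:
    """Variant 2 (PAM-like): more than max_tries connections inside window_ms
    starts a lockout of lockout_ms during which everything is ignored."""
    max_tries: int = 3
    window_ms: int = 1000
    lockout_ms: int = 30_000
    recent: list = field(default_factory=list)
    locked_until: int = -1

    def decide(self, t_ms: int, device: str) -> str:
        if t_ms < self.locked_until:
            return "ignore"
        self.recent = [t for t in self.recent if t_ms - t < self.window_ms] + [t_ms]
        if len(self.recent) > self.max_tries:
            self.locked_until = t_ms + self.lockout_ms
            self.recent.clear()
            return "ignore"
        return "evaluate"

def run(policy, events=EVENTS) -> list:
    """Feed the events through a policy in arrival order and return the decisions."""
    return [policy.decide(t, dev) for t, dev in events]

if __name__ == "__main__":
    for p in (CooldownPolicy(), BackoffPolicy()):
        d = run(p)
        print(type(p).__name__, d.count("evaluate"), "evaluated; re-plug at 5000 ->", d[-1])
```

With these parameters the cooldown lets 4 of 52 connections reach the rule set and still evaluates the legitimate re-plug, while the backoff evaluates only 3 but is still locked out when the keyboard returns, which is the "jarring" trade-off the comment describes.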