Kernel hardening: Disable and blacklist Linux modules

Disable and blacklist Linux kernel modules

The Linux kernel is modular, which makes it more flexible than monolithic kernels. New functionality can easily be added to a running kernel by loading the related module. While that is great, it can also be misused. Think of someone loading malicious modules (e.g. rootkits), or gaining unauthorized access to the server and copying data via a USB port. In our previous article about kernel modules, we looked at how to prevent loading any module. In this case, we specifically disallow the ones we don’t want.

Blacklisting modules

Blacklisting modules is one way to disallow them. This defines which modules should no longer be loaded. However, it will only limit the loading of modules during the boot process. You can still load a module manually after booting.

Blacklisting a module is simple. Create a file in the /etc/modprobe.d directory and give it a proper name (e.g. blacklist-module.conf).

Blacklisting firewire

Let’s say we want to blacklist firewire. We first have to determine what modules are available. By using find, we can quickly determine the related kernel drivers:

[root@arch kernel]# find /lib/modules/`uname -r` -name '*firewire*'

Now we know there are multiple modules, most of them part of the drivers section and one in the sound section. If we want to disable all these modules, we could simply blacklist them all, or block the generic category.

Gathering module information

By using modinfo, we can gather the details about a particular module. In this case, we have a look at the snd-firewire-lib module and see what it does:

[Screenshot: modinfo output showing on which modules a module depends]

We can see it depends on firewire-core. Let’s have a look at the firewire-core module itself:

[Screenshot: modinfo details of the firewire-core module]

The details of the firewire-core module show that it is responsible for firewire itself. It is the core unit and handles the transaction logic within the IEEE1394 protocol specifications. We can see it depends on the CRC-ITU-T standard.

By blacklisting firewire-core, we effectively disable any module depending on it. In this case, we don’t blacklist the crc-itu-t module, as that could prevent other modules from functioning properly.

The related snippet to blacklist would be:


blacklist firewire-core

See blacklisted modules

To see what modules are currently blacklisted, we can use the modprobe command:

[root@arch kernel]# modprobe --showconfig | grep blacklist
blacklist firewire_core

This will show all modules which are blacklisted.

Disable modules

The next level of blacklisting modules is to actually disable them. This way they won’t be loaded unintentionally.

To disable a module, we redirect it via the install option. Instead of loading the module, modprobe will run the file defined there. By defining the install target of a module as /bin/true or /bin/false, the module won’t be loaded.

[Screenshot: modprobe failing to load a module; using the install option we can avoid loading modules]

Tip: Using /bin/false as install target is better, as it clearly shows in the configuration that something is not allowed.

To see what modules are currently disabled via install, we can use modprobe as well:

[root@arch kernel]# modprobe --showconfig | grep "^install" | grep "/bin"
install firewire_core /bin/false
install firewire_ohci /bin/false

Note: the root user can still override settings by using the --ignore-install parameter. In that case, the module can still be loaded.

Besides the install routine, there is also an alias option. This might be used to redirect a module to /dev/null for example.


By using the right combination of blacklist, install and alias, we can disallow loading of Linux kernel modules. They form the first level of defense against unintentional and unauthorized module loading. By setting the kernel setting kernel.modules_disabled to 1, we can make sure things are really tightened. Even the root user cannot load any modules anymore.
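
The checks from the sections above combined into one audit, as an added example that is not part of the original article: module_state classifies a module from modprobe --showconfig output as disabled via install, blacklisted only, or unrestricted, and modules_locked checks kernel.modules_disabled. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit module restrictions from `modprobe --showconfig` output.

# Constructed sample configuration (not captured from a real host).
SAMPLE_CONFIG='blacklist firewire_core
install firewire_core /bin/false
install firewire_ohci /bin/false
blacklist snd_firewire_lib
install usb_storage /sbin/modprobe --ignore-install usb_storage'

# module_state MODULE: reads modprobe configuration on stdin and prints
# "disabled" (install points to /bin/false or /bin/true), "blacklisted"
# or "unrestricted". "-" and "_" in module names are treated as equal,
# as modprobe does.
module_state() {
    awk -v want="$1" '
        BEGIN { gsub(/-/, "_", want) }
        { name = $2; gsub(/-/, "_", name) }
        name != want { next }
        $1 == "install" && ($3 == "/bin/false" || $3 == "/bin/true") { disabled = 1 }
        $1 == "blacklist" { blacklisted = 1 }
        END {
            if (disabled) print "disabled"
            else if (blacklisted) print "blacklisted"
            else print "unrestricted"
        }'
}

# audit_config CONFIG MODULE...: print the state of each module and
# return 1 when at least one of them is not disabled via install.
audit_config() {
    config=$1; shift
    rc=0
    for mod in "$@"; do
        state=$(printf '%s\n' "$config" | module_state "$mod")
        printf '%-18s %s\n' "$mod" "$state"
        [ "$state" = "disabled" ] || rc=1
    done
    return "$rc"
}

# modules_locked [FILE]: succeeds when kernel.modules_disabled is set to 1.
modules_locked() {
    [ "$(cat "${1:-/proc/sys/kernel/modules_disabled}" 2>/dev/null)" = "1" ]
}

# Run against the sample; on a real host pass "$(modprobe --showconfig)" instead.
audit_config "$SAMPLE_CONFIG" firewire-core firewire-ohci snd-firewire-lib usb-storage \
    || echo "Not every listed module is disabled via install"
```

A module reported as blacklisted can still be loaded manually, and an install line that points to anything other than /bin/false or /bin/true (the usb_storage line in the sample) does not count as disabled.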

Useful commands

When working with kernel modules, here are some of the most common commands:

  • Blacklisted and disabled modules
    • modprobe --showconfig | grep -E "^(blacklist|install)"
  • Find modules
    • find /lib/modules/`uname -r` -print
  • Show loaded modules
    • lsmod
  • Load module
    • modprobe module
  • Unload module
    • modprobe -r module
  • Module details
    • modinfo module

Questions or other tips? Share them in the comments.
