Modprobe

modprobe is a Linux program for loading a loadable kernel module into a Linux kernel, unloading a loaded module, and many other related tasks. It can decide which modules to load and is aware of module dependencies: when asked to load a module, it adds the other required modules first and resolves recursive module dependencies.

It is commonly used indirectly. For example, udev relies upon modprobe to load drivers for automatically detected hardware.

Operation

When invoked with no switches, the program adds/inserts/installs the module specified by name. Arguments after the module name are passed to the kernel. Configuration file options are also passed.

In some versions of modprobe, the configuration file is called modprobe.conf; in others, the equivalent is the collection of files in the /etc/modprobe.d directory.

modprobe looks only in the standard module directories. To install modules from the working directory, insmod is required. Alternatively, a symbolic link can be used so that depmod can find the module.

Root privileges are typically required to perform the actions that modprobe attempts.

Blacklist

There are cases where two or more modules both support the same devices, or a module invalidly claims to support a device: the blacklist keyword indicates that all of a particular module's internal aliases are to be ignored.

There are a couple of ways to blacklist a module; where it is configured depends on the method used to load it.

There are two ways to blacklist a module with modprobe, employing the modprobe.conf system. The first is to use its blacklisting system in /etc/modprobe.d/. Any filename ending with .conf can be used:

cat /etc/modprobe.d/blacklist.conf
blacklist ieee1394
blacklist ohci1394
blacklist eth1394
blacklist sbp2

An install primitive has the highest priority in the config file and will be used instead of the blacklisting method above. This gives the second method:

cat /etc/modprobe.d/ieee1394.conf
install ieee1394 /bin/true
install ohci1394 /bin/true
install eth1394 /bin/true
install sbp2 /bin/true

Alternatively, you can modify /etc/modprobe.conf:

alias sub_module /dev/null 
alias module_main /dev/null 
options module_main needed_option=0

Existing Configurations for PVE

Hetzner Install Image /etc/modprobe.d/hetzner.conf

### Hetzner Online GmbH - installimage
options drm edid_firmware=edid/1280x1024.bin

Hetzner Install Image Blacklist /etc/modprobe.d/blacklist-hetzner.conf

### Hetzner Online GmbH - installimage
### unwanted kernel modules
blacklist pcspkr
blacklist snd_pcsp
### buggy kernel modules
blacklist mei
blacklist mei-me
blacklist sm750fb

Proxmox Blacklist /etc/modprobe.d/pve-blacklist.conf

# This file contains a list of modules which are not supported by Proxmox VE 

# nvidiafb see bugreport https://bugzilla.proxmox.com/show_bug.cgi?id=701
blacklist nvidiafb

Intel Microcode Blacklist /etc/modprobe.d/intel-microcode-blacklist.conf

# The microcode module attempts to apply a microcode update when
# it autoloads.  This is not always safe, so we block it by default.
blacklist microcode

AMD Microcode Blacklist /etc/modprobe.d/amd64-microcode-blacklist.conf

# The microcode module attempts to apply a microcode update when
# it autoloads.  This is not always safe, so we block it by default.
blacklist microcode

MDADM Module /etc/modprobe.d/mdadm.conf

# mdadm module configuration file
# set start_ro=1 to make newly assembled arrays read-only initially,
# to prevent metadata writes.  This is needed in order to allow
# resume-from-disk to work - new boot should not perform writes
# because it will be done behind the back of the system being
# resumed.  See http://bugs.debian.org/415441 for details.

options md_mod start_ro=1

Required Additional configurations

We are adding several additional configuration files to improve server security. We name the files so that we know which setting goes into which configuration file. All files are loaded automatically as long as the file extension is .conf.

File Systems

For File System Hardening we add /etc/modprobe.d/hardening-filesystems.conf

install cramfs /bin/false
install freevxfs /bin/false
install jffs2 /bin/false
install hfs /bin/false
install hfsplus /bin/false
install squashfs /bin/false
install udf /bin/false
#install cifs /bin/true
install nfs /bin/true
install nfsv3 /bin/true
install nfsv4 /bin/true
install ksmbd /bin/true
#install gfs2 /bin/true

Network Protocols

For Network Protocol Hardening we add /etc/modprobe.d/hardening-network-protocols.conf

install dccp /bin/false
install sctp /bin/false
install rds /bin/false
install tipc /bin/false
install n-hdlc /bin/false
install ax25 /bin/false
install netrom /bin/false
install x25 /bin/false
install rose /bin/false
install decnet /bin/false
install econet /bin/false
install af_802154 /bin/false
install ipx /bin/false
install appletalk /bin/false
install psnap /bin/false
install p8023 /bin/false
install p8022 /bin/false
install can /bin/false
install atm /bin/false

Others

For Additional drivers Hardening we add /etc/modprobe.d/hardening-other.conf

install vivid /bin/false
install bluetooth /bin/false
#install btusb /bin/false
install uvcvideo /bin/false
#install usb-storage /bin/false
install firewire-core /bin/false
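
To check that the hardening files above do what is intended, and to show the difference between the blacklist and install methods from the Blacklist section, the following added example (not part of the original page) classifies each module by how a modprobe.d-style directory restricts it. The function names and the sample directory are assumptions made for the example; the sample lines are taken from the files shown on this page.

```shell
#!/bin/sh
# Added example (not from the original page): report how modprobe.d-style
# files restrict a module. DIR is a parameter so it can run on a copy.

# audit_module DIR MODULE -> install-disabled | blacklist-only | unrestricted
audit_module() {
    # modprobe treats '-' and '_' in module names as the same character
    want=$(printf '%s' "$2" | sed 's/-/_/g')
    cat "$1"/*.conf 2>/dev/null | awk -v want="$want" '
        /^[ \t]*#/ || NF == 0 { next }           # comments and blank lines
        { name = $2; gsub(/-/, "_", name) }
        name != want { next }
        $1 == "blacklist" { bl = 1 }
        # "install <mod> /bin/true|false" replaces the real load with a no-op
        $1 == "install" && NF == 3 && $3 ~ /^\/(usr\/)?bin\/(true|false)$/ { inst = 1 }
        END {
            if (inst) print "install-disabled"
            else if (bl) print "blacklist-only"
            else print "unrestricted"
        }'
}

# audit_list DIR MODULE... -> prints a table; non-zero if any module is
# not install-disabled (blacklist alone does not stop an explicit modprobe)
audit_list() {
    dir=$1; shift; rc=0
    for m in "$@"; do
        state=$(audit_module "$dir" "$m")
        printf '%-16s %s\n' "$m" "$state"
        [ "$state" = install-disabled ] || rc=1
    done
    return "$rc"
}

# make_sample DIR: constructed sample built from lines shown on this page
make_sample() {
    printf 'blacklist nvidiafb\n' > "$1/pve-blacklist.conf"
    printf 'install n-hdlc /bin/false\n' > "$1/hardening-network-protocols.conf"
    printf '%s\n' 'install firewire-core /bin/false' \
        '#install usb-storage /bin/false' > "$1/hardening-other.conf"
}

demo=$(mktemp -d)
make_sample "$demo"
audit_list "$demo" firewire_core n_hdlc nvidiafb usb_storage ||
    echo "not every listed module is install-disabled"
rm -rf "$demo"
```

On a live host, point the functions at /etc/modprobe.d; `modprobe --showconfig` prints the merged configuration that modprobe itself uses.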