rsync and security, to use ssh or not?

[ovizii]

Ok, so I run a smallish NAS and would now like to backup a machine onto it via rsync. Set up rsync in the freeNAS GUI and a cron job on the machine to be backed up, all working perfectly.

Now I was wondering if this is insecure, the transfer being over WAN. So I read up on using rsync over SSH but then thought about the following:

I don't "usually" expose anything on the freeNAS to the internet, everything I access remotely is exposed inside a jail for added security but I don't want to lose the nice freeNAS GUI for setting rsync up and run it inside a jail so I thought how about tunnelling rsync through SSH to a jail, meaning the freeNAS rsync service would only be exposed to this one specific jail and my rsync would still be talking to the rsync server only through a tunnel.

Would that be a solution and if yes, any pointers?

 

[ovizii]

Anyone got any pointers or opinions?
I was hoping to bounce this questions past someone with more experience.

 

[DifferentStrokes]

I'm not sure if the GUI supports it, but rsync does have a way to do ssh connections built in. If the GUI doesn't let you do it you can do it from the command line. It is doable however.

 

[airflow]

I understand your idea, and I suppose it's definitely doable. It comes down to the fact that you cannot prepare this setup (rsync via jail) completely via GUI, you would either have to 1) configure kind of port-forward or protocol-tunneling within the jail pointing to FreeNAS (your idea) or 2) configure the rsync-daemon manually directly in the jail and don't use the GUI at all for this. I personally prefer and already implemented the latter method, because it's simpler.

 

[Revolution]

Or maybe think about a VPN solution.

 

[ovizii]

I'm not sure if the GUI supports it, but rsync does have a way to do ssh connections built in. If the GUI doesn't let you do it you can do it from the command line. It is doable however.

Well, that is easy, all I need is a user on the freeNAS which is allowed to use SSH in and then tell rsync on the other side to use ssh. But this would be an SSH user on the NAS itself.

 

[ovizii]

I understand your idea, and I suppose it's definitely doable. It comes down to the fact that you cannot prepare this setup (rsync via jail) completely via GUI, you would either have to 1) configure kind of port-forward or protocol-tunneling within the jail pointing to FreeNAS (your idea) or 2) configure the rsync-daemon manually directly in the jail and don't use the GUI at all for this. I personally prefer and already implemented the latter method, because it's simpler.

That sounds more complicated, I thought its as easy as:
server => rsync => ssh tunnel => jail => NAS
meaning I start a tunnel which tunnels the rsync port through to my jail, where it exits and connects to the NAS.