Rsync Security

Status
Not open for further replies.

mskenderian

Contributor
Joined
May 24, 2013
Messages
100
I am trying to lock down my box while using rsync. Moving data from a Windows box to FreeNAS. I am using DeltaCopy.

1) While making a new profile for the transfer, I noticed that if anyone types in the box's hostname, they can see all the rsync modules I have created (I don't like this).

2) I set up user auth. Works great. But I need to create a file on the local disk with the username and passwords, and at restart, the files are gone. The FreeNAS wiki says to look at additional parameters from rsyncd.conf(5), which states I need to add secrets file = /etc/rsyncd.secrets. So one issue is that on restart my newly created secrets file is gone. Plus I don't even care for the auth rsync uses, because they state
"The authentication protocol used in rsync is a 128 bit MD4 based challenge response system." I'd rather do SSH.

3) Another issue: under the rsync module settings for Hosts Deny it says
"This option is a comma, space, or tab delimited set of host which are NOT permitted to access this module. Where the lists conflict, the allow list takes precedence. In the event that it is necessary to deny all by default, use the keyword ALL (or the netmask 0.0.0.0/0) and then explicitly specify to the hosts allow parameter those hosts that should be permitted access. Leave this field empty to use default settings"
The keyword ALL does not work. I don't know if it's a bug or a typo, but 0.0.0.0/0 does work.

4) Given the weak security of the user auth, I'd rather set up rsync via SSH, and only SSH. How can I set this up while blocking anyone trying to connect to rsync without SSH?

Summary of Issues:
1) Anyone can see my module names from within the network.
2) Rsync auth doesn't work because the secrets file gets deleted on restart.
3) Hosts Deny keyword ALL does not work as stated in the tooltip window in FreeNAS (0.0.0.0/0 works).
4) How can I deny all access except if they are connected via SSH?
 

dlavigne

Guest
2) I set up user auth. Works great. But I need to create a file on the local disk with the username and passwords, and at restart, the files are gone. The FreeNAS wiki says to look at additional parameters from rsyncd.conf(5), which states I need to add secrets file = /etc/rsyncd.secrets. So one issue is that on restart my newly created secrets file is gone. Plus I don't even care for the auth rsync uses, because they state

Please add a comment to http://support.freenas.org/ticket/395 to let the devs know that this is still an issue.
 

delphij

FreeNAS Core Team
Joined
Jan 10, 2012
Messages
37
I am trying to lock down my box while using rsync. Moving data from a Windows box to FreeNAS. I am using DeltaCopy.

Anyone who is serious about "locking down" their system should disable rsyncd and only use rsync via SSH, period. (Based on my search, DeltaCopy does support SSH[1]; and yes, you don't need to enable the rsync service to have this work.) rsyncd has a very bad[2] track record in terms of security; plus, the protocol is not encrypted over the wire.

Only use it if you either don't care about data safety, or you are running on a trusted, local network.

[1] http://www.aboutmyip.com/AboutMyXApp/DisplayFAQ.do?fid=1
[2] http://secunia.com/community/advisories/search/?search=rsync . rsync 3.x has some improvements but I still can't trust it.
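
Where the rsync daemon is kept running anyway, the points raised in this thread (module listing, auth users and the secrets file, hosts allow/deny) can be checked mechanically. The following is an added example, not part of the original posts or of FreeNAS: a small Python audit of rsyncd.conf. The sample config, module names and the user winbox are constructed, and it counts only 0.0.0.0/0 as deny-all because the thread reports that the ALL keyword had no effect.

```python
# Added example: audit rsyncd.conf modules for the exposures discussed in this thread.
SAMPLE_CONF = """\
# constructed sample, not taken from the thread
secrets file = /etc/rsyncd.secrets
[backup]
path = /mnt/tank/backup
hosts deny = ALL
[media]
path = /mnt/tank/media
list = no
auth users = winbox
hosts allow = 192.168.1.10
hosts deny = 0.0.0.0/0
"""

def parse_rsyncd_conf(text):
    """Return (global_params, {module: params}) with normalised parameter names."""
    global_params, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), {})
            continue
        name, sep, value = line.partition("=")   # only the first '=' is significant
        if sep:
            key = "".join(name.split()).lower()  # whitespace in names is irrelevant
            (global_params if current is None else current)[key] = value.strip()
    return global_params, modules

def audit(text):
    """Map each module to a list of findings; an empty list means none."""
    global_params, modules = parse_rsyncd_conf(text)
    report = {}
    for name, params in modules.items():
        eff = {**global_params, **params}  # global values act as module defaults
        deny = eff.get("hostsdeny", "").replace(",", " ").split()
        checks = [
            (eff.get("list", "yes").lower() in ("yes", "true", "1"), "listable"),
            (not eff.get("authusers"), "no auth users"),
            (bool(eff.get("authusers")) and not eff.get("secretsfile"), "no secrets file"),
            ("0.0.0.0/0" not in deny, "no deny-all (0.0.0.0/0)"),
            (not eff.get("hostsallow"), "no hosts allow"),
        ]
        report[name] = [msg for failed, msg in checks if failed]
    return report

if __name__ == "__main__":
    for module, findings in audit(SAMPLE_CONF).items():
        print(module, "->", ", ".join(findings) or "ok")
```

On the constructed sample, the backup module is reported as listable, unauthenticated and without a working deny-all or an allow list, while media passes every check.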
 