Written by Kurt Seifried
rsync is an extremely efficient method for mirroring files, be it source code files of a CVS tree, a web site, or even this document. rsync preserves file permissions, links, file times and more. In addition to this, it supports an anonymous mode (which, incidentally, I use for the mirroring of this document) that makes life very easy for all concerned. The rsync program itself can act as the client (run from a command line or script) and as the server (typically run from inetd.conf). The program itself is quite secure: it does not require root privileges to run as a client nor as the server (although it can if you really want it to) and can chroot itself to the root directory of whatever is being mirrored (this however requires root privileges and can be more dangerous then it is worth). You can also map the user id and group id it will access the system as (the default is nobody for most precompiled rsync packages and is probably the best choice). In non-anonymous mode rsync supports usernames and passwords that are encrypted quite strongly using 128 bit MD4. The "man rsyncd.conf" page quite clearly covers setting up rsync as a server and making it relatively safe. The default configuration file is /etc/rsyncd.conf. It has a global section and module sections (basically each shared out directory is a module).
rsyncd.conf example:
motd file = /etc/rsync.motd # specifies a file to be displayed, legal disclaimer, etc. max connections = 5 # maximum number of connections so you don't get flooded [pub-ftp] comment = public ftp area # simple comment path = /home/ftp/pub # path to the directory being exported read only = yes # make it read only, great for exported directories chroot = yes # chroot to /home/ftp/pub uid = nobody # explicitly set the UID gid = nobody # explicitly set the GID [secret-stuff] comment = my secret stuff path = /home/user/secret # path to my stuff list = no # hide this module when asked for a list secrets file = /etc/rsync.users # password file auth users = me, bob, santa # list of users I trust to see my secret stuff hosts allow = 1.1.1.1, 2.2.2.2 # list of hosts to allow
As you can see rsync is quite configurable, and generally quite secure, the exception being the actual file transfers which are not encrypted in any way. If you need security I suggest you use SSH to tunnel a connection, or some VPN solution like FreeS/WAN. Also make sure you are running rsync 2.3.x or higher as a potential root compromise was found in 2.2.x. Rsync is available at: https://rsync.samba.org/. Rsync runs on port 873, tcp.
ipfwadm -I -a accept -P tcp -S 10.0.0.0/8 -D 0.0.0.0/0 873 ipfwadm -I -a accept -P tcp -S some.trusted.host -D 0.0.0.0/0 873 ipfwadm -I -a deny -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 873
or
ipchains -A input -p tcp -j ACCEPT -s 10.0.0.0/8 -d 0.0.0.0/0 873 ipchains -A input -p tcp -j ACCEPT -s some.trusted.host -d 0.0.0.0/0 873 ipchains -A input -p tcp -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 873
| Written by Kurt Seifried |