How insecure is it to use rsync in daemon mode without SSH?

17,724

Solution 1

When you use SSH you gain not only confidentiality but you also gain authentication.

The confidentiality makes sure that nobody can see your data as it's being sent over the internet. The authentication makes sure that you are actually connected to the right server (a man-in-the-middle attack, as fyr mentioned). If your data isn't that important you may say something like "Hey, nobody's going to steal my data, it's not that important".

The security issue which really worries me is the lack of authentication when you just do rsync without authentication. This means that anybody can connect and send data to or from your machine. Imagine someone's sitting anywhere in between the servers and they see an unauthenticated connection writing data via rsync. Now they know how to log into your server and dump and retrieve information. You've just created a free anonymous file dump for everyone. This may not seem like a big problem until people start using it for illegal purposes, or just dump a virus/rootkit onto your machine.

In my opinion there is no risk level 1-10 which can quantify this risk; it's simply unacceptable. It only takes a port scan to see that the port is open, then a script may find the vulnerability.

Solution 2

Rsync transactions without SSH are insecure because the protocol and the software itself do not include any content encryption. So if there is a man in the middle, he can read/copy what you are backing up. The authentication can be read as well.

You should consider either using SSH or VPN between your production and backup network.

Author: Mohammed Shannaq, Web Developer

Updated on June 17, 2022

Comments

  • Mohammed Shannaq almost 2 years

    As we know, we can use rsync via SSH to send files between computers, especially across different networks (e.g. the Internet), to have secure transfers. (That's right, and we all agree with it.)

    And as we also know, rsync does not provide any security while transferring data the normal way, therefore we use SSH as a cover.

    So, the idea!

    If we use rsync in daemon mode (on the Linux backup server located in England, for example) and we start backing up the data from Linux computers (in France, for example) over the Internet line without using SSH (just using the normal rsync daemon option)

    example:

    rsync -vazi --progress source rsync://[email protected]/somefolder/
    

    So the question is:

    Do you think this is a secure way?

    If not, can anyone know what we are transferring and what the content of the files we are transferring is?

    Also, is there a chance to catch the password which we entered when rsync prompts for the rsync user password?

    I know that using SSH or stunnel is more secure, but really I want to know more about why it is insecure to use the normal way, especially when we are rsyncing data between computers over the Internet.

    And thanks for any answers.

  • Mohammed Shannaq over 12 years
    Okay, a man spying on me? Or any man between the networks? And what is the level of risk out of 10? 1 lowest, 10 high risk
  • fyr over 12 years
    Either someone who has access to your machine or anyone who has partial access to a node between your machine and the backup machine. Risk depends on the business value of your data, but on a risk matrix this would be considered to be >10 because you send plain data over a network you do not control and cannot trust.
  • Grant McLean over 11 years
    The native rsync protocol can be used in anonymous mode but it does also support authentication. See the --password-file command-line option and the "secrets file" daemon configuration parameter. This allows you to give specific people/processes the ability to upload to specified areas of the filesystem without actually requiring a user account. Although the password itself is never sent across the network in plain text, your data still is.
  • Paolo about 6 years
    I don't think so. "Also note that the rsync daemon protocol does not currently provide any encryption of the data that is transferred over the connection. Only authentication is provided. Use ssh as the transport if you want encryption.". download.samba.org/pub/rsync/rsyncd.conf.html
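An added POSIX shell example (not from this thread) that puts Solution 1's "anonymous file dump" concern and Grant McLean's secrets-file note side by side: it writes an anonymous, writable rsyncd module next to an authenticated one, flags any module that is writable without `auth users`, and checks that the secrets file is owner-readable only. The module name, paths, hostname and password are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Module name, paths, host and password are assumptions.
set -eu

# Same module twice: anonymous and writable (the question's setup) vs. authenticated.
write_configs() {
    dir="$1"
    cat > "$dir/rsyncd-anon.conf" <<'EOF'
[backup]
    path = /srv/backup
    read only = no
EOF
    cat > "$dir/rsyncd-auth.conf" <<EOF
[backup]
    path = /srv/backup
    read only = no
    auth users = backupuser
    secrets file = $dir/rsyncd.secrets
    hosts allow = 203.0.113.0/24
EOF
    # Constructed "user:password" line; with the default "strict modes = yes"
    # rsync refuses a secrets file that other users can read.
    printf 'backupuser:%s\n' 'example-password-CHANGE-ME' > "$dir/rsyncd.secrets"
    chmod 600 "$dir/rsyncd.secrets"
}

# Prints modules that are writable but need no authentication: Solution 1's
# "free anonymous file dump". rsyncd defaults: read only = yes, no auth users.
anonymous_writable_modules() {
    awk '
        function flush() { if (mod != "" && (ro == "no" || ro == "false" || ro == "0") && auth == "") print mod }
        /^[[:space:]]*\[/ { flush(); mod = $0; sub(/^[[:space:]]*\[/, "", mod); sub(/].*$/, "", mod)
                            ro = "yes"; auth = ""; next }
        /^[[:space:]]*read only[[:space:]]*=/ { v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v); ro = tolower(v) }
        /^[[:space:]]*auth users[[:space:]]*=/ { v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v); auth = v }
        END { flush() }' "$1"
}

# Returns 0 when only the owner can read the secrets file (what strict modes expects).
secrets_file_ok() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Even the authenticated daemon sends file contents in clear (Paolo's quote), so the
# transfer the answers recommend reaches the same module through SSH instead:
#   rsync -vazi --password-file=/etc/rsync.pass /data/ rsync://backupuser@backup.example.org/backup/   # authenticated only
#   rsync -vazi -e ssh /data/ backupuser@backup.example.org::backup/                                   # daemon module over SSH
```

Run the audit against a real `/etc/rsyncd.conf` to list modules that accept anonymous uploads.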