Полезная информация

Network services - rsync

 

rsync is an extremely efficient method for mirroring files, be it source code files of a CVS tree, a web site, or even this document. rsync preserves file permissions, links, file times and more. In addition to this, it supports an anonymous mode (which, incidentally, I use for the mirroring of this document) that makes life very easy for all concerned. The rsync program itself can act as the client (run from a command line or script) and as the server (typically run from inetd.conf). The program itself is quite secure: it does not require root privileges to run as a client nor as the server (although it can if you really want it to) and can chroot itself to the root directory of whatever is being mirrored (this however requires root privileges and can be more dangerous then it is worth). You can also map the user id and group id it will access the system as (the default is nobody for most precompiled rsync packages and is probably the best choice). In non-anonymous mode rsync supports usernames and passwords that are encrypted quite strongly using 128 bit MD4. The "man rsyncd.conf" page quite clearly covers setting up rsync as a server and making it relatively safe. The default configuration file is /etc/rsyncd.conf. It has a global section and module sections (basically each shared out directory is a module).

rsyncd.conf example:

motd file = /etc/rsync.motd # specifies a file to be displayed, legal disclaimer, etc.
max connections = 5 # maximum number of connections so you don't get flooded
[pub-ftp]
	comment = public ftp area # simple comment 
	path = /home/ftp/pub # path to the directory being exported
	read only = yes # make it read only, great for exported directories
	chroot = yes # chroot to /home/ftp/pub 
	uid = nobody # explicitly set the UID
	gid = nobody # explicitly set the GID
[secret-stuff]
	comment = my secret stuff
	path = /home/user/secret # path to my stuff
	list = no # hide this module when asked for a list
	secrets file = /etc/rsync.users # password file
	auth users = me, bob, santa # list of users I trust to see my secret stuff
	hosts allow = 1.1.1.1, 2.2.2.2 # list of hosts to allow

As you can see rsync is quite configurable, and generally quite secure, the exception being the actual file transfers which are not encrypted in any way. If you need security I suggest you use SSH to tunnel a connection, or some VPN solution like FreeS/WAN. Also make sure you are running rsync 2.3.x or higher as a potential root compromise was found in 2.2.x. Rsync is available at: http://rsync.samba.org/. Rsync runs on port 873, tcp.

ipfwadm -I -a accept -P tcp -S 10.0.0.0/8 -D 0.0.0.0/0 873
ipfwadm -I -a accept -P tcp -S some.trusted.host -D 0.0.0.0/0 873
ipfwadm -I -a deny -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 873

or

ipchains -A input -p tcp -j ACCEPT -s 10.0.0.0/8 -d 0.0.0.0/0 873
ipchains -A input -p tcp -j ACCEPT -s some.trusted.host -d 0.0.0.0/0 873
ipchains -A input -p tcp -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 873

Back

Security Portal

Written by Kurt Seifried