Rsync Security Configuration

Source: Internet
Author: User

0x00 Rsync Introduction

Rsync (remote synchronize) is software that implements remote synchronization. While synchronizing files it preserves the permissions, timestamps, symbolic and hard links, and other attributes of the original files.

Rsync uses the "rsync algorithm" to synchronize files quickly between clients and remote file servers. It can also transfer files over ssh, which gives strong confidentiality, and it is free software.

Rsync includes the following features:

Mirrors entire directory trees and file systems.
Optionally preserves symbolic links, hard links, file types, permissions, devices, and timestamps.
Requires no special privileges to install.
For multiple files, its internal pipelining reduces the latency of waiting on each file.
Can use rsh, ssh, or a direct TCP port as the transport.
Supports anonymous rsync file synchronization, which makes it an ideal mirroring tool.


0x01 Set up the Rsync server

Install the rsync and xinetd packages:

$ yum -y install xinetd rsync

Make sure that xinetd starts in run levels 3, 4 and 5:

$ chkconfig --level 345 xinetd on

Modify the rsync xinetd configuration file, changing disable = yes to disable = no:

$ vi /etc/xinetd.d/rsync

Create a password file for rsync, in the format username:password:

$ vi /etc/rsyncd.secrets

Create the rsync module configuration file:

$ vi /etc/rsyncd.conf

Add the following content:

secrets file = /etc/rsyncd.secrets    # password file location; the authentication file holding the user names and passwords
# motd file = /etc/rsyncd.motd        # welcome message file name and location (the file does not exist by default; create it yourself)
read only = no                        # yes means read-only mode; no allows writes, which is needed for data recovery
list = yes
uid = nobody                          # user that rsync runs as
gid = nobody
[out]                                 # module name
comment = Welcome                     # welcome information
path = /home/rsync/out                # rsync synchronization path
auth users = rsync                    # authorized account, the authenticated user name, which must exist in /etc/rsyncd.secrets. Without this line the module is anonymous. Separate multiple users with commas
hosts allow = x.x.x.x                 # IP addresses that may access the module

The many other parameters are not needed here.

Modify permissions and ownership and restart the xinetd service:

$ chown root.root /etc/rsyncd.*
$ chmod 600 /etc/rsyncd.*
$ service xinetd restart

Then you can access the service by using the following command:

Download files:
/usr/bin/rsync -vzrtopg --progress --delete username@xxx.xxx.xxx.xxx::out /home/test/getfile

Upload files:
/usr/bin/rsync -vzrtopg --progress /home/test/getfile username@xxx.xxx.xxx.xxx::out

Rsync synchronization Parameters

In -vzrtopg, v is verbose, z is compression, r is recursive, and topg are the options that preserve the original file attributes such as owner and times. --progress displays detailed progress. --delete removes files in the local getfile directory that no longer exist on the server, so that the client and server file trees stay completely consistent. In username@xxx.xxx.xxx.xxx, username is a user name from the password file and xxx.xxx.xxx.xxx is the server IP address. out is the module name defined in rsyncd.conf, and /home/test/getfile is the local directory to be backed up.

If you do not want to enter the password each time, use the --password-file parameter:

/usr/bin/rsync -vzrtopg --progress /home/test/getfile  username@xxx.xxx.xxx.xxx::out --password-file=/test/rsyncd.secrets

In the /test/rsyncd.secrets file on the local machine, save only the password; the user name is already given in the command. The file permissions should be 600.

0x02 Security Configuration SELinux

Check whether SELinux is enforcing for rsync. Inspect the /etc/selinux/config configuration file, or run the following command:

$ sudo /usr/sbin/getsebool rsync_disable_trans
rsync_disable_trans --> off

off indicates that no process can connect to rsync. Change it and restart the xinetd service:

$ setsebool -P rsync_disable_trans 1
$ service xinetd restart

IPTables Firewall

Add iptables rules for the rsync port (873).

Allow access only from the internal network (192.168.101.0/24):

iptables -A INPUT -i eth0 -p tcp -s 192.168.101.0/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT

Rsync security configuration mainly involves two aspects: first, requiring a user name and password, and second, restricting which IP addresses may connect.

Add the rsync user access restriction. Note that this configuration goes in rsyncd.conf:

secrets file = /etc/rsyncd.secrets    # password file location; the authentication file holding the user names and passwords
auth users = rsync                    # authorized account, the authenticated user name. Without this line the module is anonymous. Separate multiple users with commas

In addition to allowing specific IP addresses in iptables, the hosts allow setting in rsyncd.conf can restrict a module to specific source IP addresses.
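The following is an added example, not part of the original article: a small POSIX shell audit that reads an rsyncd.conf and reports every module that lacks the two controls described above (auth users and hosts allow) or is left writable. The sample configuration it writes is constructed for the demonstration and modelled on the one shown earlier; the function and file names are assumptions.

```shell
# Added example (not from the original page): audit rsyncd.conf for the two
# controls the text recommends ("auth users" and "hosts allow") and flag
# modules left writable. Global settings are inherited by every module.
# audit_rsyncd_conf FILE: print one finding per line; exit status = finding count
audit_rsyncd_conf() {
    awk '
    function flush() {
        if (mod == "") return
        if (!auth)      { print mod ": no \"auth users\" (anonymous access)"; n++ }
        if (!hosts)     { print mod ": no \"hosts allow\" (any source IP)";   n++ }
        if (ro == "no") { print mod ": read only = no (module is writable)";  n++ }
    }
    BEGIN { gro = "yes" }                   # rsyncd default is read-only
    /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
    /^[ \t]*\[/ {                           # new [module] section
        flush(); mod = $0; sub(/^[ \t]*\[/, "", mod); sub(/\].*/, "", mod)
        auth = gauth; hosts = ghosts; ro = gro; next
    }
    {
        key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key); key = tolower(key)
        val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]*#.*/, "", val)
        sub(/[ \t]+$/, "", val); val = tolower(val)
        if (mod == "") {                    # global section: defaults for all modules
            if (key == "authusers") gauth = 1
            else if (key == "hostsallow") ghosts = 1
            else if (key == "readonly") gro = val
        } else {
            if (key == "authusers") auth = 1
            else if (key == "hostsallow") hosts = 1
            else if (key == "readonly") ro = val
        }
    }
    END { flush(); exit n }
    ' "$1"
}
# write_sample_conf: write a constructed config modelled on the page and print its path
write_sample_conf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
secrets file = /etc/rsyncd.secrets
read only = no
[out]
    path = /home/rsync/out
    auth users = rsync
    hosts allow = 192.168.101.0/24
[public]
    path = /home/rsync/public
EOF
    echo "$f"
}
```

Run it against a real server with audit_rsyncd_conf /etc/rsyncd.conf; a non-zero exit status means at least one module needs attention.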
