secure to use rsync in daemon mode without ssh
As we know we can use rsync via ssh to send files between computers especially in different network (eg Internet) to have some secure transfers. (thats right and we all agree with it)
and as we know also rsync does not provide any security while transferring data using normal way therefore we use ssh as cover.
So the idea!.
If we use rsync in daemon mode (on the linux backup server located in England for example) and we start backing up the data from linux computers (from France for example) using the internet line without using ssh (just use the normal rsync daemon option)
example:
rsync -vazi --progress source rsync://user@england-server.example.com/somefolder/
So the question is
do you think this is a secure way?
if not , is there any one can know what we are transferring and what the content of the files we are transferring?.
also is there chance to catch the password which we entered when rsync prompt for the rsync user password?
I know that using ssh or stunnel is more secure. but really i want to know more about why is it in-secure while using the normal way especially when we are rsync data between computers over the Internet.
and Thanks for any answers.
Rsync transactions without SSH are insecure because the protocol and the software itself does not include any content encryption. So if there is a man in the middle he can read/copy what you are backing up. Authentication can be read also.
You should consider either using SSH or VPN between your production and backup network.
When you use SSH you gain not only confidentiality but you also gain authentication.
The confidentiality makes sure that nobody can see your data as it's being send over the internet. The authentication makes sure that you are actually connected to the right server (man in the middle attack like fyr mentioned). If your data isn't that important you may say something like "Hey, nobody's going to steal my data it's not that important".
The security issue which really worries me is the lack of authentication when you just do rsync without authentication. This means that anybody can connect and send data to or from your machine. Imagine someone's sitting anywhere in between the servers and they see an unauthenticated connection writing data via rsync. Now they know how to log into your server and dump and retrieve information. You've just created a free anonymous file dump for everyone. This may seem like not a big problem until people start using it for illegal purposes, or just dump a virus/rootkit onto your machine.
In my opinion there is no risk level 1-10 which can quantify this risk, it's simply unacceptable. It only takes a port scan to see that port is open, then a script may find the vulnerability.
you can also use the "hosts allow = xxx.xxx.xxx.xxx" in the rsyncd.con module. After even if the attacker gets is hands on the user/password it only allow connection from the given host.
链接地址: http://www.djcxy.com/p/10306.html