Rsync is a utility for efficiently transferring and synchronizing files across computer systems, by checking the timestamp and size of files.
Most applications use the Rsync service immediately after starting it. However, without being hardened, Rsync may have unauthorized access and other security problems caused by improper configuration. This may expose the transmission data to the Internet and impose a serious data leakage issue.
We recommend that you follow the best security practices in this article to harden your Rsync service.
Modify the configuration file to the following:
list = false
Set the permission for modules that do not need write permission to read only:
read only = true
Use Security group policies or a whitelist to only allow certain hosts to access the service.
hosts allow = 22.214.171.124
Only allow specified users to use the Rsync service with specified password.
auth users = ottocho
secrets file = /etc/rsyncd.secrets
Enter password in the
/etc/rsyncd.secretsfile. The format is
username:passwordin each line.
Note: Create a strong password for each user. The password must contain at least eight characters, and include uppercase and lowercase letters, numbers, and special characters. The password here is in plain text.
On client-side, you can use the
—password-file=/etc/rsyncd.secretsparameter to write the password in
Rsync -av --password-file=/etc/rsyncd.secrets test.host.com::files /des/path
The usernames in
/etc/rsyncd.secrets must be consistent with the auth users in the configuration, and the permission must be 600.
Rsync does not enable encrypted transmission by default. If you need to use Rsync to process data with high importance, you can use the SSH mode.
Rsync supports the following synchronization modes:
- Rsync uses SSH when the host name of the source or destination path is followed by a colon delimiter.
- Rsync uses TCP to directly connect to the Rsync daemon when the host name of the source or destination path is followed by two colons, or when
After SSH configuration is complete, the following method is recommended:
Rsync -av test.host.com:/path/to/files /des/path