
Harden Rsync

Last Updated: May 08, 2018

Rsync is a utility for efficiently transferring and synchronizing files across computer systems, by checking the timestamp and size of files.

Most applications use the Rsync service immediately after starting it. However, an Rsync service that has not been hardened may allow unauthorized access and have other security problems caused by improper configuration. This can expose the transmitted data to the Internet and cause serious data leakage.

We recommend that you follow the best security practices in this article to harden your Rsync service.

Hardening solutions

Hide module information

Set the following in the configuration file:

    list = false

Enable permission control

Set modules that do not need write permission to read-only:

    read only = true

Limit network access

Use security group policies or a whitelist to allow only certain hosts to access the service.

    hosts allow =

Enable account authentication

Allow only specified users to use the Rsync service, each with a specified password.

  • Server-side configuration

    auth users = ottocho
    secrets file = /etc/rsyncd.secrets

    Enter the passwords in the /etc/rsyncd.secrets file, one username:password entry per line.

    Note: Create a strong password for each user. The password must contain at least eight characters, and include uppercase and lowercase letters, numbers, and special characters. The passwords in this file are stored in plain text.

  • Client-side configuration

    On the client side, you can write the password in /etc/rsyncd.secrets and pass that file with the --password-file=/etc/rsyncd.secrets parameter.

    rsync -av --password-file=/etc/rsyncd.secrets /des/path

The usernames in /etc/rsyncd.secrets must be consistent with the auth users in the configuration, and the permission must be 600.
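One way to check an rsyncd.conf against the settings above (list, read only, hosts allow, auth users, secrets file and its 600 mode), as an added example that is not part of the original article. The sample configuration, the module names, the 192.0.2.10 address and the function names are constructed for illustration; the check assumes rsync's documented defaults (list on, read only on) and that global values act as module defaults.

```python
import os
import stat

# Constructed sample config (not from the page): one hardened module, one weak.
SAMPLE_CONF = """\
list = false
secrets file = /etc/rsyncd.secrets
[backup]
read only = true
hosts allow = 192.0.2.10
auth users = ottocho
[public]
list = yes
read only = no
"""
FALSY = {"no", "false", "0"}

def parse_rsyncd_conf(text):
    """Return (global_params, {module: params}); names lose case and spaces."""
    globals_, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), {})
        elif "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            target = globals_ if current is None else current
            target["".join(key.lower().split())] = value.strip()
    return globals_, modules

def audit(text):
    """Return {module: [findings]} for the settings this page recommends."""
    globals_, modules = parse_rsyncd_conf(text)
    report = {}
    for name, params in modules.items():
        eff = {**globals_, **params}  # global values act as module defaults
        checks = [
            ("list enabled", eff.get("list", "yes").lower() not in FALSY),
            ("writable", eff.get("readonly", "yes").lower() in FALSY),
            ("no hosts allow", not eff.get("hostsallow")),
            ("no auth", not (eff.get("authusers") and eff.get("secretsfile"))),
        ]
        report[name] = [label for label, failed in checks if failed]
    return report

def secrets_mode_ok(path):
    """True when the secrets file mode is exactly 600, as the page requires."""
    return stat.S_IMODE(os.stat(path).st_mode) == 0o600
```

A "writable" finding is only a prompt to confirm that the module really needs write permission.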

Enable encrypted transmission

Rsync does not encrypt transmissions by default. If you use Rsync to process highly important data, you can use the SSH mode.

Rsync supports the following synchronization modes:

  • Rsync uses SSH when the host name of the source or destination path is followed by a colon delimiter.
  • Rsync uses TCP to directly connect to the Rsync daemon when the host name of the source or destination path is followed by two colons, or when rsync://URL is used.

After SSH configuration is complete, the following method is recommended:

    rsync -av /des/path