Securing Rsync Transfers Over SSH: Best Practices for Unsecured Networks



When transferring sensitive data between servers across untrusted networks, rsync's native daemon protocol exposes both your credentials and your data, because it has no transport encryption. The fundamental problem isn't rsync itself; it's the transport layer. Here's why SSH wrapping makes sense:

# Typical vulnerable rsync (daemon mode, host::module, TCP 873):
rsync -avz /data user@remote::backup  # Cleartext transmission!

For RHEL systems with older OpenSSH versions (pre-4.9), we need a tactical approach. The key is leveraging SSH's forced command feature in authorized_keys:

# Server-side ~/.ssh/authorized_keys
command="rsync --server --sender -vlogDtpre.iLsf . /srv/rsync/etl/" ssh-rsa AAAAB3...== client-key

Client invocation becomes:

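# The forced command ignores what the client asks for, so the client's options and path must mirror it (no -z here)
rsync -av -e "ssh -T -i ~/.ssh/secure_key" user@server:/srv/rsync/etl/ /local/path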

For systems supporting newer OpenSSH, combine with rssh for stricter confinement:

# /etc/rssh.conf
allowrsync
umask = 022
chrootpath = /srv/restricted

Create a system user with minimal privileges:

# Server setup:
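# The login shell must be rssh for /etc/rssh.conf to apply (path may differ by distribution);
# with /bin/false sshd could not run the rsync command at all
useradd -d /var/empty -s /usr/bin/rssh rsyncuser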
mkdir -p /srv/rsync/jail/{etc,bin,lib64}
cp /bin/rbash /srv/rsync/jail/bin/

To maintain rsync's delta-transfer efficiency while securing it:

# -z compresses inside rsync; --checksum compares files by full checksum instead of size and mtime (slower):
rsync -az --checksum --compress-level=9 -e "ssh -C" src/ user@host:dest/

Verify your security with these commands:

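# Confirm the key gets the forced command rather than an interactive shell:
ssh -v -T user@host
# Confirm a path outside the permitted tree is not served (this must not copy /etc/passwd):
rsync -e ssh user@host:/etc/passwd /tmp/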

When transferring sensitive data between servers, rsync's native protocol lacks encryption, making SSH tunneling essential. The core problem arises when dealing with legacy systems like RHEL4/RHEL5 that don't support modern OpenSSH features like SFTP chrooting.

The existing tar-based solution has two critical limitations:

command="cd /srv/rsync/etl && tar --exclude './lost+found' -pcf - ./" ssh-rsa...

1. Inefficient transfers (no delta-sync capability)
2. No native rsync features like checksum validation

Here's a robust implementation for legacy systems:

# Server-side authorized_keys restriction
command="rsync --server --sender -vlogDtpr --partial . /srv/rsync/etl/" ssh-rsa...

# Client-side execution (options mirror the forced command, so no -z)
rsync -av -e "ssh -T -i ~/.ssh/id_rsa" oracle@database.com:/srv/rsync/etl/ ./local_dir

For production environments, consider these additional measures:

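# authorized_keys: restrict the key to read-only rsync under one directory
command="/usr/bin/rrsync -ro /srv/rsync/etl",no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa...

# Session limit in sshd_config
# (MaxStartups is a global-only directive and is not valid inside a Match block)
Match User oracle
    MaxSessions 1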
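
An added example, not code from the original page: a small audit of authorized_keys entries like the ones shown above. It flags keys with no forced command, forced commands that lack pty/forwarding restrictions, and forced `rsync --server` commands without `--sender`. The function names, finding strings and sample entries are constructed for illustration, and the `no-agent-forwarding` and `restrict` checks go beyond the options this page uses.

```python
WANTED = ("no-pty", "no-port-forwarding", "no-x11-forwarding", "no-agent-forwarding")

def split_options(line):
    """Parse the leading options field of one authorized_keys line (see sshd(8))."""
    opts, buf, quoted, i = {}, "", False, 0
    # A line that starts with the key type has no options field at all.
    end = 0 if line.startswith(("ssh-", "ecdsa-", "sk-")) else len(line)
    while i < end:
        c = line[i]
        if quoted and c == "\\" and line[i + 1:i + 2] == '"':
            buf, i = buf + '"', i + 1        # \" inside quotes is a literal quote
        elif c == '"':
            quoted = not quoted
        elif not quoted and c in ", \t":
            name, _, value = buf.partition("=")
            opts[name.lower()] = value       # option names are case-insensitive
            buf = ""
            if c != ",":
                break                        # unquoted whitespace ends the field
        else:
            buf += c
        i += 1
    return opts

def audit(text):
    """Return (line_number, finding) pairs for risky authorized_keys entries."""
    findings = []
    for n, line in enumerate(map(str.strip, text.splitlines()), 1):
        if not line or line.startswith("#"):
            continue
        opts = split_options(line)
        cmd = opts.get("command")
        if cmd is None:
            findings.append((n, "no command= option"))
            continue
        if "restrict" not in opts:           # restrict (OpenSSH 7.2+) implies all four
            findings += [(n, "missing " + o) for o in WANTED if o not in opts]
        if "rsync --server" in cmd and "--sender" not in cmd:
            findings.append((n, "forced rsync is a receiver: key can write"))
    return findings

# Constructed sample; key material shortened to placeholders.
SAMPLE = """\
command="rsync --server --sender -vlogDtpr . /srv/rsync/etl/" ssh-rsa AAAAB3 etl-pull
command="/usr/bin/rrsync -ro /srv/rsync/etl",no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3 etl-ro
restrict,command="rsync --server -vlogDtpr . /srv/rsync/etl/" ssh-ed25519 AAAAC3 etl-push
ssh-rsa AAAAB3 admin
"""
```

`audit(SAMPLE)` reports the bare forced command as missing all four restrictions, the rrsync entry as missing only `no-agent-forwarding`, the third key as write-capable, and the last key as having no forced command.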

Combine SSH compression with rsync's delta algorithm:

rsync -avz --compress-level=3 --bwlimit=10000 -e "ssh -C -c aes256-ctr" \
    oracle@database.com:/srv/rsync/etl/ ./local_dir

Consider using mbuffer for network optimization:

ssh -T -i ~/.ssh/id_rsa oracle@database.com "cd /srv/rsync/etl && tar -cf - ." | \
    mbuffer -m 1G | tar -xf - -C ./local_dir