Securing Rsync Transfers Over SSH: Best Practices for Unsecured Networks


4 views

When transferring sensitive data between servers across untrusted networks, standard rsync operations expose both your credentials and data. The fundamental problem isn't rsync itself - it's the transport layer. Here's why SSH wrapping makes sense:

# Typical vulnerable rsync:
rsync -avz /data user@remote:/backup  # Cleartext transmission!

For RHEL systems with older OpenSSH versions (pre-4.9), we need a tactical approach. The key is leveraging SSH's forced command feature in authorized_keys:

# Server-side ~/.ssh/authorized_keys
command="rsync --server --sender -vlogDtpre.iLsf . /srv/rsync/etl/" ssh-rsa AAAAB3...== client-key

Client invocation becomes:

rsync -avz -e "ssh -T -i ~/.ssh/secure_key" user@server::module /local/path

For systems supporting newer OpenSSH, combine with rssh for stricter confinement:

# /etc/rssh.conf
allowrsync
umask = 022
chrootpath = /srv/restricted

Create a system user with minimal privileges:

# Server setup:
useradd -d /var/empty -s /bin/false rsyncuser
mkdir -p /srv/rsync/jail/{etc,bin,lib64}
cp /bin/rbash /srv/rsync/jail/bin/

To maintain rsync's delta-transfer efficiency while securing it:

# Use compression and checksum caching:
rsync -az --checksum --compress-level=9 -e "ssh -C" src/ user@host:dest/

Verify your security with these commands:

# Check effective permissions:
ssh -v -T user@host
# Test jail breakout:
rsync -e ssh user@host:/etc/passwd /tmp/

When transferring sensitive data between servers, rsync's native protocol lacks encryption, making SSH tunneling essential. The core problem arises when dealing with legacy systems like RHEL4/RHEL5 that don't support modern OpenSSH features like SFTP chrooting.

The existing tar-based solution has two critical limitations:

command="cd /srv/rsync/etl && tar --exclude './lost+found' -pcf - ./" ssh-rsa...

1. Inefficient transfers (no delta-sync capability)
2. No native rsync features like checksum validation

Here's a robust implementation for legacy systems:

# Server-side authorized_keys restriction
command="rsync --server --sender -vlogDtpr --partial . /srv/rsync/etl/" ssh-rsa...

# Client-side execution
rsync -avz -e "ssh -T -i ~/.ssh/id_rsa" oracle@database.com:/srv/rsync/etl/ ./local_dir

For production environments, consider these additional measures:

# Restricted shell configuration
command="/usr/bin/rrsync -ro /srv/rsync/etl",no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa...

# Rate limiting in sshd_config
Match User oracle
    MaxStartups 1
    MaxSessions 1

Combine SSH compression with rsync's delta algorithm:

rsync -avz --compress-level=3 --bwlimit=10000 -e "ssh -C -c aes256-ctr" \
    oracle@database.com:/srv/rsync/etl/ ./local_dir

Consider using mbuffer for network optimization:

ssh -T -i ~/.ssh/id_rsa oracle@database.com "cd /srv/rsync/etl && tar -cf - ." | \
    mbuffer -m 1G | tar -xf - -C ./local_dir