OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: ams123 on October 27, 2018, 11:19:36 pm

Title: Does rsync create a security risk?
Post by: ams123 on October 27, 2018, 11:19:36 pm
Was thinking of installing rsync on my OPNsense install for backup of my configuration. Does that create any external WAN security risk? I assume it only opens a port on the LAN side but wanted to get some input before installing.
Title: Re: Does rsync create a security risk?
Post by: Evil_Sense on October 27, 2018, 11:23:14 pm
Well, rsync is, just like scp, a tool (& protocol) to transmit data (securely); it doesn't open any ports. There's rsyncd, which is a daemon that listens for incoming connections.
Title: Re: Does rsync create a security risk?
Post by: franco on October 29, 2018, 08:20:15 am
The answer is yes, but then again any client exfiltrating data or server that lets users exfiltrate data is a potential security disaster waiting to happen if misconfigured / vulnerable. You can even think MITM for innocent clients dropping your private data somewhere they shouldn't.

That being said, you'll be fine, because a potential risk is inherent with what you are trying to achieve.

Don't open ports to WAN, trust your LAN clients / network / administrator and you'll be fine.


Cheers,
Franco
Title: Re: Does rsync create a security risk?
Post by: schnipp on October 29, 2018, 07:23:29 pm
Yes it does. Rsync does not provide any security for data in transit. So, direct use over networks could be dangerous. You need to encapsulate data transfer into an encrypted channel for confidentiality and integrity (e.g. ssh or stunnel). Furthermore, keep proper authentication in mind.

Title: Re: Does rsync create a security risk?
Post by: fabian on October 29, 2018, 07:59:19 pm
What may work is that you can use the nginx plugin version 1.4 in the future to encrypt the connection using TLS. Since rsync is not aware of it, you will have to do it on both sides. Another option is tunnelling over SSH.
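
An added example, not part of the thread or of OPNsense: a backup wrapper that applies the SSH encapsulation suggested in the replies above by refusing any rsync destination that would use the unencrypted daemon transport (`rsync://` or `host::module`). The host name, paths and key file are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example; host names, paths and the key file are placeholders.

# Classify an rsync source/destination the way rsync picks its transport:
#   rsync://host/module or host::module -> "daemon" (rsyncd, no encryption)
#   host:path                           -> "ssh"    (remote-shell transport)
#   anything else                       -> "local"
rsync_transport() {
    case "$1" in
        rsync://*) echo daemon ;;
        /*|./*|../*) echo local ;;
        *:*)
            host=${1%%:*}      # text before the first colon
            rest=${1#*:}       # text after the first colon
            case "$host" in
                */*) echo local ;;          # slash before colon: a local path
                *) case "$rest" in
                       :*) echo daemon ;;   # double colon: daemon module
                       *)  echo ssh ;;
                   esac ;;
            esac ;;
        *) echo local ;;
    esac
}

# Copy SRC to DEST only when DEST uses the SSH transport.
backup_over_ssh() {
    src=$1 dest=$2 key=$3
    if [ "$(rsync_transport "$dest")" != ssh ]; then
        echo "refusing non-SSH rsync destination: $dest" >&2
        return 1
    fi
    # BatchMode: key-only login, never prompt for a password.
    # StrictHostKeyChecking=yes: abort on an unknown or changed host key.
    rsync -a -e "ssh -i $key -o BatchMode=yes -o StrictHostKeyChecking=yes" \
        -- "$src" "$dest"
}

# Usage (placeholders):
#   backup_over_ssh /path/to/config-backup/ \
#       backup@backup.example:opnsense/ /root/.ssh/backup_key
```

The host key of the backup server has to be in `known_hosts` before the first run, since `StrictHostKeyChecking=yes` will not accept it interactively.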