Does rsync create a security risk?

Started by ams123, October 27, 2018, 11:19:36 PM

Was thinking of installing rsync on my OPNsense install for backup of my configuration. Does that create any external WAN security risk? I assume it only opens a port on the LAN side but wanted to get some input before installing.

Well, rsync is, just like scp, a tool (& protocol) to transmit data (securely); it doesn't open any ports. There's rsyncd, which is a daemon that listens for incoming connections.

October 29, 2018, 08:20:15 AM #2 Last Edit: October 29, 2018, 08:37:23 PM by franco
The answer is yes, but then again any client exfiltrating data or server that lets users exfiltrate data is a potential security disaster waiting to happen if misconfigured / vulnerable. You can even think MITM for innocent clients dropping your private data somewhere they shouldn't.

That being said, you'll be fine, because a potential risk is inherent in what you are trying to achieve.

Don't open ports to WAN, trust your LAN clients / network / administrator and you'll be fine.


Cheers,
Franco

Yes it does. Rsync does not provide any security for data in transit. So, direct use over networks could be dangerous. You need to encapsulate data transfer into an encrypted channel for confidentiality and integrity (e.g. ssh or stunnel). Furthermore, keep proper authentication in mind.

OPNsense 24.7.11_2-amd64

What may work is that you can use the nginx plugin version 1.4 in the future to encrypt the connection using TLS. Since rsync is not aware of it, you will have to do it on both sides. Another option is tunnelling over SSH.
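
The thread's points about the rsync daemon listening for connections and not opening ports to WAN can be checked on the box itself. The following is an added example, not part of any post above and not OPNsense code: it parses `sockstat -4 -6 -l` style output and reports listeners on the rsync daemon port (873) that are bound to a wildcard or to an address outside the LAN. The sample output, the addresses and the function name are constructed for illustration.

```python
import ipaddress

# Constructed sample of FreeBSD `sockstat -4 -6 -l` output; not from a real system.
SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   3  tcp4   192.168.1.1:22        *:*
root     rsync      1450  4  tcp4   *:873                 *:*
root     rsync      1450  5  tcp6   *:873                 *:*
root     rsync      2001  4  tcp4   192.168.1.1:873       *:*
root     rsync      2077  4  tcp4   203.0.113.10:873      *:*
"""


def exposed_listeners(sockstat_text, lan_net, port=873):
    """Return (command, pid, local_address) for TCP listeners on `port` that
    are bound to a wildcard or to an address outside `lan_net` and loopback.

    This only inspects bind addresses; firewall rules still decide whether a
    wildcard listener is actually reachable from WAN.
    """
    lan = ipaddress.ip_network(lan_net)
    findings = []
    for line in sockstat_text.splitlines()[1:]:        # skip the header row
        fields = line.split()
        if len(fields) < 7 or not fields[4].startswith("tcp"):
            continue
        command, pid, local = fields[1], fields[2], fields[5]
        host, _, lport = local.rpartition(":")         # IPv6-safe: split on last ':'
        if lport != str(port):
            continue
        if host != "*":                                # '*' means every interface
            try:
                addr = ipaddress.ip_address(host)
            except ValueError:
                addr = None                            # unparseable: report it
            if addr is not None and (
                addr.is_loopback
                or (addr.version == lan.version and addr in lan)
            ):
                continue                               # LAN-only or loopback bind
        findings.append((command, pid, local))
    return findings


if __name__ == "__main__":
    for command, pid, local in exposed_listeners(SAMPLE, "192.168.1.0/24"):
        print(f"review: {command} (pid {pid}) listening on {local}")
```
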