Enabling Rsyncd with Backup Module and IPv6 on CentOS

July 6, 2011 Cody Backups

This guide will cover the setup of xinetd to accept incoming connections for an rsync daemon on Red Hat or CentOS 5.x systems. The rsync server daemon will have a backup module, which defines the share presented to the client connection and sets its options. Rsyncd is still supported by consumer NAS products and other remote backup software that works with rsync shares.

This guide is known to work with Synology NAS products.

———————
*TIP of the Day*

If you plan to connect to the rsyncd share over the internet then I advise you to ENSURE and DOUBLE CHECK that your client configuration is passing the encryption switch. This switch is usually ‘-e’ when using the official rsync binary. You do not want your files being transferred in cleartext over the public internet. An even better solution would be a VPN tunnel between the two points.
———————

Setting up and Configuring Rsync Daemon

The first step will be to ensure we have rsync installed by checking the rpm database with the following command.

rpm -qa rsync

If no result is returned then go ahead and use ‘yum’ to install the package.

# yum install rsync

Now that rsync is installed, go ahead and create the rsyncd.conf file and insert the following configuration

# nano /etc/rsyncd.conf

This configuration is pretty neutral but there are tons of rsync options which can be defined. You could only allow certain hosts, deny other hosts, exclude certain files or filetypes from being uploaded, etc…

*Tip* Run the following command to read the manual page for rsyncd.conf

man rsyncd.conf

#motd file = /etc/rsyncd.motd
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsync.lock
use chroot = no
max connections = 5
timeout = 300

#Define our backup module

[HomeBackup]
path = /backup/offsite-share
comment = offsite home backup
uid = nobody
gid = nobody
read only = no
list = yes
#Define our users that are allowed access
auth users = foo
secrets file = /etc/rsyncd.secrets

Now we need to create the log file that we defined in rsyncd.conf and restrict the permissions.

# touch /var/log/rsyncd.log

We want to ensure that only the root user can read or write the log file. We do not want any other user browsing through the log file, as it will contain connection information such as IP addresses, which might make a good target for a future attack.

The command ‘chmod’ will be used to modify ‘group’ and ‘other’ by removing read permission.

# chmod go-r /var/log/rsyncd.log

# ls -lha /var/log | grep rsync
-rw------- 1 root root 0 Jul 5 10:18 rsyncd.log

Creating the directory we defined in our rsyncd.conf backup module will be the next step. We will also want to protect this directory from normal users as it could contain sensitive information that only the user who put it there or root should have access to.

# mkdir /backup/offsite-share

In the following example we can see what default permissions were used when creating the folder. Notice how ‘other’ has read permission on the directory. This means any user on the system can read the files, which is not good.

# ls -lha /backup | grep offsite
drwxr-xr-x 2 root root 4.0K Jul 5 10:16 offsite-share/

The first ‘chmod’ command will remove execute access from ‘group’ and ‘other’.

# chmod go-x /backup/offsite-share

The second ‘chmod’ command will remove read access from ‘other’.

# chmod o-r /backup/offsite-share

We are now left with a directory in which only root user can read/write/execute but the root group can read.

# ls -lha /backup | grep offsite-share
drwxr----- 2 root root 4.0K Jul 5 10:16 offsite-share/

Now we need to define and protect our rsyncd.secrets file, inserting a ‘username:password’ line for each user that is allowed to access the share. I highly recommend enabling some type of authentication on the rsync share and restricting the allowed hosts.

———————
*TIP of the Day*

Use a strong password of mixed characters and special characters that is at least 12 characters in length. Otherwise the password can be brute-forced by a bot and leave your rsync share wide open for pilfering.
———————

# nano /etc/rsyncd.secrets

Insert your credentials into the rsyncd.secrets file in the ‘username:password’ style, like the following.

foo:t3mpr00t

Once again we can see that the rsyncd.secrets file, when created, was given read permission for ‘group’ and ‘other’.

# ls -lha /etc/rsyncd.secrets
-rw-r--r-- 1 root root 15 Jul 5 10:32 /etc/rsyncd.secrets

Let’s once again remove those permissions using the command ‘chmod’.

# chmod go-r /etc/rsyncd.secrets

The file is now nice and secure, being readable and writeable only by the root user.

# ls -lha /etc/rsyncd.secrets
-rw------- 1 root root 15 Jul 5 10:32 /etc/rsyncd.secrets
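The module definition and the four permission fixes above are easy to get slightly wrong (a different umask leaves group write on the secrets file, or a second module gets added later without ‘auth users’). The following script is an added example, not code from the original post: it rebuilds the files the guide creates inside a scratch directory that stands in for ‘/’ (an assumption of the example), applies the same chmod steps, and then checks that the resulting modes match the listings shown above and that every module in rsyncd.conf names ‘auth users’. It assumes GNU ‘stat’, as shipped on CentOS, and never touches the real /etc or /var/log.

```shell
#!/bin/sh
# Added example, not code from the original post: rebuild the files the guide
# creates inside a scratch directory, apply the same chmod steps, and verify
# the resulting modes and the module definitions. Nothing outside $WORK is touched.
set -eu
umask 022   # makes the starting modes predictable (644 files, 755 directories)

# Hypothetical scratch root standing in for / (assumption of this example).
WORK="${TMPDIR:-/tmp}/rsyncd-audit.$$"
mkdir -p "$WORK/etc" "$WORK/var/log" "$WORK/backup"

# Constructed rsyncd.conf: the guide's module plus a second, deliberately
# unauthenticated module so the audit has something to flag.
cat > "$WORK/etc/rsyncd.conf" <<'EOF'
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsync.lock
use chroot = no
max connections = 5
timeout = 300

[HomeBackup]
path = /backup/offsite-share
read only = no
auth users = foo
secrets file = /etc/rsyncd.secrets

[Scratch]
path = /backup/scratch
read only = no
EOF
printf 'foo:t3mpr00t\n' > "$WORK/etc/rsyncd.secrets"   # constructed credentials
: > "$WORK/var/log/rsyncd.log"
mkdir "$WORK/backup/offsite-share"

# The guide's hardening steps, applied to the scratch copies.
harden() {
    chmod go-r "$WORK/var/log/rsyncd.log"
    chmod go-x "$WORK/backup/offsite-share"
    chmod o-r  "$WORK/backup/offsite-share"
    chmod go-r "$WORK/etc/rsyncd.secrets"
}

# mode_of FILE -> octal permission bits, e.g. 600 (GNU stat, as on CentOS).
mode_of() { stat -c '%a' "$1"; }

# check_mode FILE EXPECTED -> succeeds only if the mode is exactly EXPECTED.
check_mode() { [ "$(mode_of "$1")" = "$2" ]; }

# modules_without_auth CONF -> names of modules with no 'auth users' line.
# Such a module accepts any client that can reach port 873.
modules_without_auth() {
    awk '
        /^\[.*\]$/ { if (mod != "" && !auth) print mod
                     mod = substr($0, 2, length($0) - 2); auth = 0; next }
        /^[ \t]*auth users[ \t]*=/ { auth = 1 }
        END { if (mod != "" && !auth) print mod }
    ' "$1"
}

# chroot_disabled CONF -> succeeds if the file sets 'use chroot = no'.
chroot_disabled() { grep -q '^[ \t]*use chroot[ \t]*=[ \t]*no' "$1"; }

# audit -> 0 when every file carries the mode the guide ends up with
# (600 for the log and secrets, 740 / drwxr----- for the module directory).
audit() {
    harden
    check_mode "$WORK/var/log/rsyncd.log"   600 || return 1
    check_mode "$WORK/etc/rsyncd.secrets"   600 || return 1
    check_mode "$WORK/backup/offsite-share" 740 || return 1
}

audit && echo "file modes match the guide"
echo "modules without auth users: $(modules_without_auth "$WORK/etc/rsyncd.conf")"
chroot_disabled "$WORK/etc/rsyncd.conf" && echo "note: use chroot = no is set; rsyncd.conf(5) documents chroot as the safer choice"
```

Run it as an ordinary user; it reports the ‘Scratch’ module as unauthenticated and confirms the 600/600/740 modes. Pointing ‘WORK’ at the real root (as root) turns it into a quick post-install check of the live files.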

Installing Xinetd and Rsync Configuration

Next we can install xinetd, which will allow the CentOS 5 system to accept incoming connections with user authentication on behalf of rsyncd.

Once again, go ahead and install ‘xinetd’; it is normally not installed on CentOS 5 servers with a minimal base install.

# yum install xinetd

Now we set the xinetd service to start at boot so that incoming connections are still accepted after a reboot.

# chkconfig --level 345 xinetd on

You can view the run-levels that xinetd is set to start on with the following command.

# chkconfig --list xinetd
xinetd 0:off 1:off 2:off 3:on 4:on 5:on 6:off

Edit the xinetd rsync configuration file to enable rsync service by setting ‘disable = yes’ to ‘disable = no’ like my example.

# nano /etc/xinetd.d/rsync

#set disable to no to enable rsync
service rsync
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/bin/rsync
        server_args     = --daemon
        log_on_failure  += USERID
        flags           = IPv6
}

You can enable IPv6 connections for xinetd by using the statement ‘flags = IPv6’ as shown above. This will open rsyncd up to IPv6 clients so be sure to use ip6tables to open/secure port 873.

Go ahead and start the xinetd service now that it is configured.

# service xinetd start

Now we can check that xinetd is accepting connections by using netstat; we want to see port 873 in the LISTEN state. If you do not want xinetd to listen on all addresses then you will need to ensure you properly configure that restriction.

# netstat -nap | grep xinetd
tcp 0 0 0.0.0.0:873 0.0.0.0:* LISTEN 11741/xinetd
unix 2 [ ] DGRAM 28092695 11741/xinetd

The last step is to make the port 873 accessible to the outside world if we are going to be sending backups through the public internet.

# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 873 -j ACCEPT

# iptables-save

Testing the Rsyncd Configuration

To test the rsyncd service you can create a file ‘test’ and upload the file to the share via rsync from a remote system (or localhost).

Rsyncd will require the following syntax to upload a file, ‘rsync://foo@ip.ip.ip.ip/[Backup Module]’

# rsync -vP test rsync://foo@192.168.1.6/HomeBackup

Don’t forget to check your log file (/var/log/rsyncd.log) if you have any problems connecting to the rsyncd share. It will let you know whether the network connection is actually working between the two points. The log file is also useful for seeing if the password or ‘Backup Module’ defined by the client is valid.
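The same log that tells you whether your own password was accepted also records every failed attempt from anyone else, which is what makes the brute-force warning in the tip above detectable. The script below is an added example, not part of the original post: it summarises the ‘auth failed on module …’ and ‘unknown module … tried from …’ lines by source address, so a run of guesses against ‘HomeBackup’ stands out. The log lines are constructed in the style rsyncd writes; the hosts, addresses, timestamps and PIDs are made up, and the file path is a hypothetical stand-in for /var/log/rsyncd.log.

```shell
#!/bin/sh
# Added example, not code from the original post: summarise authentication
# failures recorded in rsyncd.log so repeated guessing against the share is
# noticed rather than buried among successful transfers.
set -eu

LOG="${TMPDIR:-/tmp}/rsyncd-sample.$$.log"   # hypothetical path for the sample

# Constructed sample lines in the style of rsync's daemon log. Hosts,
# addresses, timestamps and PIDs are made up for this example.
cat > "$LOG" <<'EOF'
2011/07/05 10:32:01 [11741] connect from unknown (192.168.1.6)
2011/07/05 10:32:01 [11741] rsync to HomeBackup/ from foo@unknown (192.168.1.6)
2011/07/05 10:40:12 [11802] connect from unknown (203.0.113.9)
2011/07/05 10:40:12 [11802] auth failed on module HomeBackup from unknown (203.0.113.9) for foo: password mismatch
2011/07/05 10:40:13 [11803] auth failed on module HomeBackup from unknown (203.0.113.9) for foo: password mismatch
2011/07/05 10:40:14 [11804] auth failed on module HomeBackup from unknown (203.0.113.9) for admin: unknown user
2011/07/05 10:41:00 [11810] auth failed on module HomeBackup from unknown (192.168.1.6) for foo: password mismatch
2011/07/05 10:43:05 [11822] auth failed on module HomeBackup from unknown (2001:db8::10) for foo: password mismatch
2011/07/05 10:44:30 [11830] unknown module 'Backup' tried from unknown (203.0.113.9)
EOF

# failed_auth_counts LOG -> one "COUNT ADDRESS" line per source, most first.
# The address is whatever sits in the parentheses after "from HOST", so
# IPv4 and IPv6 clients (see the 'flags = IPv6' section) are handled alike.
failed_auth_counts() {
    grep 'auth failed on module' "$1" \
      | sed -n 's/.* from [^ ]* (\([^)]*\)) for .*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# offenders LOG THRESHOLD -> addresses with at least THRESHOLD failures.
offenders() {
    failed_auth_counts "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# bad_module_requests LOG -> addresses that asked for a module name that
# does not exist in rsyncd.conf (a client typo, or someone probing for shares).
bad_module_requests() {
    sed -n "s/.*unknown module '[^']*' tried from [^ ]* (\([^)]*\)).*/\1/p" "$1" | sort -u
}

echo "failed logins per address:"; failed_auth_counts "$LOG"
echo "addresses at or over 3 failures: $(offenders "$LOG" 3)"
echo "addresses requesting unknown modules: $(bad_module_requests "$LOG")"
```

Pointed at the real /var/log/rsyncd.log (as root, since the file is now mode 600), ‘offenders’ gives you a list to compare against the client addresses you actually expect; anything else is a candidate for an iptables or ip6tables DROP rule on port 873.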

This guide was made possible by everythinglinux.org
