How insecure is it to use rsync in daemon mode without ssh

Mohammed Shannaq · Jan 11, 2012 · Viewed 17.1k times

As we know, we can use rsync via ssh to send files between computers, especially on different networks (e.g. the Internet), to have secure transfers. (That's right and we all agree with it.)

And as we also know, rsync does not provide any security while transferring data in the normal way, therefore we use ssh as cover.

So, the idea:

If we use rsync in daemon mode (on the Linux backup server located in England, for example) and we start backing up the data from Linux computers (from France, for example) over the Internet without using ssh (just using the normal rsync daemon option)

Example:

rsync -vazi --progress source rsync://[email protected]/somefolder/

So the question is:

Do you think this is a secure way?

If not, is there anyone who can know what we are transferring and what the content of the files we are transferring is?

Also, is there a chance to catch the password which we entered when rsync prompts for the rsync user password?

I know that using ssh or stunnel is more secure, but I really want to know more about why it is insecure to use the normal way, especially when we rsync data between computers over the Internet.

Thanks for any answers.

Answer

fyr · Jan 11, 2012

Rsync transactions without SSH are insecure because the protocol and the software itself do not include any content encryption. So if there is a man in the middle, he can read/copy what you are backing up. Authentication can also be read.

You should consider using either SSH or a VPN between your production and backup network.
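
As an added example (not part of the original question or answer), this Python sketch classifies rsync command lines by transport, so that backup scripts using the unencrypted daemon connection discussed above can be found and moved to SSH. The host `backup.example.org`, the user `backupuser` and the sample command lines are constructed, and the option parser is simplified: it only recognizes `-e`/`--rsh`.

```python
import re
import shlex

# [user@]host followed by ":" (remote shell) or "::" (rsync daemon).
# A "/" before the first colon means a local path, as rsync itself treats it.
HOSTSPEC = re.compile(r"^(?:[^/:@\s]+@)?(?:\[[0-9A-Fa-f:.]+\]|[^/:\s]+)(::?)")

# Constructed sample lines, as they might appear in crontabs or backup scripts.
SAMPLES = [
    "rsync -vazi --progress source rsync://backupuser@backup.example.org/somefolder/",
    "rsync -vazi --progress source backupuser@backup.example.org::somefolder/",
    "rsync -vazi --progress -e ssh source backupuser@backup.example.org:/srv/somefolder/",
    "rsync -vazi --rsh=ssh source backupuser@backup.example.org::somefolder/",
    "rsync -a /data/ /mnt/backup/",
]

def classify_operand(arg):
    """Classify one source/destination operand as 'daemon', 'shell' or 'local'."""
    m = HOSTSPEC.match(arg)
    if arg.startswith("rsync://") or (m and m.group(1) == "::"):
        return "daemon"
    return "shell" if m else "local"

def classify_command(cmdline):
    """Return the transport for one rsync command line (simplified option parsing)."""
    argv = shlex.split(cmdline)[1:]
    uses_rsh, kinds, skip = False, set(), False
    for tok in argv:
        if skip:                      # value belonging to a preceding -e/--rsh
            skip = False
        elif tok == "--rsh" or tok.startswith("--rsh="):
            uses_rsh, skip = True, tok == "--rsh"
        elif tok.startswith("--"):
            continue
        elif tok.startswith("-") and len(tok) > 1:
            if "e" in tok[1:]:        # -e may be bundled, e.g. -aze ssh
                uses_rsh, skip = True, tok.endswith("e")
        else:
            kinds.add(classify_operand(tok))
    if "daemon" in kinds:
        # Daemon syntax plus a remote shell runs the daemon protocol inside
        # that shell's connection; without one it is a plain TCP connection.
        return "daemon-over-remote-shell" if uses_rsh else "cleartext-daemon"
    return "remote-shell" if "shell" in kinds else "local"

def cleartext_commands(lines):
    return [line for line in lines if classify_command(line) == "cleartext-daemon"]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{classify_command(line):26} {line}")
```

A remote shell set through the `RSYNC_RSH` environment variable is not visible on the command line, so this check does not account for it.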