The original article:
https://tlanyan.pp.ua/use-rsync-daemon-to-sync-files-between-servers/

Always use the rsync command to quickly synchronize files between hosts, such as regularly backing up WordPress files and databases to other hosts.

I didn’t know much about rsync before, so I had been using shell mode to synchronize files. To avoid entering a password when connecting, distribute the public key across multiple hosts. Today realized that this has serious security implications: if one host is hacked, hackers can easily roam all the hosts!

So I looked at rsync again and found that I could use the rsync daemon to synchronize securely across hosts.

This paper links: https://tlanyan.pp.ua/use-rsync-daemon-to-sync-files-between-servers/

Secure synchronization across hosts using rsync daemon

There are three modes of working with rsync

There are three uses of the rsync command, corresponding to three modes of operation:

  • Native synchronization, similar to the cp command:

    Rsync [options] SRC DEST;

  • Shell remote synchronization, similar to the SCP command:

    \# Synchronize remote host files to host rsync [options] USER@HOST:SRC DEST \# Synchronize local files to remote host rsync [options] SRC = DEST

  • Daemon remote synchronization:

    Rsync USER@HOST::SRC DEST rsync USER@HOST::SRC DEST rsync USER@HOST::SRC DEST rsync USER@HOST::SRC DEST rsync

    Rsync [options] SRC USER@HOST::DEST rsync [options] SRC rsync:// nil /DEST

    The difference between shell and daemon modes is that shell mode uses a single colon:, while daemon mode uses two colon :: or is explicitly specified with rsync://.

The first two operating modes are relatively simple, and data synchronization can be performed by directly entering the source and target paths. The third usage differentiates between the client and the server and requires configuration on the server to work properly.

Next, we’ll look at using daemon for data synchronization.

The rsync daemon mode

Similar to V2Ray, the rsync command can be used as either a client or a server. We normally use rsync as a client, and the –daemon parameter becomes server mode.

Rsync is automatically configured on Ubuntu/Debian systems, but you need to install an additional rsync-daemon package to configure rsync:

# rsync sudo apt update sudo apt install -y rsync \# rsync sudo yum install -y rsync \# rsync sudo apt update sudo apt install -y rsync \ Rsync daemon sudo yum install -y rsync-daemon

The default configuration file for rsync daemon is /etc/rsyncd.conf. Ubuntu/Debian is not created by default. Edit /etc/rsyncd.conf and write something like this (the lines starting with the # sign are comments) :

\# rsyncd.conf has only a few global parameters, generally keep the default \# module starts with [module name], For instructions and values in the file \# rsyncd.conf, see man rsyncd.conf

Motd file = /etc/rsyncd.motd

# User and group id uid = root gid = root

Transfer Logging = No/Transfer Logging = No/Transfer Logging = No/Transfer Logging = No/Transfer Logging If this value is true, the client cannot upload read only = false \#. If this value is true, the client cannot download read only = false \#. By default, all host connections are denied

\# Username password file, each line format is: User name: password, for example \# Tlanyan :12343112 \# This file permission must be set to 600 unless strict mode is set to false secrets file = /etc/rsyncd.secrets

[BACKUP] \# COMMENT = BACKUP directory \# Request to its own path = / data \ # allows host IP hosts allow = xx. Xx. Xx. Xx \ # allows user name auth users = tlanyan \ # whether to allow list the module, suggest to no list = no

/etc/rsyncd.motd and /etc/rsyncd.secrets need to be created by yourself. For example:

Echo ‘Tlanyan :12343112′ >> /etc/rsyncd.secrets \#’ Rsync Daemon’ > /etc/rsyncd.motd \# Set password file permissions to chmod 600 /etc/rsyncd.secrets

Then start the rsync service:

\# CentOS/RHEL

systemctl enable rsyncd

systemctl start rsyncd

# Ubuntu/Debian service rsync systemctl enable rsync systemctl start rsync

The rsync daemon listens on port 873 by default. If the firewall is enabled, the port needs to be released (there is a security group in the background of Ali Cloud /AWS/GCP and other web pages, so you need to log in and release) :

Firewall-cmd –permanent –add-port=873/ TCP firewall-cmd –reload =873/ TCP firewall-cmd –reload

Iptables -i input-p TCP –dport 873-j ACCEPT iptables -i input-p TCP –dport 873-j ACCEPT

\# UFW allow 873/ TCP for Ubuntu/Debian

Synchronize files using rsync daemon

Next, synchronize the files on the authorized machine using the authorized user:

@server IP ::backup /var/www/data/

You need to enter the user’s password in rsyncd.secrets to connect. You can also specify the password file using –password-file instead of manually entering it each time:

Echo ‘12343112’ > secrets’ chmod 600 secrets’ # rsync-avp –password-file=secrets Authorized user @server IP ::backup /var/www/data/

Use in the same way as in shell mode, except for the two colons ::.

The rsync daemon summary

Using rsync daemon avoids security concerns when synchronizing across hosts, and allows you to specify authorized IP and authorized users, which is recommended in practice.

reference

1. Some considerations about rsync copying files

2. Rsync synchronizes and backs up files locally

3. WordPress backup scheme and backup script

4. Rsync installation and configuration practice