Rsync Daemon guide and cheatsheet

Introduction

The Rsync Daemon allows Rsync to operate as a server, enabling efficient synchronization and transfer of files between networked systems. Unlike standard Rsync operations over SSH, the daemon provides fine-grained control via a dedicated configuration file. It is ideal for managing backups and synchronizations across multiple systems in a controlled environment, offering features such as user authentication, module-based permissions, and logging.

The Rsync Daemon provides a robust, efficient solution for managing file synchronization and backups across networked machines. With its module-based architecture, authentication mechanisms, and configuration flexibility, it offers significant advantages for system administrators managing large-scale backups. By following best practices and leveraging advanced features, you can optimize its performance and security for your environment.

This guide covers how to configure, use, and secure Rsync Daemon for effective server-side file synchronization.

Note: for a more general guide about Rsync see: Rsync guide and cheatsheet.


Setting Up Rsync Daemon

Installation

Ensure Rsync is installed on your server. Use the appropriate package manager for your system:

Debian/Ubuntu:

sudo apt update
sudo apt install rsync

RHEL/CentOS:

sudo yum install rsync

Fedora:

sudo dnf install rsync

Configuring Rsync Daemon

The configuration file for Rsync Daemon is typically located at /etc/rsyncd.conf. If it doesn’t exist, create it:

sudo nano /etc/rsyncd.conf

Example Configuration

Here is an example of a minimal rsyncd.conf configuration:

# Global settings
uid = nobody
gid = nogroup
use chroot = yes
read only = yes
max connections = 5
log file = /var/log/rsyncd.log

# Module definition
[backup]
    path = /srv/backup
    comment = Backup Directory
    auth users = backup_user
    secrets file = /etc/rsyncd.secrets

Configuration Explanation

  • Global settings:
      • uid/gid: The user and group that file transfers run as when the daemon is started as root.
      • use chroot: Improves security by confining each transfer to a chroot jail at the module path.
      • read only: Prevents clients from uploading to or modifying files on the server.
      • max connections: Limits the number of simultaneous connections.
      • log file: Specifies the location of the log file.
  • Module settings:
      • [backup]: Defines a named module accessible by clients.
      • path: The directory on the server for this module.
      • comment: A description for the module.
      • auth users: A comma-separated list of authorized users for this module.
      • secrets file: Path to a file containing user credentials.

Creating the Secrets File

The secrets file stores usernames and passwords for authentication. Create it and set proper permissions:

sudo nano /etc/rsyncd.secrets

Add a line for each user in the format username:password:

backup_user:securepassword

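Set permissions to secure the file. With the default strict modes setting, the daemon refuses to use a secrets file that other users can read: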

sudo chmod 600 /etc/rsyncd.secrets

Starting the Rsync Daemon

Start the Rsync Daemon manually:

sudo rsync --daemon

To run it at startup, enable the service:

Systemd (modern Linux; the unit is named rsync on Debian/Ubuntu and rsyncd on RHEL/CentOS/Fedora):

sudo systemctl enable rsync
sudo systemctl start rsync

Legacy systems:
Add the following line to /etc/rc.local:

/usr/bin/rsync --daemon

Connecting to Rsync Daemon

Use the following syntax to connect to an Rsync Daemon:

Syntax:

rsync [options] rsync://[user@]host[:port]/module [destination]

Example:
Synchronizing files from the backup module on a remote server:

rsync -av rsync://backup_user@192.168.1.100/backup/ /local/backup/

Using a Custom Port

If Rsync Daemon is configured to use a custom port, specify it in the command:

rsync -av rsync://backup_user@192.168.1.100:8730/backup/ /local/backup/

Troubleshooting Connection Issues

# Check firewall rules: Ensure port 873 (or your custom port) is open.
sudo ufw allow 873

# Verify the Rsync Daemon is running:
sudo systemctl status rsync

# Check logs: Examine the log file for errors:
sudo tail -f /var/log/rsyncd.log

Advanced Configuration

Limiting Bandwidth

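Limit bandwidth usage per connection to 500 KB/s. rsyncd.conf has no bandwidth parameter; the cap is set with the --bwlimit option when the daemon is started. It applies to data the daemon sends, and a client can request a lower rate but not a higher one:

sudo rsync --daemon --bwlimit=500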

IP Restriction

Restrict access to specific IPs or networks:

hosts allow = 192.168.1.0/24
hosts deny = *

Custom Logging

Enable detailed logging for better auditing. The log format setting only takes effect when transfer logging is enabled:

transfer logging = yes
log format = %o %h [%a] %m (%t) %f %b

Read/Write Permissions

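Allow write operations for a module. As written, this module has no auth users line, so any client that can reach the daemon can upload to it; give it auth users and a secrets file, as in the backup module, before exposing it: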

[writeable-backup]
path = /srv/writeable
comment = Writable Backup Directory
read only = no
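A configuration check for the settings discussed above, as an added example that is not part of the original guide: it parses an rsyncd.conf, applies global settings to each module, and reports modules that accept anonymous access, lack a hosts allow restriction, or disable chroot. The parser is simplified (comments, [module] headers and name = value lines only), and the function names and finding labels are chosen here for illustration.

```python
# Constructed sample: the guide's global settings plus its two modules.
SAMPLE_CONF = """\
uid = nobody
gid = nogroup
use chroot = yes
read only = yes

[backup]
    path = /srv/backup
    auth users = backup_user
    secrets file = /etc/rsyncd.secrets

[writeable-backup]
    path = /srv/writeable
    read only = no
"""

# Defaults assumed when a parameter is absent (read-only, chroot on, no auth, no host filter).
DEFAULTS = {"read only": "yes", "use chroot": "yes", "auth users": "", "hosts allow": ""}
TRUE = {"yes", "true", "1"}


def parse_modules(text):
    """Return {module: settings}; each module inherits the global settings."""
    global_cfg, modules, current = dict(DEFAULTS), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), {})
        elif "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            (global_cfg if current is None else current)[name.lower()] = value
    return {mod: {**global_cfg, **own} for mod, own in modules.items()}


def audit(text):
    """Return sorted (module, finding) pairs for settings worth a second look."""
    findings = []
    for mod, cfg in parse_modules(text).items():
        writable = cfg["read only"].lower() not in TRUE
        if not cfg["auth users"]:
            findings.append((mod, "anonymous write access" if writable else "anonymous read access"))
        if not cfg["hosts allow"]:
            findings.append((mod, "no hosts allow restriction"))
        if cfg["use chroot"].lower() not in TRUE:
            findings.append((mod, "chroot disabled"))
    return sorted(findings)
```

Calling audit() on the text of /etc/rsyncd.conf returns an empty list when every module has auth users, a hosts allow entry and chroot enabled.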

Automating Rsync Daemon Backups

Cron Job for Scheduled Backups

Add an Rsync command to the root user’s crontab for scheduled execution:

sudo crontab -e

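Add a line to run Rsync daily at 2 AM. Cron has no terminal for a password prompt, and the backup module requires authentication, so pass the password with --password-file (the path below is a placeholder; the file holds only the password and must not be world-readable):

0 2 * * * rsync -av --password-file=/path/to/password-file rsync://backup_user@192.168.1.100/backup/ /local/backup/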

Using Systemd Timer

Create a systemd service file:

sudo nano /etc/systemd/system/rsync-backup.service

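Add the following. The service cannot answer a password prompt either, so --password-file points at a placeholder path for a file that holds only the password:

[Unit]
Description=Rsync Backup

[Service]
ExecStart=/usr/bin/rsync -av --password-file=/path/to/password-file rsync://backup_user@192.168.1.100/backup/ /local/backup/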

Create a timer file:

sudo nano /etc/systemd/system/rsync-backup.timer

Add the following:

[Unit]
Description=Run Rsync Backup Daily

[Timer]
OnCalendar=*-*-* 02:00:00
Persistent=true

[Install]
WantedBy=timers.target

Enable and start the timer:

sudo systemctl enable rsync-backup.timer
sudo systemctl start rsync-backup.timer

Security Best Practices

  • Run as a dedicated user: Use a low-privileged user like nobody for the Rsync Daemon.
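  • Encrypt sensitive data: The daemon protocol does not encrypt file contents in transit, so use an SSH tunnel for extra security and point the client at localhost instead of the remote host (forwarding local port 873 requires root on the client):
      ssh -L 873:localhost:873 user@remotehost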
  • Regularly update Rsync: Keep the software updated to fix vulnerabilities.
  • Audit logs: Periodically review logs for unauthorized access attempts.
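
One way to do the log review, as an added example that is not part of the original guide: it parses transfer records written with the log format shown under Custom Logging (%o %h [%a] %m (%t) %f %b), totals the bytes sent to each client, and flags uploads or deletions on modules expected to be read-only and any transfer from outside the hosts allow network. The sample lines are constructed, and the function name and default arguments are assumptions taken from this guide's configuration.

```python
import ipaddress
import re
from collections import defaultdict

# Body produced by "log format = %o %h [%a] %m (%t) %f %b", following the
# "date time [pid] " prefix the daemon writes to its log file.
LINE = re.compile(
    r"\[\d+\] (?P<op>send|recv|del\.) (?P<host>\S+) \[(?P<addr>[^\]]+)\] "
    r"(?P<module>\S+) \((?P<time>[^)]*)\) (?P<file>.+) (?P<bytes>\d+)$"
)

# Constructed sample lines (not real log data).
SAMPLE_LOG = [
    "2025/01/10 02:00:03 [4321] send client1 [192.168.1.20] backup (2025/01/10 02:00:03) db/dump.sql 52428800",
    "2025/01/10 02:00:04 [4321] send client1 [192.168.1.20] backup (2025/01/10 02:00:04) etc/app config.ini 912",
    "2025/01/10 03:14:27 [4410] recv UNKNOWN [10.9.8.7] writeable-backup (2025/01/10 03:14:27) upload.bin 4096",
    "2025/01/10 03:15:00 [4410] connect from UNKNOWN (10.9.8.7)",
]


def review(lines, allowed_net="192.168.1.0/24", read_only=("backup",)):
    """Return (bytes sent per client address, list of alert strings)."""
    net = ipaddress.ip_network(allowed_net)
    sent, alerts = defaultdict(int), []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # not a transfer record (connects, errors, and so on)
        addr, module, op = m["addr"], m["module"], m["op"]
        if op == "send":
            # "send" is the daemon sending to the client, i.e. a download
            sent[addr] += int(m["bytes"])
        elif module in read_only:
            # recv or del. on a module that should never be written to
            alerts.append(f"{op} on read-only module {module} from {addr}: {m['file']}")
        if ipaddress.ip_address(addr) not in net:
            # hosts allow should have rejected this client before any transfer
            alerts.append(f"transfer from {addr} outside {allowed_net} on {module}")
    return dict(sent), alerts
```

An alert for an address outside the allowed network means the hosts allow rule is not being applied to that module, which is worth checking in rsyncd.conf.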
