Ssh – rsync server/daemon security

authenticationrsyncSecurityssh

I have a NAS (Netgear Readynas NV+) at home and a linux (Arch) box at work that is always on. The linux box is already running an ssh server/daemon and the NAS is already running an rsync server/daemon. The NAS does not support rsync over ssh. The way I understand it is I can either enable port forwarding on my home router to enable my linux box to initiate an rsync with the NAS or I can enable an rsync server on the linux box and allow the NAS to initiate the sync. Since my home router does not have a static ip address, I am leaning towards running an rsync server on the linux box.

Is one way more secure than another? Are there major security drawbacks to doing either?

Best Answer

Go with what's already setup, if ssh on the work box is already an open/monitored/supported/audited service then try to do the rsync via that. Not opening up new ports/services is generally safest. Not opening up insecure protocols to the internet is even better =)

You can get ssh access to the ReadyNas (if you don't mind some hassle from Netgear in the event of a "i deleted my nas" support call). Then rsync -e ssh from the command line which leaves nothing else to setup. Auth, wire security and user/file permissions are all provided by ssh/remote shell setup on work box.

For opening up ssh on your home network:

The dynamic IP hassles can be covered by running a free dynamic DNS service.
Restrict access to the port to your work box's public IP.
Some routers allow you to set a source IP in the NAT rule.
SSH can be secured with iptables and more

As DarkHeart mentioned, rsync by itself over an unsecure network is not a good idea. The tunnel and vpn mentioned is a good work around. You can keep the aforementioned ssh tunnel up with autossh. You may want to depend on some rsync security if your going to leave a tunnel up depending on who else has access to either end.

Also, if you haven't already, discuss what your doing with someone. Detail what data is going in/out of the network. Think about what data might be able to go out if everything goes wrong. Document your process somewhere.

I'll start with the raw facts :

You have: A - your FreeBSD box, B - your router and C - some machine with Internet access. This is how it looks like:

.-----.      .-----.                        .-----.
|  A  |  ==  |  B  |  - - ( Internet ) - -  |  C  |
'-----'      '-----'                        '-----'
\_________ ________/
          v
           `- this is your LAN

Notice how your router normally works: it allows connections from machines on your LAN to the Internet (simply speaking). So if the A (or any other machine on LAN) wants to access the Internet, it will be allowed (again, just talking about basic understanding and configuration) :

.-----.      .-----.                        .-----.
|  A  |  ==  |  B  |  - - ( Internet ) - -  |  C  |
'-----'      '-----'                        '-----'
      `-->----'  `--->--->---^

And the following is not allowed by default:

.-----.      .-----.                        .-----.
|  A  |  ==  |  B  |  - - ( Internet ) - -  |  C  |
'-----'      '-----'                        '-----'
      `--<----'  `---<--- - - - - --<---<-----'

(That is, the router protects the machines on your LAN from being accessed from the Internet.) Notice that the router is the only part of your LAN that is seen from the Internet¹⁾.

Port forwarding is what allows the third schema to take place. This consists in telling the router what connection from C²⁾ should go to which machine on the LAN. This is done based on port numbers - that is why it is called port forwarding. You configure that by instructing the router that all the connections coming on a given port from the Internet should go to a certain machine on LAN. Here's an example for port 22 forwarded to machine A:
```
.------.     .-------.                        .-----.
|  A   | ==  |   B   |  - - ( Internet ) - -  |  C  |
|      |     |       |                        '-----'
'-|22|-'     ',--|22|'                          |
    `--<-22---'    `---<---- - - - - - --<-22---'
```
Such connections through the Internet occur based on IP addresses. So a bit more precise representation of the above example would be:
```
.------.      .-------.                                .-----.
|  A   |  ==  |   B   | - - - - - ( Internet ) - - - - |  C  |
|      |      |       |                                '-----'
'-|22|-'      ',--|22|'                                   |
    `--<-A:22--'    `--<-YourIP:22 - - - - --<-YourIP:22--'
```
If you do not have an Internet connection with a static IP, then you'd have to somehow learn what IP is currently assigned to your router by the ISP. Otherwise, C will not know what IP it has to connect to in order to get to your router (and further, to A). To solve this in an easy way, you can use a service called dynamic DNS. This would make your router periodically send information to a special DNS server that will keep track of your IP and provide you with a domain name. There are quite a few free dynamic DNS providers. Many routers come with configuration options to easily contact with those.

_{¹⁾ This is, again, a simplification - the actual device that is seen to the Internet is the modem - which can often be integrated with the router, but might also be a separate box.

²⁾ or any other machine with Internet connection.}

Now for what you want:

Simply allowing ssh access to your machine from the Internet is a bad idea. There are thousands of bots set up by crackers that search the Internet for machines with open SSH port. They typically "knock" on the default SSH port of as many IPs as they can and once they find an SSH daemon running somewhere, the try to gain bruteforce access to the machine. This is not only a risk of potential break-in, but also of network slow-downs while the machine is being bruteforced.
If you really need such access, you should at least
- assure that you have strong passwords for all the user accounts,
- disallow root access over SSH (you can always log in as normal user and su or sudo then),
- change the default port on which your SSH server would run,
- introduce a mechanism of disallowing numerous SSH login attempts (with icreasing time-to-wait for subsequent attempts - I don't remember how exactly this is called - I had it enabled some time ago on FreeBSD and I recall it was quite easy - try searching some FreeBSD forums etc. about securing SSH an you'll find it.)
- If possible, try to run ssh daemon only when you know you will be accessing the machine in near future an turn it off afterwards
Get used to going through your system logs. If you begin noticing anything suspicious, introduce additional security mechanisms like IP tables or port knocking.

Ssh – How to debug SSH port forwarding

I am thinking you problem is not in the port forwarding, but another option in the NAT config in the router.

First, ensure if you use your LAN IP, you can successfully SSH from another machine on the network. This ensures SSH works at all.

Second, test from another machine outside the network using the public IP. This ensures that port forwarding works.

Third, test from that same machine outside the network and use the DynDNS URL. This ensures that DynDNS is working properly.

If all of those succeed, then nothing is wrong with your configuration (which I'll assume is correct) and you problem is only accessng the public IP (either directly or through DynDNS) from inside the network. This means that your router needs to have NAT reflection enabled (if possible) to route internal requests as if they were external requests for the public IP.

Best Answer

Related Solutions

SSH Port Forwarding – How to Access Home Machine from Anywhere

I'll start with the raw facts :

Now for what you want:

Ssh – How to debug SSH port forwarding

Related Question