# rsync listing modules is a serious security hazard (according to the Dutch Ministerie van Economische Zaken en Klimaat)
## Ome Ko (Yesterday at 9:40 AM)

So basically this will be of interest to the Dutch rsyncing community, but I think there are some issues here that may be interesting to a broader audience too, since I had myself a bit of a learning experience in solving the issue.

Yesterday I got an email from an institution called the Digital Trust Center that seems to be part of the Dutch Ministry for Economic Affairs and the Environment. As a non-follower of Dutch politics, I was thrilled to learn that our government finally made the link between economic activities and the environment. I was also happy with the fact that this ministry sent me the email to tell me that "a serious cybersecurity hazard was threatening my company".

That sounded like tax money well spent.

Turns out the Digital Trust Center - apparently by way of their shadowserver-proxy - found out they could list the rsync modules on one of my servers when connecting to port 873.
Now this setup has been in place for about 20-odd years and I can't remember looking at the rsyncd.log ever since. But it is actually true that an rsync request from any IP address, like `rsync rsync://oneofmyservers.nl`, lists the modules that are available for rsync for certain IP numbers.

Now rsync allows you to set the allowed hosts for the daemon (which I did, of course), but I never realized that anyone, regardless of this setting, can view the modules that have the setting `list = yes`.
So I changed that to `no` in all the module configs.

Next I didn't really like the idea of kiddies (or my government) connecting to rsync at all. Not having used any firewalls on my servers for some 20-odd years (BSD rules!), I opted for the good old TCP wrapper /etc/hosts.allow functionality. Now for this to work (and to prevent you getting emails from the Dutch government) you have to remove rsyncd from the rc.d way of doing things:

    chmod -x /usr/local/etc/rc.d/rsyncd
    vi /etc/rc.conf    # and comment out rsync_enable="YES"

and use inetd to start rsync as a daemon:

    vi /etc/inetd.conf
    rsync   stream  tcp     nowait  root    /usr/local/bin/rsync    rsync --daemon

Rsync knows where the config file is (/usr/local/etc/rsync/rsyncd.conf) so you don't need to worry about that.

Next just edit /etc/hosts.allow to add

    rsync : ip.ip.ip.ip : allow
    rsync : ALL : deny

and our government can go back to spending money on economic affairs (or the environment if there's anything left).

Hope this helps someone.
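An added check for the two settings the post fixes, written for this thread rather than taken from the poster or from rsync itself: it parses a constructed rsyncd.conf (module names and addresses are made up) and reports every module that is still listable to anyone, or that has no `hosts allow` line at all, treating global parameters as module defaults the way rsyncd does.

```python
import re
# Constructed sample rsyncd.conf (not the poster's real config).
SAMPLE_CONF = """\
uid = nobody
[mirror]
    path = /srv/mirror
    hosts allow = 192.0.2.10
    list = yes
[backup]
    path = /srv/backup
    hosts allow = 192.0.2.10
    list = no
[scratch]
    path = /srv/scratch
"""

def parse_rsyncd_conf(text):
    """Parse rsyncd.conf into (global params, {module: params});
    keys are lowercased with whitespace collapsed ('hosts allow')."""
    globals_, modules = {}, {}
    current = globals_
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = modules.setdefault(m.group(1).strip(), {})
            continue
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        current[" ".join(key.lower().split())] = value.strip()
    return globals_, modules

def is_true(value):
    # rsync booleans may be written yes/no, true/false or 1/0
    return value.strip().lower() in ("yes", "true", "1")

def audit_modules(text):
    """Flag modules shown by 'rsync rsync://host/' (list defaults to yes)
    and modules with no 'hosts allow'; global params act as module defaults."""
    globals_, modules = parse_rsyncd_conf(text)
    findings = []
    for name, params in modules.items():
        effective = {**globals_, **params}
        if is_true(effective.get("list", "yes")):
            findings.append((name, "listable: 'list' not set to no"))
        if not effective.get("hosts allow"):
            findings.append((name, "no 'hosts allow' restriction"))
    return findings
```

Run it against the real file with `audit_modules(open("/usr/local/etc/rsync/rsyncd.conf").read())`; an empty list means every module is hidden from the listing and has an address restriction.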


----------

