
Secure your rsync shares - stevekemp
http://blog.steve.org.uk/secure_your_rsync_shares__please_.html
======
gketuma
I recently bought a lenovo ix2 NAS and was having some issues setting up
rsync. Decided to go to their forums and found out that they turn on rsync by
default and insecure. So if you have this device connected to your network
with default settings (which I presume many people will do), anyone on the
internet can see your backups. Here is the comment from one person who made
the discovery and according to him, he can scan and see people's backups.
[http://forums.lenovo.com/t5/Iomega-Network-Storage/Security-...](http://forums.lenovo.com/t5/Iomega-Network-Storage/Security-Vulnerability-in-Lenovo-IX2-DL/m-p/1430085/highlight/true#M1618)

~~~
stevekemp
That's pretty bad, thanks for highlighting it.

I could certainly see patterns in the things that were exposed. A lot of hosts
exposed either:

* A single share called "squid".

* A pair of shares called "sql" & "www". That made me think of a control-panel of some kind.

------
UnoriginalGuy
What is interesting is that the rsync daemon is not something typically
enabled by default, you have to go in and manually turn it on, and if you
don't alter the configuration to add users and passwords, it simply won't
allow login at all.

So someone has gone out of their way to set up insecure rsync daemons.

I wonder if all of these open rsync daemons are due to poorly configured
appliances like a NAS or some other "turn-key" vendor supplied kit. But even
then it is a strange thing to enable insecurely...

~~~
stevekemp
One of the comments below did mention an insecure-by-default NAS:

[https://news.ycombinator.com/item?id=7232518](https://news.ycombinator.com/item?id=7232518)

------
__david__
Part of me thinks the best way to bring attention to this is to make your
search engine and publish it.

I don't see how this exposes liability for you—is Google liable when people
leave their printer's/router's/fax's/whatever's web configuration interfaces
on the public internet with no password? I don't believe they are, and I've
seen a number of Google searches in the past on the Hacker News front page
linking to pages and pages of them.

However, like Google, you probably want to have a quick way for people to
remove their site from the index once they've discovered and secured it.

I, for one, would love to see a search engine of public rsync servers.

~~~
rlpb
The law is not an algorithm that can be applied to tell you whether something
is legal or not.

Both intent and context come into it heavily. If the majority of rsync shares
contain private data, such that your search engine is effectively a private
data search engine and can't really be used for anything else without
continuously stumbling across more private data, then it _could_ easily be
considered radically different from Google's situation.

~~~
lutusp
> The law is not an algorithm that can be applied to tell you whether
> something is legal or not.

That may be true in practice, but that's what the law is _supposed to be_ --
an unambiguous social signaling system, that applies to all persons equally,
without vagueness or the possibility of terminological confusion.

If a given law can be shown to be vague or confusing, it can be declared
unconstitutional. Whether it _will_ be declared unconstitutional depends on
whether anyone is willing to fight about it in court.

But the principle of public law is -- yes! -- that it is an "algorithm that
can be applied to tell you whether something is legal or not." A failure in
this role represents a failure in the legal system itself.

> Both intent and context come into it heavily.

Absolutely false. Someone who breaks the law can't argue that their intent or
the context makes any difference. That might affect the punishment, but it
doesn't affect the question of guilt.

~~~
IanCal
> Absolutely false. Someone who breaks the law can't argue that their intent
> or the context makes any difference. That might affect the punishment, but
> it doesn't affect the question of guilt.

How would you explain the difference between murder and manslaughter then? If
someone dies on the operating table because the surgeon accidentally nicks an
artery that's different from them _actively trying to kill someone_. The act
is identical, only the intent is different.

Intent is, and should be, a deciding factor in whether or not someone is
guilty of a crime.

~~~
lutusp
>How would you explain the difference between murder and manslaughter then?

Circumstances, which can only affect the punishment, not the judgment that a
crime has taken place. But I already said this.

~~~
IanCal
Did you stop reading there?

> If someone dies on the operating table because the surgeon accidentally
> nicks an artery that's different from them actively trying to kill someone.
> The act is identical, only the intent is different.

In one case, there was a crime, in the other there wasn't.

> Circumstances, which can only affect the punishment, not the judgment that a
> crime has taken place. But I already said this.

The circumstances which change _the crime committed_. Not just punishment.

~~~
lutusp
I shouldn't have made my original claim without thinking about the fact that
there really are crimes that are defined by what is in a person's mind, apart
from their actions. One thought, acceptable. Another thought, crime. Thought
crime.

So I was being naive and you are right. And George Orwell was right.

~~~
GhotiFish
I, uh, don't know about that, but I will say that thought and intent are not
the same.

Thinking about murdering someone and not taking any action to that effect,
then actually killing that person; VS taking action to do it, strike me as
different.

It's possible that they are legally the same, but I doubt the court can do
much to prove thought without a confession.

IANAL

~~~
lutusp
> I, uh, don't know about that, but I will say that thought and intent are not
> the same.

True, but it's to some extent splitting hairs, because intent is often (but
not always) constructed from thoughts.

> Thinking about murdering someone and not taking any action to that effect,
> then actually killing that person; VS taking action to do it, strike me as
> different.

Most courtroom battles on these issues revolve around trying to reconstruct
intent based on things that actually happened and that can be presented as
testimony. Premeditation, for example -- the difference between degrees of
murder in many states -- might be inferred by a person's actions leading up to
a crime, and afterward.

> It's possible that they are legally the same, but I doubt the court can do
> much to prove thought without a confession.

It's commonplace for prosecutions to proceed on the basis of a record of
actions that are used to infer thoughts and intents.

------
ars
When installing a new machine one of the first things you should do is run

    netstat -tnlp | grep -v 127.0.0 | grep -v ::1:

Then uninstall or reconfigure anything that is listening remotely.

~~~
dsr_
The problem is rarely at installation time. The problem is three years later,
when you know that you've got rsync because it's so useful, but you don't
remember that you left rsyncd running.

Internal and external nmap sweeps: always a good idea*

*If you don't own the network, get permission first.

~~~
jimktrains2
If you have system monitoring tools, then you could make one of the things it
monitors a script that does

    netstat -plan | grep -v 127.0.0.1 | grep -v ::1 | grep -v ssh | grep -v <anything you know should be running> | wc -l

~~~
ars
Don't use -a though :)

Use -t to avoid listing local sockets.

So -pltn not -plan
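A version of that monitoring check with the `-t`/`-l` correction applied, added here as an example rather than anything posted in the thread: it parses `netstat -tlnp` output, ignores loopback bindings, and reports listeners whose program is not on an allowlist (the sample output, the allowlist and the function names are constructed).

```shell
# Constructed sample of `netstat -tlnp` output (hypothetical host, not real data).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      812/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1023/sshd
tcp        0      0 0.0.0.0:873             0.0.0.0:*               LISTEN      1200/rsync
tcp6       0      0 ::1:631                 :::*                    LISTEN      812/cupsd
tcp6       0      0 :::22                   :::*                    LISTEN      1023/sshd'

# Programs that are expected to listen on non-loopback addresses (allowlist).
EXPECTED='sshd'

# unexpected_listeners: read `netstat -tlnp` output on stdin and print one
# "address program" line per listening TCP socket that is bound to a
# non-loopback address and whose program is not on the allowlist.
# netstat needs root to show program names; otherwise the column is "-" and
# the socket is reported as "?" so it is never silently ignored.
unexpected_listeners() {
    awk -v expected="$EXPECTED" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            addr = $4
            if (addr ~ /^127\./ || addr ~ /^::1:/) next   # loopback only: fine
            split($7, p, "/")
            prog = (p[2] == "") ? "?" : p[2]
            if (!(prog in ok)) print addr, prog
        }'
}

# unexpected_count: number of such sockets on the sample, the kind of single
# number a monitoring system can alert on when it is not zero.
unexpected_count() {
    printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners | wc -l | tr -d ' '
}
```

In real use feed the live command instead of the sample: `netstat -tlnp | unexpected_listeners`. On current Linux distributions `ss -tlnp` has replaced netstat and lays its columns out differently, so the awk field numbers would need adjusting.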

------
jonalmeida
Consider writing a post on how one can go about different ways to secure their
rsync shares.

I'd like to set one up, but I know close to nothing of how it works.

~~~
stevekemp
Please do see the comment later down, about the "hosts allow" setting for the
rsync-daemon.

But in short you either need to restrict access by IP, configure a password,
or disable the daemon and run rsync via SSH which avoids the problem entirely.
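The first two options side by side, added here as an example that is not from the thread: a constructed rsyncd.conf module as an exposed NAS might ship it, the same module with `hosts allow` and `auth users` set, and a small audit function that flags modules missing either control or left writable (the module name, path, network and user name are made up).

```shell
# Constructed sample: a module exposed the way the thread describes, with no
# address restriction, no authentication, and write access.
WEAK_CONF='[backups]
    path = /mnt/backups
    read only = no'

# Constructed sample: the same module restricted by IP and by password, as
# stevekemp suggests. rsync refuses a secrets file that other users can read
# (strict modes), so the file should be chmod 600.
HARDENED_CONF='[backups]
    path = /mnt/backups
    hosts allow = 192.168.1.0/24
    auth users = backup
    secrets file = /etc/rsyncd.secrets
    read only = yes
    list = no'

# audit_rsyncd_conf: read an rsyncd.conf on stdin and print one finding per
# module that lacks "hosts allow" or "auth users", or that is writable.
# Parameters before the first [module] are globals inherited by every module.
audit_rsyncd_conf() {
    awk '
        BEGIN { split("", global); split("", seen) }
        function val_of(k) { return (k in seen) ? seen[k] : (k in global) ? global[k] : "" }
        function report(m) {
            if (m == "") return
            if (val_of("hosts allow") == "") print m ": no hosts allow (reachable from any address)"
            if (val_of("auth users") == "") print m ": no auth users (anonymous access)"
            if (val_of("read only") ~ /^(no|false|0)$/) print m ": read only = no (writable)"
        }
        /^[ \t]*[#;]/ { next }                          # comment line
        /^[ \t]*\[.*\][ \t]*$/ {                        # [module] header
            report(module); for (k in seen) delete seen[k]
            gsub(/^[ \t]*\[|\][ \t]*$/, ""); module = $0; next
        }
        /=/ {                                           # key = value
            key = $0; sub(/[ \t]*=.*/, "", key); gsub(/^[ \t]+/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (module == "") global[tolower(key)] = tolower(val)
            else seen[tolower(key)] = tolower(val)
        }
        END { report(module) }'
}

# finding_count: number of findings for a config given as a string.
finding_count() {
    printf '%s\n' "$1" | audit_rsyncd_conf | wc -l | tr -d ' '
}
```

To check a running system, run `audit_rsyncd_conf < /etc/rsyncd.conf`; the third option, rsync over SSH, needs no daemon config at all.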

------
api
Google searches for things like "inurl:PAYROLL.XLS" are always good for a
hoot.

~~~
UnoriginalGuy
Many of the top results are organisations which are legally required to
publish their payroll (public universities, government agencies, and so on).

So it isn't quite as bad as it might immediately appear...

------
uslic001
What is best way to secure rsync shares?

~~~
SEJeff
Don't run rsync in daemon mode, only use it over ssh. Then there is no problem.

~~~
RexRollman
Are rsync passwords normally plaintext if not over ssh?

------
mpchlets
Oh it's people like you that ruin security through obscurity :P

