Mailinglist Archive: opensuse-security (757 mails)

Re: [suse-security] Restricting rsync to ssh only
On Wednesday 23 January 2002 15:05, Togan Muftuoglu wrote:

> Sorry if the question has been asked before and already replied to; then
> just point me rather than sending flames, as it has already been an extremely
> bad day.
>
> This is what I want to do
>
> I am placing a webserver on DMZ (192.168.2.2). Apache is running
> chrooted via compartment, the web pages are located at $CHROOT/webhome, and
> the directory and files are owned by wwwrun.nogroup.
>
>
> I want to be able to run rsync to update the web pages however I only
> want to open the minimum number of ports in the firewall.
>
> The question is: how can I force rsync to accept communication from ssh
> only rather than from the rsync port?

Just make sure you don't have the rsyncd enabled, by inetd, or running
standalone (if it can do that).

Taking a belt and braces approach, block daemons with hosts.allow and
hosts.deny, block the rsync port in your packet filter, comment out unwanted
daemons in inetd (consider if you really need inetd running at all). And
then run netstat -lp to see what programs are listening on what ports. It's
very similar to disabling Sun RPC portmapper.

Rob
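
The inetd and listening-port checks from the reply above, as an added example that is not part of the original message: a small audit that flags an active rsync entry in inetd.conf text or a listener on the rsync port (873) in netstat output. The function names and all sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. All sample data is constructed.

# Print active (uncommented) inetd.conf entries for service $1; config on stdin.
inetd_active() {
    awk -v svc="$1" '$1 == svc { print }'
}

# Print "local-address pid/program" for TCP listeners on port $1 or service
# name $2; expects netstat -lp (names) or netstat -lnp (numbers) on stdin.
listeners_on() {
    awk -v port="$1" -v name="$2" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, part, ":")   # port is the last ":"-separated piece
            if (part[n] == port || part[n] == name) print $4, $NF
        }'
}

# Exit status 0 if an rsync daemon is enabled or listening, 1 if neither.
# $1 = inetd.conf text, $2 = netstat output text
rsync_daemon_exposed() {
    found=1
    hit=$(printf '%s\n' "$1" | inetd_active rsync)
    if [ -n "$hit" ]; then echo "inetd.conf enables rsync: $hit"; found=0; fi
    hit=$(printf '%s\n' "$2" | listeners_on 873 rsync)
    if [ -n "$hit" ]; then echo "rsync port is listening: $hit"; found=0; fi
    return "$found"
}

# Constructed sample: rsync still enabled in inetd and bound to port 873.
SAMPLE_INETD='# service type proto flags user server args
#ftp   stream tcp nowait root /usr/sbin/tcpd in.ftpd
rsync  stream tcp nowait root /usr/sbin/tcpd /usr/bin/rsync --daemon'

SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address   Foreign Address State  PID/Program name
tcp        0      0 0.0.0.0:22      0.0.0.0:*       LISTEN 412/sshd
tcp        0      0 0.0.0.0:873     0.0.0.0:*       LISTEN 388/inetd
tcp        0      0 192.168.2.2:80  0.0.0.0:*       LISTEN 501/httpd'

if rsync_daemon_exposed "$SAMPLE_INETD" "$SAMPLE_NETSTAT"; then
    echo "FAIL: disable rsyncd so only ssh carries rsync traffic"
else
    echo "OK: no rsync daemon; rsync reachable via ssh only"
fi
```

On a live host the same function can be fed real data, for example `rsync_daemon_exposed "$(cat /etc/inetd.conf)" "$(netstat -lnpt)"`, run as root so the PID/program column is populated.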
