
How To properly secure rsync traffic from onsite ReadyNAS to offsite ReadyNAS

Ok i am trying to setup my first offsite backup and right now both boxes are in the same building rsyncing nightly without encryption (obviously)...now i want to be ready when i take it offsite and not have to poke at it for days to get it to work...i want to make sure it is working before hand...i have a little experience with stunnel but next to none with linux\unix commands...not to mention i don't have all the options most people have because i am using the rsync feature native to the readynas boxes...so my thought was to run stunnel on the local server and point the localnas to the internal server running stunnel and have it redirect to a secure port then on the other end i have an ISA 2006 firewall and i will have the box behind it...now i can't change the port the readynas listens on (to my knowledge) so how would i make the redirection back to the normal rsync port of 873 so it will send it to the box on my network...here is a rough diagram of what i am trying to say


ReadyNAS box on client network--->firebox---cloud---ISA Firewall--->Readynas box on my network


how do i make sure the data is encrypted during this process, can it be done with stunnel?

any help is appreciated
0
Asked by: lacunabridge
 
ai_ja_nai Commented:
easy, use SSH.
add the option -e ssh and you are set. Of course, both destination and source must have ssh installed. This way the script will ask for passwords every time, but you can use key based authentication to work it around.
Example:

rsync -aze ssh user@host:/path/to/source /path/to/destination

and you are done :)
0
 
Hedley Phillips Commented:
Run through this guide I use:

Installing ssh and rsync on a Windows machine: minimalist approach
http://optics.ph.unimelb.edu.au/help/rsync/rsync_pc1.html
0
 
ai_ja_nai Commented:
Oh, sorry, I didn't notice you needed for Windows Server.. then also this guide is good http://ist.uwaterloo.ca/~kscully/CygwinSSHD_W2K3.html
0
 
lacunabridge (Author) Commented:
Hey guys, thanks for the prompt responses but i don't think my problem is that simple...see the NAS devices don't have any native ssh support...here is what i am going to try and i think i already have it working...please tell me if it is way off and why...not only do i want this to work but i want to learn why it works...anyway


here is what i did

i installed stunnel as the client on the clients in house server...then i installed stunnel (as a server with pem cert) on my server where the offsite box will be located here is how everything points


Client NAS rsync-->server running stunnel listening on 873 then redirects to offsite public ip address through port 22-----------Internet-----------ISA 2006 forwards port 22 to my server running stunnel server listening on port 22 that then redirects to the offsite local ip address of the nas box with the 873 port number


is that secure or am i missing something....that's what i don't grasp...i know 22 is the ssh port but does that mean anything sent through that port is secure?



thanks guys
0
 
ai_ja_nai Commented:
Mh, the traffic between offsite public and server should be actually crypted (but not between server and NAS).
If you are dubious try to dump the traffic with tcpdump on ISA 2006 and see if you can take a peek on packets' content. If you can, the traffic is in clear and your data is unsecure. If not, you are ok.
Practice is always better than unverified theory.

Otherwise, you may run ssh on your final server that mounts, as a network filesystem, your NAS' disks. Rsync would contact your server, that redirects the stream of clear and uncrypted data on the NAS device.
0
 
lacunabridge (Author) Commented:
sorry i haven't responded to anyone, im waiting for a few things to happen before i troubleshoot this again this week
0
 
ai_ja_nai Commented:
If you want to know if a traffic is secured, put a sniffer in the middle of the crypted line and try to dump the traffic. if you get garbage, then you are secured
0
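
A more precise form of the sniffer check suggested in this thread, as an added example that is not part of any poster's reply: rather than judging a capture by eye, it tests whether a stream opens with a TLS handshake record (what stunnel should put on the WAN leg, whatever port number is used) or with the cleartext rsync daemon greeting. The function names and sample payloads are constructed for illustration; feed it the first payload bytes of a TCP stream taken from your own capture.

```python
# Added example: classify the first payload bytes seen on a captured TCP stream.
RSYNC_GREETING = b"@RSYNCD: "   # rsync daemon greeting, sent in cleartext
SSH_BANNER = b"SSH-"            # SSH identification string prefix
TLS_HANDSHAKE = 0x16            # TLS record content type for handshake
MAX_TLS_RECORD = 16384 + 2048   # largest record body a TLS peer may send


def classify_stream(first_bytes: bytes) -> str:
    """Return 'cleartext-rsync', 'ssh', 'tls' or 'unknown' for a stream's opening bytes."""
    if first_bytes.startswith(RSYNC_GREETING):
        return "cleartext-rsync"
    if first_bytes.startswith(SSH_BANNER):
        return "ssh"
    if len(first_bytes) >= 5:
        ctype, major, minor = first_bytes[0], first_bytes[1], first_bytes[2]
        length = int.from_bytes(first_bytes[3:5], "big")
        if (ctype == TLS_HANDSHAKE and major == 3 and minor <= 4
                and 0 < length <= MAX_TLS_RECORD):
            return "tls"
    # Unreadable bytes alone prove nothing: compressed data also looks like garbage.
    return "unknown"


# Constructed sample payloads (hypothetical, not taken from a real capture).
SAMPLES = {
    "lan: NAS -> stunnel client :873": b"@RSYNCD: 30.0\n",
    "wan: stunnel client -> stunnel server :22":
        bytes([0x16, 0x03, 0x01, 0x00, 0x05]) + b"\x01\x00\x00\x01\x00",
    "wan: misconfigured, plain forward": b"@RSYNCD: 30.0\n",
    "wan: compressed but not encrypted": b"\x78\x9c\x4b\xcb\xcf\x07\x00",
}


def wan_failures(samples: dict) -> list:
    """Names of WAN-leg streams that did not open with a TLS handshake."""
    return sorted(name for name, data in samples.items()
                  if name.startswith("wan:") and classify_stream(data) != "tls")


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{classify_stream(data):16} {name}")
    print("WAN legs failing the check:", wan_failures(SAMPLES))
```

The LAN legs between each NAS and its stunnel host are expected to show the cleartext greeting, so only streams captured on the Internet-facing side are held to the TLS requirement.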
 
lacunabridge (Author) Commented:
i am guessing that the solution given isn't the best but i have been too sidetracked to try any of it, if anyone has a problem with my decision, please let me know and I'll do what i can to make everyone happy.

thanks for your time
0
