• Status: Solved

How To properly secure rsync traffic from onsite ReadyNAS to offsite ReadyNAS

OK, I am trying to set up my first offsite backup, and right now both boxes are in the same building rsyncing nightly without encryption (obviously)...now I want to be ready when I take it offsite and not have to poke at it for days to get it to work...I want to make sure it is working beforehand...I have a little experience with stunnel but next to none with Linux/Unix commands...not to mention I don't have all the options most people have because I am using the rsync feature native to the ReadyNAS boxes...so my thought was to run stunnel on the local server and point the local NAS to the internal server running stunnel and have it redirect to a secure port; then on the other end I have an ISA 2006 firewall and I will have the box behind it...now I can't change the port the ReadyNAS listens on (to my knowledge), so how would I make the redirection back to the normal rsync port of 873 so it will send it to the box on my network...here is a rough diagram of what I am trying to say


ReadyNAS box on client network--->firebox---cloud---ISA Firewall--->Readynas box on my network


How do I make sure the data is encrypted during this process? Can it be done with stunnel?

any help is appreciated
0
lacunabridge
1 Solution
 
ai_ja_nai Commented:
Easy, use SSH.
Add the option -e ssh and you are set. Of course, both destination and source must have ssh installed. This way the script will ask for passwords every time, but you can use key-based authentication to work around it.
Example:

rsync -aze ssh user@host:/path/to/source /path/to/destination

and you are done :)
0
 
Hedley Phillips (Owner) Commented:
Run through this guide I use:

Installing ssh and rsync on a Windows machine: minimalist approach
http://optics.ph.unimelb.edu.au/help/rsync/rsync_pc1.html
0
 
ai_ja_nai Commented:
Oh, sorry, I didn't notice you needed it for Windows Server... then this guide is also good: http://ist.uwaterloo.ca/~kscully/CygwinSSHD_W2K3.html
0
 
lacunabridge (Author) Commented:
Hey guys, thanks for the prompt responses, but I don't think my problem is that simple...see, the NAS devices don't have any native SSH support...here is what I am going to try, and I think I already have it working...please tell me if it is way off and why...not only do I want this to work but I want to learn why it works...anyway


Here is what I did:

I installed stunnel as the client on the client's in-house server...then I installed stunnel (as a server with PEM cert) on my server where the offsite box will be located. Here is how everything points:


Client NAS rsync-->server running stunnel listening on 873 then redirects to offsite public ip address through port 22-----------Internet-----------ISA 2006 forwards port 22 to my server running stunnel server listening on port 22 that then redirects to the offsite local ip address of the nas box with the 873 port number


Is that secure or am I missing something...that's what I don't grasp...I know 22 is the SSH port, but does that mean anything sent through that port is secure?



thanks guys
0
 
ai_ja_nai Commented:
Mh, the traffic between offsite public and server should actually be encrypted (but not between server and NAS).
If you are in doubt, try to dump the traffic with tcpdump on ISA 2006 and see if you can take a peek at the packets' content. If you can, the traffic is in the clear and your data is insecure. If not, you are OK.
Practice is always better than unverified theory.

Otherwise, you may run ssh on your final server, which mounts your NAS's disks as a network filesystem. Rsync would contact your server, which redirects the stream of clear, unencrypted data to the NAS device.
0
 
lacunabridge (Author) Commented:
Sorry I haven't responded to anyone, I'm waiting for a few things to happen before I troubleshoot this again this week.
0
 
ai_ja_nai Commented:
If you want to know if traffic is secured, put a sniffer in the middle of the encrypted line and try to dump the traffic. If you get garbage, then you are secured.
0
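The check described in the two comments above (dump the traffic and look at what the packets contain), as an added example that is not part of the original thread: it labels a TCP stream by its opening payload bytes rather than by port number, so stunnel traffic on port 22 shows up as TLS and an unwrapped rsync daemon session shows up as cleartext. The function names and the sample payloads are assumptions constructed for illustration; in practice the bytes would come from the first data packet of each stream in a capture.

```python
RSYNC_GREETING = b"@RSYNCD:"          # rsync daemon banner, sent in the clear
SSH_BANNER = b"SSH-"                  # SSH identification string
TLS_CONTENT_TYPES = {20, 21, 22, 23}  # change_cipher_spec, alert, handshake, app data
TLS_MAX_RECORD = 16384 + 2048         # largest ciphertext record TLS 1.2 allows


def looks_like_tls_record(data: bytes) -> bool:
    """True if data opens with a plausible TLS record header."""
    if len(data) < 5:
        return False
    length = int.from_bytes(data[3:5], "big")
    return (data[0] in TLS_CONTENT_TYPES and data[1] == 3 and data[2] <= 4
            and 0 < length <= TLS_MAX_RECORD)


def classify_stream(first_bytes: bytes) -> str:
    """Label a TCP stream by its opening payload bytes, ignoring the port number."""
    if first_bytes.startswith(RSYNC_GREETING):
        return "cleartext-rsync"
    if first_bytes.startswith(SSH_BANNER):
        return "ssh"
    if looks_like_tls_record(first_bytes):
        return "tls"
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in first_bytes)
    if first_bytes and printable / len(first_bytes) > 0.9:
        return "cleartext-other"
    return "unknown-binary"


# Constructed sample payloads, not taken from a real capture.
SAMPLE_STREAMS = {
    "LAN: NAS -> stunnel client, port 873": b"@RSYNCD: 30.0\n",
    "WAN: stunnel client -> stunnel server, port 22":
        bytes.fromhex("16030100c8010000c40303") + bytes(32),
    "WAN: rsync forwarded without stunnel, port 22": b"@RSYNCD: 30.0\nbackup\n",
}


def cleartext_legs(streams: dict) -> list:
    """Names of the streams whose content is readable on the wire."""
    return [name for name, data in streams.items()
            if classify_stream(data).startswith("cleartext")]


if __name__ == "__main__":
    for name, data in SAMPLE_STREAMS.items():
        print(f"{name}: {classify_stream(data)}")
```

A "tls" label only shows that the payload is framed as TLS records; it says nothing about whether the stunnel client verified the server's certificate.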
 
lacunabridge (Author) Commented:
I am guessing that the solution given isn't the best, but I have been too sidetracked to try any of it. If anyone has a problem with my decision, please let me know and I'll do what I can to make everyone happy.

thanks for your time
0
Question has a verified solution.
