Offering an RSync Module over the Internet with SSH

  • Hi,


First, sorry for the question on the last version of OMV. I’m hoping this is an easy answer.

I want to be able to sync files with a partner far away. I’d like to expose an rsync connection from OMV to the outside world via SSH with SSH key authentication.

    Of course, I need to forward the correct port from my router to my OMV. But, I don’t want to expose the ssh login to the outside world.

    And here is where I get stuck. Is there a simple way to set this up so that my partner can sync with certain modules (shares) on the OMV on my network, using key authentication without exposing SSH login as well?

    I hope this question makes sense. I searched this forum and I think I don't understand enough about rsync and ssh to understand the other similar questions.

For what it’s worth, I have configured SFTP from the omv-extras to do exactly what I want (router is forwarded to port xxxxx, the sftp service is listening/responding on that port, we can authenticate with the ssh public key and use the shares that I’ve granted access to, and ssh login from outside my LAN is not permitted). Now I’d like to do the same type of thing with rsync instead of sftp.

    Is this possible and easy with OMV4?


    Thanks,
    Steve

Why don't you want to expose an ssh port? If you have password auth turned off, there is little risk. Using a non-standard port and fail2ban would make it even better.


    rsync can sync via rsync or rsync over ssh. You shouldn't use rsync directly over the internet. rsync over ssh is very good. You can still specify modules this way.

    omv 5.5.17-3 usul | 64 bit | 5.4 proxmox kernel | omvextrasorg 5.4.2
    omv-extras.org plugins source code and issue tracker - github


    Please read this before posting a question.
    Please don't PM for support... Too many PMs!
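One concrete way to get "rsync over ssh with key auth, but no shell login for that key", as an added example that is not code from this thread or from OMV: pin the partner's key to a forced command in authorized_keys so that sshd only ever runs an rsync server for it. The share path /srv/shares/partner, the login name partner, the host nas.example, the key file ~/.ssh/partner_key and the forwarded port 2222 are all hypothetical values chosen for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from OMV: restrict one SSH key
# so that it can only run rsync's server side underneath a single directory.
# That is what the original poster asked for: rsync over SSH with key auth,
# but no usable shell login for that key.
#
# Hypothetical names (none of these come from the page): the share lives in
# /srv/shares/partner, the partner's key is in ~/.ssh/partner_key, the NAS is
# nas.example, and the router forwards port 2222 to it.

ALLOWED_ROOT="${ALLOWED_ROOT:-/srv/shares/partner}"

# Line for ~partner/.ssh/authorized_keys on the OMV box. "restrict" disables
# port/agent/X11 forwarding and pty allocation; command= makes sshd run the
# gate script instead of whatever the client asked for. The client's original
# request is handed to the gate in $SSH_ORIGINAL_COMMAND.
authorized_keys_line() {
    pubkey="$1"    # contents of the partner's .pub file
    printf 'restrict,command="/usr/local/bin/rsync-gate" %s\n' "$pubkey"
}

# Gate decision: allow only "rsync --server ..." whose target path stays
# inside the allowed root. Returns 0 to allow, 1 to refuse.
# Limitation: paths containing spaces are not handled (use rsync -s / rrsync
# for that); this keeps the example short.
check_rsync_command() {
    cmd="$1"
    root="$2"
    case "$cmd" in
        "rsync --server "*) ;;            # must be rsync in server mode
        *) return 1 ;;
    esac
    case "$cmd" in                        # options that could escape the sandbox
        *--rsh*|*--rsync-path*|*--log-file*) return 1 ;;
    esac
    path="${cmd##* }"                     # last word is the server-side path
    case "$path" in
        ..|../*|*/..|*/../*) return 1 ;;  # no traversal
    esac
    case "$path" in
        "$root"|"$root/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Body of /usr/local/bin/rsync-gate, as sshd would invoke it.
rsync_gate() {
    if check_rsync_command "${SSH_ORIGINAL_COMMAND:-}" "$ALLOWED_ROOT"; then
        set -f                            # no globbing while re-splitting
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "rsync-gate: refused: ${SSH_ORIGINAL_COMMAND:-<no command>}" >&2
    exit 1
}

# Client side: what the partner types, going through the forwarded port.
rsync_client_command() {
    printf 'rsync -avz -e "ssh -p 2222 -i ~/.ssh/partner_key" partner@nas.example:%s/ ./partner-copy/\n' "$ALLOWED_ROOT"
}

# Demo output (a constructed key, not a real one):
authorized_keys_line "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterial partner@laptop"
rsync_client_command
```

With this in place the partner can sync, but `ssh -p 2222 partner@nas.example` gets no shell: sshd ignores the requested command and runs the gate, which refuses anything that is not an rsync server inside the share. rsync itself ships a more complete version of this gate, rrsync (in the rsync source's support directory; Debian packages it under /usr/share/doc/rsync/scripts/), which also supports a read-only mode and an explicit option allowlist, so for production prefer `command="rrsync -ro /srv/shares/partner"` over a hand-written wrapper.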

Thanks for your thoughts on using rsync over ssh (using a non-standard port and potentially fail2ban). That makes sense.


    Why didn't I want to do this? I know enough about UNIX networking from days of old to be concerned about security, and I don’t know nearly enough about ssh tunnelling and modern linux/debian/omv configuration to feel confident configuring things so they are secure.


What I liked about the OMV sftp plugin is how straightforward the gui menus are to set it up. It was easy to move an sftp listener to a non-standard port, and it was also simple to create users and assign the shares they access (especially after reading the key info in your old forum posts about the sftp-access privilege group).

I would like to see the same configuration options under the rsync service in the OMV gui for rsync over ssh. Rsync seems just slightly more complicated because you have to make changes to the ssh service while you’re configuring the rsync service and make sure it’s all secure. I will also have to remember the relation between the ssh configuration and the rsync configuration years from now when I go to change something else so that I don’t open up a new security hole. (Although I should remember not to enable login :P)


Although it would be nice for me at least, it looks like rsync on OMV doesn’t offer those options exactly. I feel a bit more confident setting it up after your thoughts though.


One more question: Is it possible to listen for ssh connections on 2 ports? (Probably by changing config files, because I’m pretty sure it’s not an option from the omv menus.) If that’s possible, can I disable password auth on one port but not the other?


My idea would be to leave ssh on port 22 with password auth on my LAN so I can keep administering things the way I’m used to. I would offer another ssh listener for rsync on an open non-standard port that rejected password auth. (This would be more or less what the sftp plugin seems to be doing for sftp.) I’ll google around for answers, but I’m curious about your thoughts.


    Thanks

Although it would be nice for me at least, it looks like rsync on OMV doesn’t offer those options exactly.

It does, but they have to be manually typed in the remote text field.


My idea would be to leave ssh on port 22 with password auth on my LAN so I can keep administering things the way I’m used to. I would offer another ssh listener for rsync on an open non-standard port that rejected password auth.

I have my internal systems running on port 22 but use port forwarding on my pfsense box to forward from a different listening port on the internet. There is no way to have a second port or enable password auth with my port forwarding setup. You would need to start another ssh daemon similar to how the sftp plugin does. If you copied the current sshd config, changed the port and password auth, copied the unit file, changed the config in the new unit file, did a systemctl daemon-reload, and enabled/started the new unit file, you would have the second port to do what you want. It just wouldn't be maintained by omv.

    Why didn't I want to do this? I know enough about UNIX networking from days of old to be concerned about security, and I don’t know nearly enough about ssh tunnelling and modern linux/debian/omv configuration to feel confident configuring things so they are secure.

    I consider ssh with password auth disabled to be just as secure as vpn and have had an ssh port open on the internet for 15+ years. You don't need to worry about Linux.


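The second-daemon recipe in the reply above (copy the sshd config, change the port and password auth, copy the unit file, point it at the new config, daemon-reload, enable and start), written out as an added example that is not code from this thread or from OMV. The port 2222, the login name partner, the config path /etc/ssh/sshd_config.rsync and the unit name sshd-rsync.service are assumptions made for the example; the helper functions are hypothetical and not part of OMV.

```shell
#!/bin/sh
# Added example, not code from the thread or from OMV: build a second sshd
# instance for rsync only, following the steps in the reply above (copy the
# sshd config, change the port and password auth, copy the unit file, point
# it at the new config, daemon-reload, enable/start). Port 22 on the LAN stays
# as OMV manages it; this instance is the one you forward from the router.
#
# Hypothetical values (not from the page): port 2222, login name "partner",
# config /etc/ssh/sshd_config.rsync, unit sshd-rsync.service.

# Directives the rsync instance overrides; everything else (HostKey lines,
# ciphers, logging) is inherited from the admin's existing config. Any
# Match blocks are dropped, since they would not apply as intended here.
DROP='^[[:space:]]*(Port|ListenAddress|PidFile|PasswordAuthentication|ChallengeResponseAuthentication|KbdInteractiveAuthentication|PubkeyAuthentication|AllowUsers|AllowTcpForwarding|AllowAgentForwarding|X11Forwarding|PermitTTY|Subsystem)[[:space:]]'

# derive_rsync_sshd_config BASE_CONFIG PORT USER  -> new config on stdout
derive_rsync_sshd_config() {
    base="$1"; port="$2"; user="$3"
    sed -E '/^[[:space:]]*Match[[:space:]]/,$d' "$base" | grep -Ev "$DROP" || true
    cat <<EOF
# --- rsync-only instance (generated) ---
Port $port
PidFile /run/sshd-rsync.pid
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers $user
AllowTcpForwarding no
AllowAgentForwarding no
X11Forwarding no
PermitTTY no
EOF
}

# rsync_sshd_unit CONFIG_PATH -> systemd unit on stdout
rsync_sshd_unit() {
    cfg="$1"
    cat <<EOF
[Unit]
Description=OpenSSH server, rsync-only instance ($cfg)
After=network.target

[Service]
ExecStartPre=/usr/sbin/sshd -t -f $cfg
ExecStart=/usr/sbin/sshd -D -f $cfg
ExecReload=/bin/kill -HUP \$MAINPID
KillMode=process
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
}

# The actual install, to be run as root on the OMV box. Not called here.
install_rsync_sshd() {
    port="$1"; user="$2"
    cfg=/etc/ssh/sshd_config.rsync
    derive_rsync_sshd_config /etc/ssh/sshd_config "$port" "$user" > "$cfg"
    rsync_sshd_unit "$cfg" > /etc/systemd/system/sshd-rsync.service
    /usr/sbin/sshd -t -f "$cfg"            # refuse to go further on a bad config
    systemctl daemon-reload
    systemctl enable --now sshd-rsync.service
    # remember the router: forward the external port to $port only, never to 22
}

# Preview against a constructed base config (the real one lives in /etc/ssh):
tmpcfg=$(mktemp)
printf 'Port 22\nHostKey /etc/ssh/ssh_host_ed25519_key\nPasswordAuthentication yes\nSubsystem sftp /usr/lib/openssh/sftp-server\nMatch User admin\n    PermitTTY yes\n' > "$tmpcfg"
derive_rsync_sshd_config "$tmpcfg" 2222 partner
rm -f "$tmpcfg"
```

The generated config answers the "two ports, password auth on only one" question directly: the LAN instance on 22 keeps whatever OMV wrote, while the forwarded instance only accepts keys, only for the partner account, and grants no tty or forwarding. `sshd -t -f` in ExecStartPre means a typo in the copied config stops the unit from starting rather than silently running with defaults. As the reply says, OMV does not know about this unit, so re-check it after OMV upgrades rewrite /etc/ssh/sshd_config.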

:thumbup: cool, thanks. Yes, now that you mention it I could also forward my external port to internal port 22. That’s a good tip for me.


Thanks for the thoughts and tips on starting a new sshd. I will try this at some point. I think you gave me enough to go on.


And, I trust linux to be secure—I don’t trust myself to understand all the config issues, so I get nervous with security. That’s why I prefer to stick with the easy menus on OMV when I can. (I’ve really come to appreciate the OMV setup and menus—so thanks to the OMV team). You point out all the places I need to be aware of, and so that helps me relax.


    Thanks again.
