08 October 2010

checklist RO rsync server

Setting up a new RO rsync server

The primary use case we describe is how to deploy a read-only rsync server with no end-user accounts, to be used for distribution of content (here, to move a builder's result archive that is intentionally NOT 'visible' from the internet to a more capable transfer server). From there, the content is integrated into an internal archiving server, and after that into a publicly accessible binary archive, reachable through ftp, rpm, or yum.

As before, we start with a freshly deployed and hardened PMman instance. At all times, we strive to follow proper sysadmin 'best practices' discipline under SELinux, TCP wrappers and iptables.

Install and enable rsync, the package holding the stock rsync daemon. As rsync supports wrappers, we also need xinetd, the package holding the stock inetd in recent Red Hat derived distributions. Let's get started:

  1. yum does the install trivially:

    yum install rsync xinetd
  2. Then enable the needed services:

    /sbin/chkconfig rsync on
    /sbin/chkconfig xinetd on
  3. Configure the rsync daemon's permissions and the directories it serves, in /etc/rsyncd.conf:

    [root@trap64 etc]# cd /etc
    [root@trap64 etc]# cat rsyncd.conf
    # motd file = /etc/rsyncd.motd
    log file = /var/log/rsyncd.log
    pid file = /var/run/rsyncd.pid
    lock file = /var/run/rsync.lock

    [trap64]
    path = /var/ftp/pub/local
    comment = x86_64 fruit
    uid = nobody
    gid = nobody
    read only = yes
    list = yes
    # auth users = username
    # secrets file = /etc/rsyncd.scrt
    hosts allow = 10.0.0.0/24 127.0.0.0/24
    hosts deny = 0.0.0.0/0

    [root@trap64 etc]#
  4. Set up iptables -- I do not recall the rsync daemon port off the top of my head, so I look it up:

    [root@trap64 etc]# grep rsync /etc/services | head -2
    rsync 873/tcp # rsync
    rsync 873/udp # rsync
    [root@trap64 etc]#

    ... so the port is 873. Add a rule for it alongside the existing ones, limited to the internal network:

    # localhost can do all ...
    -A RH-Firewall-1-INPUT -i lo -j ACCEPT
    # ...
    # rsync daemon
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 10.0.0.0/8 --dport 873 -j ACCEPT
    # ...
  5. Open up the TCP wrappers for rsync from the same network:

    #
    ALL: ALL@127.0.0.1
    #
    # ...
    #
    rsync: ALL@10.0.0.0/255.0.0.0
    #
  6. Restart xinetd, the daemon that enforces the wrappers:

    [root@trap64 sysconfig]# /sbin/service xinetd restart
  7. Test it by listing the modules the daemon offers:

    [root@trap64 sysconfig]# rsync localhost::
    trap64 x86_64 fruit
    [root@trap64 sysconfig]#
  8. To put it into production on a client, we can use a script like this one, run hourly from cron:

    #!/bin/sh
    #
    # this file: /root/bin/update-archive.sh
    # Copyright (c) 2010 R P Herrold
    # License: GPLv3+
    #
    # ln -s /root/bin/update-archive.sh /etc/cron.hourly/
    #
    export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
    umask 022
    # -- non local content goes into the mirror constellation
    [ ! -e /var/ftp/pub/mirror/pmman/RPMS/x86_64/ ] && \
    mkdir -p /var/ftp/pub/mirror/pmman/RPMS/x86_64/
    #
    # export VERBOSE="-v "
    export QUIET="-q "
    #
    /usr/bin/rsync -a ${VERBOSE} ${QUIET} --exclude=working \
    trap64.darkside.lan::trap64/pmman/RPMS/x86_64/. /var/ftp/pub/mirror/pmman/RPMS/x86_64/.
    chown -R root.root /var/ftp/pub/mirror/pmman/RPMS/x86_64
    #
  9. All done

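Before the daemon goes live, it is worth checking that every module in rsyncd.conf is still locked down the way steps 3 through 7 intend (read only, unprivileged uid, a hosts allow list, chroot left on, and any secrets file kept private). The script below is an added example for this post; it is not R P Herrold's script and not part of rsync. It assumes the stock rsyncd.conf layout (an optional global section, then one [module] section per export, "key = value" lines, '#' or ';' comment lines) and rsync's stock defaults, namely that "read only" and "use chroot" default to yes and "uid" to nobody. The two sample configs it writes for a stand-alone run are constructed, not taken from any real host.

```shell
#!/bin/sh
# audit-rsyncd-conf.sh: sanity-check an rsyncd.conf before a read-only
# rsync daemon goes into service.  Added example for this post, not
# R P Herrold's script and not part of rsync.  Assumes the stock file
# layout (optional global section, then one [module] section per export,
# "key = value" lines, '#' or ';' comment lines) and rsync's stock
# defaults: "read only" and "use chroot" default to yes, "uid" to nobody.
#
# usage: ./audit-rsyncd-conf.sh /etc/rsyncd.conf
#   prints one line per finding; exit 0 clean, 1 findings, 2 unreadable.
#   Without an argument it audits two constructed sample configs instead.

trim() { printf '%s' "$1" | sed 's/^[[:blank:]]*//; s/[[:blank:]]*$//'; }

_flag() { echo "[$module] $1"; findings=$((findings + 1)); }

# store a parameter in the global (g_) or current module (m_) slot;
# rsync compares parameter names ignoring case and blanks, so we do too
_set_param() {
    if [ -z "$module" ]; then p=g_; else p=m_; fi
    case $1 in
        readonly|usechroot|uid|hostsallow|secretsfile|authusers) eval "$p$1=\$2" ;;
    esac
}

_check_module() {
    [ -n "$module" ] || return 0
    case $(printf '%s' "$m_readonly" | tr 'A-Z' 'a-z') in
        yes|true|1) ;;
        *) _flag "read only = $m_readonly: clients could write into the export" ;;
    esac
    case $(printf '%s' "$m_usechroot" | tr 'A-Z' 'a-z') in
        yes|true|1) ;;
        *) _flag "use chroot = $m_usechroot: daemon is not confined to the module path" ;;
    esac
    case $m_uid in
        root|0) _flag "uid = $m_uid: transfers would run as root" ;;
    esac
    [ -n "$m_hostsallow" ] || _flag "no hosts allow: any client past iptables and wrappers is served"
    if [ -n "$m_authusers" ] && [ -z "$m_secretsfile" ]; then
        _flag "auth users set but no secrets file: the module cannot authenticate"
    fi
    if [ -n "$m_secretsfile" ]; then
        if [ ! -f "$m_secretsfile" ]; then
            _flag "secrets file $m_secretsfile does not exist"
        else
            # columns 5-10 of ls -l are the group and other permission bits
            perms=$(ls -ld "$m_secretsfile" | cut -c5-10)
            [ "$perms" = "------" ] ||
                _flag "secrets file $m_secretsfile is group/other readable (rsync's strict modes will refuse it)"
        fi
    fi
}

audit_rsyncd_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    findings=0; module=""
    g_readonly=yes; g_usechroot=yes; g_uid=nobody
    g_hostsallow=""; g_secretsfile=""; g_authusers=""
    while IFS= read -r raw || [ -n "$raw" ]; do
        line=$(trim "$raw")
        case $line in
            ''|\#*|\;*) continue ;;
            \[*\])
                _check_module            # close the previous module first
                module=${line#"["}; module=${module%"]"}
                # a new module starts from whatever the global section set
                m_readonly=$g_readonly; m_usechroot=$g_usechroot; m_uid=$g_uid
                m_hostsallow=$g_hostsallow; m_secretsfile=$g_secretsfile
                m_authusers=$g_authusers
                ;;
            *=*)
                key=$(printf '%s' "${line%%=*}" | tr -d '[:blank:]' | tr 'A-Z' 'a-z')
                _set_param "$key" "$(trim "${line#*=}")"
                ;;
        esac
    done < "$conf"
    _check_module
    [ "$findings" -eq 0 ]
}

# constructed sample configs for a stand-alone run (not from any real host)
write_samples() {
    cat > "$1/good.conf" <<'EOF'
log file = /var/log/rsyncd.log
[trap64]
path = /var/ftp/pub/local
uid = nobody
read only = yes
hosts allow = 10.0.0.0/24 127.0.0.0/24
hosts deny = 0.0.0.0/0
EOF
    cat > "$1/bad.conf" <<'EOF'
use chroot = no
[upload]
path = /srv/incoming
Read Only = no
uid = root
auth users = builder
EOF
}

if [ -n "${1-}" ]; then
    audit_rsyncd_conf "$1"
else
    d=$(mktemp -d)
    write_samples "$d"
    for f in "$d/good.conf" "$d/bad.conf"; do
        echo "== $f"; audit_rsyncd_conf "$f" && echo "clean"
    done
    rm -rf "$d"
fi
```

Run it against the live file (`./audit-rsyncd-conf.sh /etc/rsyncd.conf`) after editing step 3, and again whenever a module is added. Keep in mind that a client has to get past all three layers in the checklist: the iptables rule (-s 10.0.0.0/8), the wrappers line (ALL@10.0.0.0/255.0.0.0) and the module's own hosts allow (10.0.0.0/24 127.0.0.0/24 above), so the narrowest of the three is what finally decides who is served; this script only looks at the last of them.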

Earlier in this series:

  Function     Link
  hardening    http://www.pmman.com/usage/hardening/
  lftp         http://orcorc.blogspot.com/2010/08/mirroring-upstream-master-with-lftp-to.html
  RO vsftpd    http://orcorc.blogspot.com/2010/07/checklist-ro-ftp-server-setup.html
  RO NFS       http://orcorc.blogspot.com/2010/08/nfs-aide-to-memory.html