Re: rsync backup



Tim Southerwood wrote:
> Mark Shroyer coughed up some electrons that declared:
>
>> This still leaves him tunneling TCP over TCP, though, which he says
>> is something he'd like to avoid. Having Rsync use SSH as a sort of
>> transport layer instead of tunneled TCP (using the --rsh parameter)
>> is a better approach from the networking point of view.
>
> Hi Mark,
>
> Although it's giving me brain cancer to think about it, I'm not convinced
> that rsync over an ssh tunnel is in the same category as TCP over a PPP VPN
> over SSH.
>
> On balance though, my solution is, I believe, one of the best from the
> security POV (it avoids all of the ssh-as-root nastiness), which would lead
> me, if it were my problem, to live with the networking issues and try to
> tune them down by adjusting the TCP stack at my end, or if necessary, both
> ends, or get the customer to fix their broken (IMHO) router.

Amen. I *think* I solved the problem by changing to a UDP-based VPN from their end. (They can connect out using UDP, but the router won't forward incoming UDP connections - yes, it's broken - but it came free from their ISP.)

At least preliminary testing shows it's working. :-)

--Yan