Name in API: service_rsync
Breach Risk: Medium
Factor: Network Security
Summary
rsync is a utility commonly used for file transfers and backups across systems. When exposed to the public internet without proper security configurations, rsync can be a significant security risk. Attackers may exploit open rsync ports to enumerate or extract sensitive files from a system.
How does it work?
rsync uses TCP port 873 by default and facilitates efficient synchronization of files between systems. It compares files on the source and destination, transferring only the differences, which makes it popular for backups and replication.
Typical use cases:
- Incremental backups
- Data mirroring between servers
- Scripted or automated file transfers
graph TD
A[Start: External Scan] --> B{Is port 873 open?}
B -- No --> C[No rsync exposure]
B -- Yes --> D{Does server respond to rsync query?}
D -- No --> E[False positive or protected rsync]
D -- Yes --> F{Are rsync modules publicly listed?}
F -- No --> G[Limited exposure]
F -- Yes --> H[Confirmed rsync exposure]
H --> I{Modules contain sensitive info?}
I -- Yes --> J[Risk: Data exposure]
I -- No --> K[Risk: Recon potential]
Why it is a risk?
When rsync is:
- Publicly accessible (i.e., open port 873 on the internet)
- Misconfigured (e.g., lacks authentication or exposes sensitive directories)
- …it can be enumerated by attackers, allowing them to:
- View available modules (directories or files shared via rsync)
- Potentially download sensitive data
- Identify server structure or user information
- Use the information for lateral movement or data theft
Notable Risks:
- Data exposure without authentication
- Reconnaissance for broader attacks
- Unintended information disclosure
Self Evaluation
198.51.100.24 (for demonstration purposes only)(for demonstration purposes only)
Command to Test for rsync Exposure
nmap -p 873 --script rsync-list-modules 198.51.100.24
Note: This command checks for rsync modules exposed on port 873, which is the default rsync port. It simulates how SecurityScorecard detects rsync services that are open to the public internet.
đź“‹ Sample Output
Starting NmStarting Nmap 7.94 ( https://nmap.org ) at 2025-07-03 11:00 UTC Nmap scan report for 198.51.100.24 Host is up (0.040s latency). PORT STATE SERVICE 873/tcp open rsync Host script results: | rsync-list-modules: | files | backup | media |_ documents
What This Means
- Port 873 is open, indicating that the rsync service is publicly reachable.
- The server responds with a list of available rsync modules (
files,backup, etc.), which may potentially expose directory structures or allow unauthenticated data syncs if misconfigured. - This kind of exposure is considered a security risk, especially if no access controls or restrictions are in place.
How to Mitigate
If your organization is running an rsync service, it’s important to ensure it’s not unintentionally exposed to the public internet. Here are some practical steps you can take to reduce the risk:
- Disable rsync if it’s not needed
The simplest and most effective way to eliminate exposure is to turn off the service altogether if it's not actively in use. - Limit access to trusted networks
If rsync is required, make sure it's only accessible from within your internal network or through secure channels like a VPN. Avoid leaving it open to the public internet. - Use secure alternatives
Instead of exposing rsync directly, consider running it over an encrypted connection such as SSH. This adds a layer of protection and helps prevent unauthorized access. - Review and tighten configuration settings
Check your rsync configuration to ensure it’s not allowing anonymous access or exposing directories that contain sensitive information. Set up user authentication and restrict which systems can connect. - Regularly monitor for unintended exposure
Periodically scan your network to confirm that rsync services aren’t being publicly exposed. It’s a good idea to include this in your routine security checks. - Enable logging and review activity
Make sure logging is turned on for the rsync service and regularly review the logs for any unusual or unauthorized access attempts.
Remediation
Endpoint configuration has been changed
- Select the finding => other resolution => I can not reproduce this issue and i think it's incorrect
- Select the finding => Report As Fixed