Hi there, hope that's the right category, otherwise please move.
I have been trying to understand the implications of what Tom says here in his video:
I am wondering about what this means for security, as he says any device on the network. Okay I can limit it to a certain host. I would guess that the IP/MAC could be spoofed. Meaning the data could be read? Later at minute 6:54 he repeats there is not really any security on this, as it is only filtering on the IP.
So I am wondering is there any way to secure this, or should I only transfer non-confidential information?
A quick Claude consulting suggested to use SSH. So I guess rsync in general could be secured, looking at the suggested way by Tom in the video does not provide the SSH option?
I think Tom is really emphasizing the rsync IP restriction versus other methods (like SSH as you noted where you can secure via user ID and password or even SSL certificates on both client/source and server/target). I use rsync on a Synology (source) syncing to a remote Synology (target). My source and destination networks connect over a WireGuard VPN (1st layer of security). The rsync profile (documented well on the Synology wiki) further allows you to restrict the job to IP address and UID/GID on the target share. For me, that felt secure enough. When the data is at rest, Synology security is adequate to restrict direct access via whatever security you use for GUI to DSM or SSH to the target. I would not worry about the “stronger” protocols for transfer as long as you are well hardened for the access to the data at rest.
Despite the many Synology-to-Synology transfer options available, I actually found rsync, with task-specific triggering and rsync profiles, to work the best for my use case.
This comes down to risk tolerance. How likely is it that someone would put the effort in to figure out the IP / MAC of the system that the rule is restricted to, disable the IP of that system to avoid the conflict and spoof it with another system to get the data? For me, that risk feels low, but if you are tasked with holding some data that people want badly enough, then maybe consider more secure measures.
Thanks guys for confirming! @LTS_Tom You are right, the effort would be high. On the other hand my nightmare is identity theft, and I am trying to avoid this at all cost.
On another note: Thanks for all your videos. Really like them, as they are helpful and provide a narrative (e.g. on passkeys bypassing MFA).
A lot has already been said, and I’ll agree with Tom: it really comes down to your risk tolerance.
One thing worth pointing out, though: besides authentication security (which you could, at least in theory, make reasonably secure when using rsync in daemon mode — assuming the TrueNAS and Synology implementations do that), transmission in daemon mode is generally unencrypted. In theory, I think you can wrap SSL/TLS around it, but I have no idea if TrueNAS and/or Synology actually do that. If they do, then the transfer would be encrypted as well, but the complexity increases, and so does the risk of security vulnerabilities in the implementation.
Bottom line: if it’s going over the internet, I would definitely prefer SSH with key-based authentication. If it’s just between two boxes on the LAN, it depends.
Btw, as a general note: with a poorly implemented daemon, even SSH without keys and with Password123*$ would be more secure.
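Added example, not posted by anyone in this thread: a small check for the situation discussed above, listing the rsync daemon modules in an `rsyncd.conf` that have no `auth users` line and are therefore protected by the `hosts allow` IP filter at most. The sample config, its paths, address and user name are constructed for illustration, and the function names are made up.

```shell
#!/bin/sh
# Added example: flag rsyncd.conf modules that have no "auth users" line,
# i.e. modules protected by the "hosts allow" IP filter at most.

sample_conf() {   # constructed config; paths, address and user are made up
cat <<'EOF'
# constructed sample config
[backup]
path = /volume1/backup
hosts allow = 192.168.10.20

[photos]
path = /volume1/photos
hosts allow = 192.168.10.20
auth users = syncuser
secrets file = /etc/rsyncd.secrets

[public]
path = /srv/pub
EOF
}

audit_rsyncd() {  # reads rsyncd.conf on stdin, prints one line per weak module
awk '
function report() {
    if (module != "" && auth == "")
        printf "%s: no auth users, %s\n", module,
               (hosts == "" ? "open to any host" : "hosts allow only")
}
/^[ \t]*#/ || /^[ \t]*$/ { next }              # skip comments and blank lines
/^[ \t]*\[.*\][ \t]*$/ {                       # module header: close previous one
    report()
    module = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", module)
    auth = gauth; hosts = ghosts               # inherit global-section defaults
    next
}
{
    eq = index($0, "="); if (eq == 0) next
    key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
    val = substr($0, eq + 1);             gsub(/^[ \t]+|[ \t]+$/, "", val)
    if (key == "authusers")  { if (module == "") gauth = val;  else auth = val }
    if (key == "hostsallow") { if (module == "") ghosts = val; else hosts = val }
}
END { report() }'
}

sample_conf | audit_rsyncd
```

A module that passes this check still sends its data unencrypted in daemon mode, so the check covers authentication only, not the transport.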