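; stunnel.conf for tunnelling rsync over TLS in inetd/xinetd mode.
; Global options only: there is no [service] section because inetd mode
; has a single connect and no accept rule (see the notes further down).
; Keep comments on their own line at column 0 — text appended after a
; value is not reliably stripped by stunnel's parser and ends up in the
; value (the original "curve" line had this problem).

sslVersion = TLSv1.2
FIPS = no
; the two NO_SSLv* options are redundant once sslVersion pins TLSv1.2
; options = NO_SSLv2
; options = NO_SSLv3
options = SINGLE_DH_USE
options = SINGLE_ECDH_USE
options = CIPHER_SERVER_PREFERENCE
syslog = yes
; log level 0-7; 7 is the most verbose (debug) and is noisy in production
debug = 7
chroot = /var/empty
setuid = nobody
setgid = nobody
; use secp384r1 for www services
curve = secp521r1

; Under inetd mode, there are no accept rules or service definitions, just a connect.

; Server:
; cert = /etc/pki/tls/certs/stunnel.pem
; connect = 127.0.0.1:rsync
; exec = /usr/bin/rsync
; this only works if you disable chroot/nobody/privsep
;execargs = /usr/bin/rsync --daemon --config=/etc/rsync.conf

; Client:
client = yes
connect = your.server.com:rsync-ssl
; NOTE(review): no "verify"/"CAfile" is set, so this client does not
; validate the server's certificate. To require a trusted chain, set
; (path is a placeholder — point it at the CA that signed the server cert):
;verify = 2
;CAfile = /PLACEHOLDER/path/to/ca.pem

; best-practice ciphers https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
ciphers = ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS

;# grep ^rsync /etc/services
;rsync 873/tcp # rsync
;rsync 873/udp # rsync
;rsync-ssl 874/tcp # rsync over ssl (I made this one up)

;# cat /etc/xinetd.d/rsync-ssl
;service rsync-ssl
;{
; disable = no
; socket_type = stream
; wait = no
; user = root
; only_from = 1.2.3.4 5.6.7.8
; server = /usr/sbin/stunnel
; server_args = /etc/stunnel/rsync-ssl.conf
;}

;# cat /etc/rsync.conf
;#motd = /etc/rsync.motd
;use chroot = yes
;uid = 0
;gid = 0
;
;[module-share]
; path = /your/module/path
; comment = foobar
; hosts allow = 127.0.0.1
; read only = true

;# cd /treetop; rsync -v --archive --perms --owner --group --numeric-ids --force --delete --recursive 127.0.0.1::module-share .
;receiving incremental file list
;foo/bar.log
;
;sent 257534 bytes received 3012412 bytes 225513.52 bytes/sec
;total size is 3466069924 speedup is 1059.98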