Scanning and Securing Rsync with Nmap

Rsync answered Nmap’s knock without hesitation.

When Nmap scans for running services, it can detect Rsync on TCP port 873. If misconfigured, that Rsync daemon can leak file lists, code repositories, or production assets to anyone who asks. This is not theory. Many exposed Rsync instances are found every week on public networks, often with anonymous read access.

To check for Rsync, run:

nmap -p 873 --script rsync-info <target>

This script identifies the Rsync version and available modules. If you see unprotected modules, it means the server shares data without authentication. Attackers can use the same simple commands to mirror entire directories.

Combine Nmap with rsync itself to probe deeper:

rsync rsync://<target>/<module>

If files start listing, your Rsync is exposed. From there, a penetration test may reveal sensitive paths, codebases, or backups.

Securing Rsync starts with disabling anonymous access, enforcing strong authentication, and binding to internal interfaces only. Use firewall rules to limit port 873 to trusted IPs. Keep the daemon updated to patch vulnerabilities.

Nmap plus Rsync is a fast combination for both security testing and exploitation. If you run network-facing Rsync, assume it will be found—scan it before someone else does.

Want to see scanning, detection, and secure configuration in action? Deploy a safe, live environment in minutes at hoop.dev and run it yourself.