most secure "rsync + ssh" setup , possibly for backups

This instructions are for a setup that pushes data (such as backups) from a localhost to a serverhost, using rsync in daemon mode, but tunneled inside an SSH connection, and making sure that if someone hacks into the localhost, they will not be able to use the backup machinery to hack into the serverhost. Note, all following commands should be executed as "root" user, or prepended by the "sudo" command.

Prepare serverhost

In the serverhost, create the script /usr/local/sbin/rsyncd_wrapper with the following content
#!/usr/bin/python
import sys, os, subprocess, string
if len(sys.argv) != 3 or sys.argv[1] != '-c' :
  print 'NO! ', repr(sys.argv)
  sys.exit(1)
a=string.split(sys.argv[2],' ')
if len(a) != 4 or a[0] != 'rsync' or \
    a[1] != '--server' or a[2] != '--daemon' or a[3] != '.' :
  print 'NO!! ', repr(sys.argv)
  sys.exit(1)
a=['/usr/bin/rsync','--config','/home/rsyncd/rsyncd.conf']+a[1:]
subprocess.call(a)
and dont forget
serverhost# chmod +x /usr/local/sbin/rsyncd_wrapper
Create special system user
serverhost# adduser --system rsyncd
serverhost# su rsyncd -s /bin/sh -c 'ssh-keygen'
serverhost# usermod rsyncd -s /usr/local/sbin/rsyncd_wrapper
serverhost# su rsyncd -s /bin/sh -c 'touch ~/.hushlogin'
Create the config file /home/rsyncd/rsyncd.conf for rsyncd,
serverhost# cp -i /usr/share/doc/rsync/examples/rsyncd.conf ~rsyncd/
and edit it at taste; add one or more 'backup' module, optionally enforce passwords, etc etc (see man rsyncd.conf). Here is an example /home/rsyncd/rsyncd.conf.
# sample rsyncd.conf configuration file
# GLOBAL OPTIONS
log file=/home/rsyncd/rsyncd.log
pid file=/home/rsyncd/rsyncd.pid
# MODULE OPTIONS
[backup]
        comment = backup space
        path = /bigdisk/backups
        use chroot = no
# the default for read only is yes...
        read only = no
        ignore nonreadable = yes
        transfer logging = no
        refuse options = checksum
        dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz
        #for this , /bigdisk must be mounted with option user_xattr
        fake super = yes

Foreach localhost

On the localhost
localhost# ssh-keygen -f ~/.ssh/rsyncd
Copy the key in the serverhost, e.g. copy/paste between terminals using
localhost# cat ~/.ssh/rsyncd.pub
serverhost# su rsyncd -s /bin/sh -c 'nano -w ~/.ssh/authorized_keys'
Test it
localhost# rsync  -e "ssh -l rsyncd -i /root/.ssh/rsyncd" serverhost::
it should return the list of available modules. Backup what you want to backup
localhost# rsync -ax -e "ssh -l rsyncd -i /root/.ssh/rsyncd" /home serverhost::backup/localhost/.
If it works fine, put the backup command in an executable file in /etc/cron.daily/.

Why is this secure

IMHO this is quite secure, since the server part of the backups is the rsync daemon; the rsync daemon is a service that is worldwide offered on unprotected TCP/IP ports, and I would consider this to be quite secure; in my implementation moreover the rsync daemon is not listening on any public TCP/IP port, so it is quite protected. The other tool used is ssh with pub/private keys, enough said.
If someone hacks in the localhost, s/he may use the ssh key to open the connection to the serverhost, but all they would gain would be access to a rsync daemon; so the most damage they may do would be to the backupped files.

multiple local host backups

There are two layers of authentication, first layer by the ssh key, second possible layer by a rsync username/password. This method may be used to give backup access to multiple hosts, and/or to different users in the hosts. By setting multiple modules with username/passwords in /home/rsyncd/rsyncd.conf, the different backups may be isolated one from the others.

further developments

By adding the setuid/setgid permissions to the script /usr/local/sbin/rsyncd_wrapper, and changing the script a bit, then the rsync daemon may run as root, and so it may chroot; I have no idea if this would make it all more secure, or less secure.

Other sources

I read some people ideas before developing my own. Some random comments.
Valid HTML 4.01 Transitional