Port 873 (TCP) – rsync daemon

rsync daemon — native rsync protocol for module-based file synchronization.

tcp · Well-known · Commonly attacked

Default state

Open only where rsyncd is run as a service (mirrors, backups). Frequently misconfigured with anonymous, world-readable modules.

Common attacks

  • Anonymous module enumeration and download (data exfiltration)
  • Writable modules abused to upload or overwrite files
  • Cleartext credential and data interception over the network
  • Path traversal / module misconfiguration exposing the filesystem

Hardening

  • Require auth (auth users + secrets file); disable anonymous access
  • Set 'read only = yes' and tightly scope each module's path
  • Bind to a management interface and firewall TCP 873 from the internet
  • Prefer rsync over SSH (port 22) instead of the standalone daemon
  • Use 'hosts allow'/'hosts deny' and keep rsync patched

nmap snippet

nmap -p873 --script rsync-list-modules <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 873?

Port 873 is the rsync daemon (rsyncd), which serves files over rsync's native protocol using named modules that map to directories. It is widely used to run public mirrors, push backups, and synchronize content between servers, since rsync transfers only the changed parts of files. Unlike rsync-over-SSH, the standalone daemon listens directly on TCP 873.

Why it matters for security

The native daemon protocol is cleartext and its authentication is optional and weak — a shared secrets file at best. The most common failure is a module left anonymous and world-readable, so anyone who reaches port 873 can list it and download everything inside, which is a frequent cause of accidental data leaks. A module configured writable is worse: it lets attackers upload or overwrite files, potentially tampering with mirrored software or backups.

How it's attacked

Attackers scan TCP 873 and enumerate modules, then download their contents for data exfiltration. Writable modules are abused to plant or overwrite files. On the network, the cleartext protocol exposes any credentials and data to interception, and misconfigured module paths can expose far more of the filesystem than intended.

Hardening checklist

Require authentication with auth users and a protected secrets file, and disable anonymous access. Set read only = yes and scope each module's path tightly; avoid writable modules. Bind the daemon to a management interface and firewall TCP 873 from the internet, and use hosts allow/hosts deny. Where possible, prefer rsync over SSH (port 22) for encryption and strong auth. The nmap snippet above lists exposed modules on a host you are authorized to test.
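
An audit of an rsyncd.conf against the checklist above, as an added example that is not part of the original page or of rsync itself. The function names, finding labels and sample configuration are constructed for illustration; it reads only plain name = value lines and does not follow include directives or line continuations.

```python
import re

TRUE = {"yes", "true", "1"}  # boolean spellings rsyncd.conf accepts as "on"

def parse(text):
    """Return (globals, {module: params}) from simple 'name = value' lines."""
    glob, mods, cur = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            cur = mods.setdefault(section.group(1).strip(), {})
        elif "=" in line and not line.startswith("#"):
            key, val = line.split("=", 1)
            # rsyncd ignores whitespace in names; lower-casing is this example's assumption
            key = re.sub(r"\s+", "", key).lower()
            (glob if cur is None else cur)[key] = val.strip()
    return glob, mods

# (finding label, predicate over a module's effective settings)
CHECKS = [
    ("anonymous", lambda e: not e.get("authusers")),
    ("auth users without secrets file", lambda e: e.get("authusers") and not e.get("secretsfile")),
    ("writable", lambda e: e.get("readonly", "yes").lower() not in TRUE),  # default is yes
    ("no hosts allow", lambda e: not e.get("hostsallow")),
    ("path is / or unset", lambda e: not e.get("path", "").rstrip("/")),
]

def audit(text):
    """Map each module to its findings; module settings override global ones."""
    glob, mods = parse(text)
    return {name: [label for label, bad in CHECKS if bad({**glob, **p})]
            for name, p in mods.items()}

# Constructed sample config, not taken from any real host.
SAMPLE = """
address = 192.0.2.10
[mirror]
path = /srv/mirror
[backups]
path = /
read only = no
[configs]
path = /srv/configs
auth users = backup
secrets file = /etc/rsyncd.secrets
hosts allow = 10.0.0.0/24
"""
```

Calling audit(SAMPLE) returns a dictionary keyed by module name; a module with an empty list raised none of the five findings.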

Frequently asked questions

Is the rsync daemon on port 873 encrypted?
No. The native rsync daemon protocol on TCP 873 is cleartext with weak optional auth. For confidentiality and strong auth, run rsync over SSH (port 22) instead.

Why are anonymous rsync modules dangerous?
An anonymous, world-readable module lets anyone who reaches port 873 list and download its files — a common cause of accidental data exposure on public mirrors.