How to configure an rsync daemon module

An rsync daemon module exposes one server-side directory as a named endpoint such as rsync://mirror.example.com/public/. That gives LAN clients a pull target for mirrors, package caches, or release files without giving those clients shell accounts on the server.

In daemon mode, rsync reads /etc/rsyncd.conf and maps each bracketed module name to a filesystem path. The packaged rsync.service on Debian and Ubuntu starts rsync --daemon --no-detach only after /etc/rsyncd.conf exists, so that file is the active systemd configuration surface.

A read-only module named public can limit access to a client network and still prove access through both a module listing and a real download. Native rsync daemon traffic is not SSH-encrypted, so keep TCP port 873 on trusted networks, behind a VPN, or behind an authenticated module design.

Related: How to copy files over SSH with rsync
Related: How to limit rsync bandwidth during a transfer

Steps to configure an rsync daemon module:

  1. Install the rsync package on the server if it is not already installed. 
    $ sudo apt install rsync
  2. Create the directory that the daemon module will publish. 
    $ sudo mkdir -p /srv/rsync/public
  3. Add or copy the files that clients should be able to pull into the module directory. 
    $ sudoedit /srv/rsync/public/release.txt
    /srv/rsync/public/release.txt
release 2026.06

    The client smoke test uses one readable file named release.txt. For a real mirror, copy the files that clients should receive into the same directory tree.

  4. Open the daemon configuration file. 
    $ sudoedit /etc/rsyncd.conf
  5. Define a read-only module for the published directory. 
    /etc/rsyncd.conf
[public]
    path = /srv/rsync/public
    comment = Public file distribution
    read only = yes
    list = yes
    uid = nobody
    gid = nogroup
    use chroot = yes
    hosts allow = 192.0.2.0/24 127.0.0.1
    hosts deny = *
    Setting Purpose
    [public] Names the module that clients use in rsync://mirror.example.com/public/.
    path Points the module at the server-side directory to publish.
    read only Allows clients to download without uploading into the module.
    list Shows the module when clients request the daemon's module list.
    uid / gid Runs file access as a low-privilege account after the daemon accepts the connection.
    hosts allow / hosts deny Limits which client addresses may connect to this module.

    Replace 192.0.2.0/24 with the client network that should reach the module. Leave hosts deny = * in place when the module should be closed to every other source address.

  6. Allow TCP port 873 from the client network if a host firewall is enabled. 
    $ sudo ufw allow from 192.0.2.0/24 to any port 873 proto tcp

    Use the firewall tool that manages the server. The ufw command is only the common Ubuntu example.

  7. Start and enable the rsync daemon service. 
    $ sudo systemctl enable --now rsync

    On current Debian and Ubuntu systems, /etc/default/rsync is for init.d systems and does not enable the systemd service.

  8. Confirm the service is running with the packaged daemon command. 
    $ systemctl status rsync
● rsync.service - fast remote file copy program daemon
     Loaded: loaded (/usr/lib/systemd/system/rsync.service; enabled; preset: enabled)
     Active: active (running) since Sat 2026-06-06 03:55:20 UTC; 8s ago
   Main PID: 1842 (rsync)
      Tasks: 1 (limit: 4652)
     Memory: 684.0K
        CPU: 12ms
     CGroup: /system.slice/rsync.service
             └─1842 /usr/bin/rsync --daemon --no-detach

    If the service fails immediately, inspect journalctl -u rsync for a configuration, permission, or port-binding error.

  9. List the daemon modules from a client that is allowed by hosts allow. 
    $ rsync rsync://mirror.example.com/
public          Public file distribution
  10. Pull the module contents into a temporary client directory. 
    $ rsync -av rsync://mirror.example.com/public/ ./public-test/
receiving incremental file list
created directory ./public-test
release.txt

sent 43 bytes  received 160 bytes  406.00 bytes/sec
total size is 16  speedup is 0.08

    The trailing slash after public/ copies the module contents into ./public-test/ instead of creating another directory level.

  11. Read the copied test file to confirm the client received module content. 
    $ cat ./public-test/release.txt
release 2026.06
  12. Remove the temporary client test copy after verification. 
    $ rm -rf ./public-test