An rsync daemon module exposes one server-side directory as a named endpoint such as rsync://mirror.example.com/public/. That gives LAN clients a pull target for mirrors, package caches, or release files without giving those clients shell accounts on the server.
In daemon mode, rsync reads /etc/rsyncd.conf and maps each bracketed module name to a filesystem path. The packaged rsync.service on Debian and Ubuntu starts rsync --daemon --no-detach only after /etc/rsyncd.conf exists, so that file is the active systemd configuration surface.
A read-only module named public can be limited to a client network and then verified from an allowed client with both a module listing and a real download. Native rsync daemon traffic is not SSH-encrypted, so keep TCP port 873 on trusted networks, behind a VPN, or behind an authenticated module design.
Steps to configure an rsync daemon module:
- Install the rsync package on the server if it is not already installed.
$ sudo apt install rsync
- Create the directory that the daemon module will publish.
$ sudo mkdir -p /srv/rsync/public
- Add or copy the files that clients should be able to pull into the module directory.
$ sudoedit /srv/rsync/public/release.txt
/srv/rsync/public/release.txt
release 2026.06
The client smoke test uses one readable file named release.txt. For a real mirror, copy the files that clients should receive into the same directory tree.
- Open the daemon configuration file.
$ sudoedit /etc/rsyncd.conf
- Define a read-only module for the published directory.
/etc/rsyncd.conf
[public]
path = /srv/rsync/public
comment = Public file distribution
read only = yes
list = yes
uid = nobody
gid = nogroup
use chroot = yes
hosts allow = 192.0.2.0/24 127.0.0.1
hosts deny = *

| Setting | Purpose |
| --- | --- |
| [public] | Names the module that clients use in rsync://mirror.example.com/public/. |
| path | Points the module at the server-side directory to publish. |
| read only | Allows clients to download without uploading into the module. |
| list | Shows the module when clients request the daemon's module list. |
| uid / gid | Runs file access as a low-privilege account after the daemon accepts the connection. |
| hosts allow / hosts deny | Limits which client addresses may connect to this module. |

Replace 192.0.2.0/24 with the client network that should reach the module. Leave hosts deny = * in place when the module should be closed to every other source address.
- Allow TCP port 873 from the client network if a host firewall is enabled.
$ sudo ufw allow from 192.0.2.0/24 to any port 873 proto tcp
Use the firewall tool that manages the server. The ufw command is only the common Ubuntu example.
- Start and enable the rsync daemon service.
$ sudo systemctl enable --now rsync
On current Debian and Ubuntu systems, /etc/default/rsync is for init.d systems and does not enable the systemd service.
- Confirm the service is running with the packaged daemon command.
$ systemctl status rsync
● rsync.service - fast remote file copy program daemon
     Loaded: loaded (/usr/lib/systemd/system/rsync.service; enabled; preset: enabled)
     Active: active (running) since Sat 2026-06-06 03:55:20 UTC; 8s ago
   Main PID: 1842 (rsync)
      Tasks: 1 (limit: 4652)
     Memory: 684.0K
        CPU: 12ms
     CGroup: /system.slice/rsync.service
             └─1842 /usr/bin/rsync --daemon --no-detach
If the service fails immediately, inspect journalctl -u rsync for a configuration, permission, or port-binding error.
- List the daemon modules from a client that is allowed by hosts allow.
$ rsync rsync://mirror.example.com/
public          Public file distribution
- Pull the module contents into a temporary client directory.
$ rsync -av rsync://mirror.example.com/public/ ./public-test/
receiving incremental file list
created directory ./public-test
release.txt

sent 43 bytes  received 160 bytes  406.00 bytes/sec
total size is 16  speedup is 0.08
The trailing slash after public/ copies the module contents into ./public-test/ instead of creating another directory level.
- Read the copied test file to confirm the client received module content.
$ cat ./public-test/release.txt
release 2026.06
- Remove the temporary client test copy after verification.
$ rm -rf ./public-test
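The module settings from the configuration step can be checked mechanically before the daemon is restarted. The following Python sketch is an added example, not part of the original guide or of rsync itself: it parses rsyncd.conf text and flags modules that drift from the [public] settings above. The [incoming] module, the function names, and the finding messages are hypothetical.

```python
import re

TRUE = {"yes", "true", "1"}

def parse_rsyncd_conf(text):
    """Return (global_params, {module: params}) from rsyncd.conf text."""
    globals_, modules, current = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        section = re.fullmatch(r"\[(.+)\]", line)
        name, sep, value = line.partition("=")  # only the first "=" counts
        if section:
            current = modules.setdefault(section.group(1).strip(), {})
        elif sep and not line.startswith("#"):
            key = "".join(name.lower().split())  # rsync ignores case/spaces in names
            (globals_ if current is None else current)[key] = value.strip()
    return globals_, modules

def audit(text):
    """Return {module: [findings]} for the hardening settings this page uses."""
    globals_, modules = parse_rsyncd_conf(text)
    report = {}
    for mod, params in modules.items():
        eff = {**globals_, **params}  # a module value overrides the global one
        allow = eff.get("hostsallow")
        deny = eff.get("hostsdeny", "").replace(",", " ").split()
        checks = [  # unset "read only" / "use chroot" are treated as enabled
            (eff.get("readonly", "yes").lower() not in TRUE, "read only is off"),
            (eff.get("usechroot", "yes").lower() not in TRUE, "use chroot is off"),
            (eff.get("uid", "").lower() in {"root", "0"}, "file access runs as root"),
            (not allow, "no hosts allow: any address may connect"),
            (allow and deny and "*" not in deny, "hosts deny is not *"),
        ]
        report[mod] = [msg for bad, msg in checks if bad]
    return report

# Constructed sample: the page's [public] module plus a hypothetical weak [incoming].
SAMPLE = """
[public]
read only = yes
uid = nobody
use chroot = yes
hosts allow = 192.0.2.0/24 127.0.0.1
hosts deny = *
[incoming]
read only = no
uid = root
use chroot = no
"""
if __name__ == "__main__": print(audit(SAMPLE))
```

When both hosts allow and hosts deny are set, rsync admits an address that matches neither list, which is why the check expects * in hosts deny. On the server, pass the contents of /etc/rsyncd.conf to audit() instead of the sample.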
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.