9.1 Ensure the TimeOut Is Set Properly

Information

The 'TimeOut' directive controls the maximum time in seconds that Apache HTTP server will wait for an Input/Output call to complete. It is recommended that the 'TimeOut' directive be set to '10' or less.

Rationale:

One common technique for DoS is to initiate many connections to the server. By decreasing the timeout for old connections, the server can free resources more quickly and be more responsive. By making the server more efficient, it will be more resilient to DoS conditions.

**Important Notice**: There is a slow form of DoS attack not adequately mitigated by these control, such as the Slow Loris DoS attack of June 2009 [http://ha.ckers.org/slowloris/](http://ha.ckers.org/slowloris/). Upgrading to Apache 2.4 is recommended.

Solution

Perform the following to implement the recommended state:

Add or modify the 'Timeout' directive in the Apache configuration files to have a value of '10' seconds or less.

Timeout 10

See Also

https://workbench.cisecurity.org/files/2378

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv6|9, CSCv7|5.1

Plugin: Unix

Control ID: 525dff905a058964ccb05888079a091caca7b82336bef1b70a00ef9a3d1d30e7