5.2.4 Ensure the number of connections per IP address is limited

Information

The maximum number of simultaneous connections allowed from a single IP address to your server should be limited. It should be set to a value that meets your organizational policies.

Rationale:

Limiting the number of simultaneous connections is an effective way to prevent slow denial of service attacks that try to use as many server resources as possible. This can also help prevent brute force attacks on a login page.

Impact:

Users of your system that are behind a corporate web proxy using network address translation or a proxy service such as tor may have an increased chance of being blocked due to this configuration. This is because multiple users in these scenarios come from the same IP address. You should always consider your user base when setting a connection limit.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Implement the below directives under the HTTP and server blocks of your nginx configuration or any include files. The below configuration creates a memory zone of 10 megabytes called limitperip. It will limit the number of connections per IP address to 10 simultaneous connections. The number of simultaneous connections to allow may be different depending on your organization's policies and use cases.

http {
limit_conn_zone $binary_remote_addr zone=limitperip:10m;
server {
limit_conn limitperip 10;
}
}

Default Value:

This value is not set by default.

See Also

https://workbench.cisecurity.org/benchmarks/17381

Item Details

Category: SYSTEM AND SERVICES ACQUISITION

References: 800-53|SA-3, CSCv7|18.1

Plugin: Unix

Control ID: c780ba7a879acfe09e8816b7ac70cb731d8ef74fdb43a972dff9d324a653d38f