NGINX must protect against denial-of-service (DoS) attacks.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-278404	SRG-APP-000435	NGNX-APP-001940	SV-278404r1171964_rule	2026-01-07	1

Description
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. This requirement addresses the configuration of applications to mitigate the impact of DoS attacks that have occurred or are ongoing on application availability. For each application, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or restricting the number of sessions the application opens at one time). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks. Satisfies: SRG-APP-000435, SRG-APP-000247

Description

DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. This requirement addresses the configuration of applications to mitigate the impact of DoS attacks that have occurred or are ongoing on application availability. For each application, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or restricting the number of sessions the application opens at one time). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks. Satisfies: SRG-APP-000435, SRG-APP-000247

ℹ️ Check
Check for the "limit_req" or "limit_conn" directives in the NGINX configuration files: grep -R "limit_req\\|limit_conn" /etc/nginx/ Determine if NGINX App Protect is enabled: grep -R "app_protect_enable on" /etc/nginx/ If the "lmit_req" or "limit connections" are not present, this is a finding.

✔️ Fix
Define a connection limiting zone. Open the NGINX configuration file in a text editor: sudo nano /etc/nginx/nginx.conf Establish a shared memory zone to track and limit connections from each client. Add this directive above the server block in the nginx.conf: limit_conn_zone $binary_remote_addr zone=conn_limit_zone:10m; $binary_remote_addr: Uses the client's IP address for limiting. zone=conn_limit_zone:10m: Allocates 10MB of memory for tracking connections. Adjust size based on your needs. Apply connection limiting in the server block. Now, apply connection limiting to the desired location block. Inside the location block, add the connection limiting directive: nginx Copy code server { location / { limit_req zone=one burst=20 nodelay; limit_conn conn_limit_zone 10; proxy_pass http://backend; } } limit_conn conn_limit_zone 10: Limits the client to 10 concurrent connections. Save and exit the file. Restart NGINX: # nginx -s reload

✔️ Fix

Define a connection limiting zone. Open the NGINX configuration file in a text editor: sudo nano /etc/nginx/nginx.conf Establish a shared memory zone to track and limit connections from each client. Add this directive above the server block in the nginx.conf: limit_conn_zone $binary_remote_addr zone=conn_limit_zone:10m; $binary_remote_addr: Uses the client's IP address for limiting. zone=conn_limit_zone:10m: Allocates 10MB of memory for tracking connections. Adjust size based on your needs. Apply connection limiting in the server block. Now, apply connection limiting to the desired location block. Inside the location block, add the connection limiting directive: nginx Copy code server { location / { limit_req zone=one burst=20 nodelay; limit_conn conn_limit_zone 10; proxy_pass http://backend; } } limit_conn conn_limit_zone 10: Limits the client to 10 concurrent connections. Save and exit the file. Restart NGINX: # nginx -s reload