NixOS must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-268158	SRG-OS-000420-GPOS-00186	ANIX-00-001610	SV-268158r1039362_rule	2024-10-25	1

Description
Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.

Description

Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.

ℹ️ Check
Verify NixOS firewall enforces rate limits using the hashlimit module. $ sudo iptables -L \| grep limit nixos-fw-refuse tcp -- anywhere anywhere tcp dpt:ssh limit: above 1000000b/s mode srcip nixos-fw-refuse tcp -- anywhere anywhere tcp dpt:http limit: above 1000/min burst 5 mode srcip nixos-fw-refuse tcp -- anywhere anywhere tcp dpt:https limit: above 1000/min burst 5 mode srcip If the command does not produce any rate limiting rules, this is a finding.

ℹ️ Check

Verify NixOS firewall enforces rate limits using the hashlimit module. $ sudo iptables -L | grep limit nixos-fw-refuse tcp -- anywhere anywhere tcp dpt:ssh limit: above 1000000b/s mode srcip nixos-fw-refuse tcp -- anywhere anywhere tcp dpt:http limit: above 1000/min burst 5 mode srcip nixos-fw-refuse tcp -- anywhere anywhere tcp dpt:https limit: above 1000/min burst 5 mode srcip If the command does not produce any rate limiting rules, this is a finding.

✔️ Fix
Configure the NixOS firewall to enforce rate limits using the hashlimit module. For example, to limit SSH to 1 MB/s and to limit HTTP to 1000 connections / minute per IP, edit /etc/nixos/configuration.nix and add the following configuration settings: networking.firewall.enable = true; networking.firewall.extraCommands = '' ip46tables --append INPUT --protocol tcp --dport 22 --match hashlimit --hashlimit-name stig_byte_limit --hashlimit-mode srcip --hashlimit-above 1000000b/second --jump nixos-fw-refuse ip46tables --append INPUT --protocol tcp --dport 80 --match hashlimit --hashlimit-name stig_conn_limit --hashlimit-mode srcip --hashlimit-above 1000/minute --jump nixos-fw-refuse ip46tables --append INPUT --protocol tcp --dport 443 --match hashlimit --hashlimit-name stig_conn_limit --hashlimit-mode srcip --hashlimit-above 1000/minute --jump nixos-fw-refuse ''; Note: NixOS provides the helper script "ip46tables" to add rules using both "iptables" and "ip6tables". Rebuild the system with the following command: $ sudo nixos-rebuild switch

✔️ Fix

Configure the NixOS firewall to enforce rate limits using the hashlimit module. For example, to limit SSH to 1 MB/s and to limit HTTP to 1000 connections / minute per IP, edit /etc/nixos/configuration.nix and add the following configuration settings: networking.firewall.enable = true; networking.firewall.extraCommands = '' ip46tables --append INPUT --protocol tcp --dport 22 --match hashlimit --hashlimit-name stig_byte_limit --hashlimit-mode srcip --hashlimit-above 1000000b/second --jump nixos-fw-refuse ip46tables --append INPUT --protocol tcp --dport 80 --match hashlimit --hashlimit-name stig_conn_limit --hashlimit-mode srcip --hashlimit-above 1000/minute --jump nixos-fw-refuse ip46tables --append INPUT --protocol tcp --dport 443 --match hashlimit --hashlimit-name stig_conn_limit --hashlimit-mode srcip --hashlimit-above 1000/minute --jump nixos-fw-refuse ''; Note: NixOS provides the helper script "ip46tables" to add rules using both "iptables" and "ip6tables". Rebuild the system with the following command: $ sudo nixos-rebuild switch