Configure firewalld To Rate Limit Connections
An XCCDF Rule
Description
Create a direct firewall rule that rate-limits incoming TCP traffic, as a protection against DoS attacks, with the following command:
$ sudo firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m limit --limit 25/minute --limit-burst 100 -j INPUT_ZONES
Rationale
DoS is a condition in which a resource is unavailable to legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.

This requirement addresses the configuration of the operating system to mitigate the impact on system availability of DoS attacks that have occurred or are ongoing. For each system, known and potential DoS attacks must be identified and a solution for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.
ID: xccdf_org.ssgproject.content_rule_configure_firewalld_rate_limiting
Severity: Medium
Updated:
Remediation - Ansible
- name: Configure rate limiting direct rule for firewalld
  command: firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT_direct 0
    -p tcp -m limit --limit 25/minute --limit-burst 100 -j INPUT_ZONES
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-CM-6(a)
Remediation - Shell Script
# Remediation is applicable only in certain platforms (skipped inside containers)
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
    common_firewalld_ratelimit_args=(--direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m limit --limit 25/minute --limit-burst 100 -j INPUT_ZONES)
    # Offline mode (chroot or image build): this process's root differs from PID 1's root
    if test "$(stat -c %d:%i /)" != "$(stat -c %d:%i /proc/1/root/.)"; then
        firewall-offline-cmd "${common_firewalld_ratelimit_args[@]}"
    else
        firewall-cmd --permanent "${common_firewalld_ratelimit_args[@]}"
    fi
fi
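As an added audit helper (not part of the SSG content for this rule), the following POSIX shell functions parse the text printed by `firewall-cmd [--permanent] --direct --get-all-rules` and report whether the exact rule above is present, extracting the `--limit` value so a mismatched rate is distinguished from a missing rule. The function names and the sample rule listings are constructed for this example; only `audit_firewalld` needs a live firewalld.

```shell
#!/bin/sh
# Added audit helper: does firewalld's direct configuration contain the exact
# rate-limiting rule this XCCDF rule requires? Input is the text printed by
# `firewall-cmd [--permanent] --direct --get-all-rules`, one rule per line.
EXPECTED='ipv4 filter INPUT_direct 0 -p tcp -m limit --limit 25/minute --limit-burst 100 -j INPUT_ZONES'

# has_ratelimit_rule <rules-text>: exit 0 if one line equals EXPECTED after
# runs of whitespace are collapsed (firewalld may re-space a stored rule).
has_ratelimit_rule() {
    printf '%s\n' "$1" \
      | sed -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//' \
      | grep -qxF -- "$EXPECTED"
}

# input_direct_limit <rules-text>: print the --limit value of the first
# "-m limit" rule in INPUT_direct (empty if none), so a wrong value such as
# 50/minute is reported instead of a bare "missing".
input_direct_limit() {
    printf '%s\n' "$1" \
      | awk '$3 == "INPUT_direct" { for (i = 1; i < NF; i++) if ($i == "--limit") { print $(i+1); exit } }'
}

# audit_firewalld [--permanent]: run the check against the live host.
# Returns 0 when compliant, 1 when the rule is absent, 2 when firewalld is unavailable.
audit_firewalld() {
    rules="$(firewall-cmd "$@" --direct --get-all-rules 2>/dev/null)" || return 2
    has_ratelimit_rule "$rules"
}

# Constructed sample listings for offline use (not captured from a real host).
# SAMPLE_OK deliberately contains a doubled space to exercise the normalisation.
SAMPLE_OK='ipv4 filter INPUT_direct 0 -p tcp -m limit  --limit 25/minute --limit-burst 100 -j INPUT_ZONES
ipv4 filter INPUT_direct 1 -p tcp --dport 22 -j ACCEPT'
SAMPLE_WRONG='ipv4 filter INPUT_direct 0 -p tcp -m limit --limit 50/minute --limit-burst 100 -j INPUT_ZONES'
SAMPLE_NONE='ipv4 filter INPUT_direct 0 -p tcp --dport 22 -j ACCEPT'
```

Run `audit_firewalld --permanent` to check the stored configuration and `audit_firewalld` without arguments to check what is currently loaded; a rule present only in the permanent set has not taken effect.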