STIGhubSTIGhub
STIGsSearchCompareAbout

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • Compare Versions

Resources

  • About
  • VPAT
  • DISA STIG Library
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Anduril NixOS Security Technical Implementation Guide

V-268158

CAT II (Medium)

NixOS must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces.

Rule ID

SV-268158r1131121_rule

STIG

Anduril NixOS Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-002385

Discussion

Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.

Check Content

Verify NixOS firewall enforces rate limits using the hashlimit module.

$ sudo iptables -L | grep limit

nixos-fw-refuse tcp -- anywhere   anywhere   tcp dpt:ssh limit: above 1000000b/s mode srcip
nixos-fw-refuse tcp -- anywhere   anywhere   tcp dpt:http limit: above 1000/min burst 5 mode srcip
nixos-fw-refuse tcp -- anywhere   anywhere   tcp dpt:https limit: above 1000/min burst 5  mode srcip

If the command does not produce any rate limiting rules, this is a finding.

Fix Text

Configure the NixOS firewall to enforce rate limits using the hashlimit module.

For example, to limit SSH to 1 MB/s and to limit HTTP to 1000 connections / minute per IP, add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:

 networking.firewall.enable = true;
 networking.firewall.extraCommands = ''
  ip46tables --append INPUT --protocol tcp --dport 22 --match hashlimit --hashlimit-name stig_byte_limit --hashlimit-mode srcip --hashlimit-above 1000000b/second --jump nixos-fw-refuse
  ip46tables --append INPUT --protocol tcp --dport 80 --match hashlimit --hashlimit-name stig_conn_limit --hashlimit-mode srcip --hashlimit-above 1000/minute --jump nixos-fw-refuse
  ip46tables --append INPUT --protocol tcp --dport 443 --match hashlimit --hashlimit-name stig_conn_limit --hashlimit-mode srcip --hashlimit-above 1000/minute --jump nixos-fw-refuse
 '';

Note: NixOS provides the helper script "ip46tables" to add rules using both "iptables" and "ip6tables".

Rebuild and switch to the new NixOS configuration:
$ sudo nixos-rebuild switch