
Lighttpd must limit the number of simultaneous requests.


Overview

Finding ID: V-89219
Version: VRAU-LI-000005
Rule ID: SV-99869r1_rule
IA Controls:
Severity: Medium
Description
Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a web site, facilitating a denial of service attack. Mitigating this kind of attack will include limiting the number of concurrent HTTP/HTTPS requests. Lighttpd is used for administrative purposes only. Lighttpd provides the maxConnections attribute of the <Connector Elements> to limit the number of concurrent TCP connections.
STIG: VMware vRealize Automation 7.x Lighttpd Security Technical Implementation Guide
Date: 2018-10-12

Details

Check Text (C-88911r1_chk)
At the command prompt, execute the following command:

grep 'server.max-connections = 1024' /opt/vmware/etc/lighttpd/lighttpd.conf

If "server.max-connections" is not set to "1024", is commented out, or does not exist, this is a finding.
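
An added example, not part of the STIG text: the same check as a POSIX shell function that reports which of the three finding conditions applies. The literal grep above also prints a commented-out line or a value such as 10240, so the function evaluates only active assignments; the function name is hypothetical, and it inspects only the file it is given and does not follow include directives (an assumption of this example).

```shell
#!/bin/sh
# Added example (not from the STIG): evaluate server.max-connections in a
# lighttpd configuration file. Returns 0 when compliant, 1 when it is a finding.
# Usage: sh check.sh /opt/vmware/etc/lighttpd/lighttpd.conf
check_max_connections() {
    conf=$1
    required=${2:-1024}   # value required by the rule

    if [ ! -r "$conf" ]; then
        echo "FINDING: cannot read $conf"
        return 1
    fi

    # Keep only active (uncommented) assignments and extract the value,
    # tolerating any spacing around "=" and a trailing "# comment".
    values=$(sed -n 's/^[[:space:]]*server\.max-connections[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$conf")

    if [ -z "$values" ]; then
        # Distinguish "commented out" from "does not exist" for the report.
        if grep -Eq '^[[:space:]]*#.*server\.max-connections' "$conf"; then
            echo "FINDING: server.max-connections is commented out"
        else
            echo "FINDING: server.max-connections does not exist"
        fi
        return 1
    fi

    # Conservative choice: every active assignment must carry the required value.
    for v in $values; do
        if [ "$v" != "$required" ]; then
            echo "FINDING: server.max-connections = $v (expected $required)"
            return 1
        fi
    done

    echo "OK: server.max-connections = $required"
    return 0
}

# Run the check when a file is passed on the command line.
if [ "$#" -gt 0 ]; then
    check_max_connections "$@"
fi
```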
Fix Text (F-95961r1_fix)
Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf

Configure the "lighttpd.conf" file with the following value:

server.max-connections = 1024