Hardening our servers against Heartbleed

This weekend, a very serious OpenSSL vulnerability was published, sending system administrators all over the world scrambling to their consoles to update their systems so that they are no longer vulnerable.

For those less well-versed in system administration (like myself!), here's how to patch your system against Heartbleed:

  • As root, run apt-get update && apt-get dist-upgrade, and ensure that libssl1.0.0 is among the packages being upgraded:
root@server:~# apt-get dist-upgrade
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
The following NEW packages will be installed:
  ... truncated...
The following packages will be upgraded:
  ...
  libgnutls-openssl27 ... libssl1.0.0 ... openssl ...
105 upgraded, 20 newly installed, 0 to remove and 0 not upgraded.
Need to get 151 MB of archives.
After this operation, 218 MB of additional disk space will be used.
Do you want to continue [Y/n]? 
  • After upgrading, ensure that libssl1.0.0 is at this version or newer:
    • Ubuntu 13.10: 1.0.1e-3ubuntu1.2
    • Ubuntu 12.10: 1.0.1c-3ubuntu2.7
    • Ubuntu 12.04 LTS: 1.0.1-4ubuntu5.12
  • You can check by running apt-cache policy libssl1.0.0

You're not done yet!

After this, you have to ensure that any running services still using the old libssl library are restarted: a process that loaded the vulnerable library before the upgrade keeps that old copy mapped in memory, and the new package on disk does nothing for it until it is restarted.

The easiest way to do this is to just reboot your machine.

For advanced users, or those who would prefer not to restart, find all services still using the old SSL library by running lsof -n | grep ssl. Look for any entries marked DEL, which is how lsof flags a mapped file that has since been deleted (here, the old libssl replaced by the upgrade). Deal with them as necessary (restart the service, kill the process, etc.).

$ lsof -n | grep ssl
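An added example (not from the original post) of doing that last check without eyeballing the output: a small shell filter that picks out the DEL entries for libssl/libcrypto from `lsof -n` and lists the command name and PID of every process that still maps the old library. The sample lsof lines embedded below are constructed so the script runs offline; in practice you would pipe real `lsof -n` output into it as root.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Reads `lsof -n` output on stdin and prints "COMMAND PID" for each process
# whose memory map still references a deleted libssl/libcrypto shared object.
# lsof puts "DEL" in the FD column (field 4) for a mapped file that has been
# unlinked, and the path is always the last field.
stale_ssl_users() {
    awk '$4 == "DEL" && $NF ~ /lib(ssl|crypto)\.so/ { print $1, $2 }' | sort -u
}

# Constructed sample lsof output for the offline demo (not real captured data):
# nginx workers still map the old libssl/libcrypto, sshd was restarted and maps
# the new file (FD column "mem", not "DEL"), bash is unrelated.
SAMPLE_LSOF='nginx      1234     root  DEL    REG    8,1              393227 /lib/x86_64-linux-gnu/libssl.so.1.0.0
nginx      1235 www-data  DEL    REG    8,1              393228 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
nginx      1235 www-data  DEL    REG    8,1              393227 /lib/x86_64-linux-gnu/libssl.so.1.0.0
sshd        987     root  mem    REG    8,1   431384    393300 /lib/x86_64-linux-gnu/libssl.so.1.0.0
bash       2001     root  cwd    DIR    8,1     4096         2 /'

# Real usage would be:  lsof -n | stale_ssl_users
# Here we feed the constructed sample instead.
printf '%s\n' "$SAMPLE_LSOF" | stale_ssl_users
```

Every command name it prints is a service you still need to restart (or a process you need to kill) before the upgrade actually protects you.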

Further Reading