Fixing CentOS 6 Linux Systems from HeartBleed

Fixing “HeartBleed” on CentOS 6 Servers

 

Some of the on-line “tests” I have seen are not really testing to see if a particular site is vulnerable. Many seem to just look at the server version text, which can be changed to say anything you want. I used to recompile apache and put strange messages in there, just to be funny. This site, however actually launches an “attack”, which would most certainly tell you if your site is vulnerable or not:

http://filippo.io/Heartbleed/

I really can’t recommend any of the other ones, as I patched all my sites, and they were showing as a false positive. Just looking at a version number isn’t going to give you the correct answer. Launching an “attack” and seeing how your site really responds is the proper method of testing.

Here’s what I did on any public facing CentOS 6.5 server:

yum clean all && yum update "openssl*"

Then, to find out which services are compiled against the OpenSSL library:

lsof -n | grep ssl | grep DEL

Some common services:

Apache (httpd) OpenSSH (sshd) Sendmail (sendmail) Exim (exim) ProFTPd (proftpd) Pure-FTPd (pure-ftpd)

Double check and make sure your OpenSSL has been patched with this:

rpm -q --changelog openssl | grep -B 1 CVE-2014-0160

It should respond with something similar to this:

* Mon Apr 07 2014 Tomáš Mráz 1.0.1e-16.7 - fix CVE-2014-0160 - information disclosure in TLS heartbeat extension

You should also generate new SSH keys, and restart SSHd, as those are usually created on firstboot:

# rm -f /etc/ssh/ssh_host*key*; /etc/init.d/sshd restart

After all this is done, change your passwords to be extra safe.

Leave a Reply