How to fix the Heartbleed vulnerability on unmanaged servers

This article discusses the "Heartbleed" OpenSSL vulnerability, and how to fix it on your unmanaged server.

The information in this article only applies to the products listed in the Article Details sidebar. You must have root access to the server to follow the procedures described below.

About “Heartbleed”

The well-publicized “Heartbleed” vulnerability is a bug in certain versions of the OpenSSL library. If your unmanaged server is running one of the following operating system templates, it may be vulnerable:

  • CentOS 6.5
  • Debian 7 (Wheezy)
  • Ubuntu 12.04

To fix this vulnerability, you must update your server and then restart every service that uses the OpenSSL library: a running process keeps using the copy of the library it loaded at start-up, so installing the patched package alone does not protect services that were already running. The most commonly affected services are web servers, SQL database servers, and e-mail servers, though other services (such as Tor and OpenVPN) are also affected.

If you have automatic updates enabled on your server, then the OpenSSL package has likely already been patched, but services that were running when the update was applied still need to be restarted (or the server rebooted). To run an online test and determine whether or not a particular server is vulnerable, please visit http://filippo.io/Heartbleed.

Fixing the vulnerability

If your server is running one of the affected operating system templates listed above, follow the appropriate procedures below.

CentOS 6.5

To fix the Heartbleed vulnerability on CentOS 6.5, follow these steps:

  1. Install the latest updates on the server. For detailed information about how to do this, please see this article.
  2. Reboot the server or selectively restart any affected services. If a command below reports that the script does not exist, check /etc/init.d/ for the installed name: the stock CentOS 6.5 packages, for example, install the MySQL script as mysqld and the PostgreSQL script as postgresql.

    Web servers:

    • To restart the Apache web server, type the following commands:

      /etc/init.d/httpd stop
      /etc/init.d/httpd start

    • To restart the Nginx web server, type the following commands:

      /etc/init.d/nginx stop
      /etc/init.d/nginx start

    SQL services:

    • To restart MySQL, type the following commands:

      /etc/init.d/mysql stop
      /etc/init.d/mysql start

    • To restart PostgreSQL, type the following commands:

      /etc/init.d/pgsql stop
      /etc/init.d/pgsql start

    E-mail services:

    • To restart Postfix, type the following commands:

      /etc/init.d/postfix stop
      /etc/init.d/postfix start

    • To restart Exim, type the following commands:

      /etc/init.d/exim stop
      /etc/init.d/exim start

  3. Run the online test at http://filippo.io/Heartbleed to confirm that the server is no longer vulnerable.

Debian 7 and Ubuntu 12.04

To fix the Heartbleed vulnerability on Debian 7 (Wheezy) or Ubuntu 12.04 (Precise Pangolin), follow these steps:

  1. Install the latest updates on the server. For detailed information about how to do this, please see this article.
  2. Reboot the server or selectively restart any affected services. If a command below reports an unrecognized service, check /etc/init.d/ for the installed name: the stock Debian and Ubuntu packages, for example, install the Exim script as exim4.

    Web servers:

    • To restart the Apache web server, type the following commands:

      service apache2 stop
      service apache2 start

    • To restart the Nginx web server, type the following commands:

      service nginx stop
      service nginx start

    SQL services:

    • To restart MySQL, type the following commands:

      service mysql stop
      service mysql start

    • To restart PostgreSQL, type the following commands:

      service postgresql stop
      service postgresql start

    E-mail services:

    • To restart Postfix, type the following commands:

      service postfix stop
      service postfix start

    • To restart Exim, type the following commands:

      service exim stop
      service exim start

  3. Run the online test at http://filippo.io/Heartbleed to confirm that the server is no longer vulnerable.
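Both procedures above depend on restarting every process that still holds the old library, and the short service lists do not cover everything (Tor, OpenVPN, or anything else linked against libssl). The following script, added here as an example and not part of the original article, finds those processes from the server side: once the package manager has replaced libssl/libcrypto on disk, every process that loaded the old copy still shows it in /proc/PID/maps with a trailing "(deleted)" marker. The function names, the constructed sample lines, and the package-version comments are assumptions of this example; the fixed package versions quoted in the comments are those published in the Debian and Ubuntu advisories for CVE-2014-0160.

```shell
#!/bin/sh
# Added example (not from the KB article): after the openssl/libssl package
# has been updated, list the processes that are still running against the
# OLD library and therefore still need the restart described in step 2.
#
# On Linux a shared object that the package manager replaced on disk stays
# mapped in every process that loaded it before the update, and
# /proc/PID/maps marks such a mapping with a trailing "(deleted)".

# maps_has_stale_openssl: read /proc/PID/maps-style lines on stdin; succeed
# (exit 0) if any libssl/libcrypto mapping refers to a deleted file.
maps_has_stale_openssl() {
    grep -Eq 'lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)'
}

# stale_openssl_services: scan every live process and print "PID command"
# for those still holding the replaced library. An empty result after the
# update means step 2 is complete for every OpenSSL consumer, not just the
# services named in the article. Needs root to read other users' maps.
stale_openssl_services() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        # stderr is silenced first so a process that exited mid-scan is skipped quietly
        if maps_has_stale_openssl 2>/dev/null < "$maps"; then
            cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null | cut -c1-60)
            printf '%s %s\n' "$pid" "$cmd"
        fi
    done
}

# Package-level checks to run by hand before the scan (comments only):
#   CentOS 6.5:   rpm -q --changelog openssl | grep -i CVE-2014-0160
#                 (a matching changelog line means the fixed build is installed)
#   Debian 7:     dpkg -l libssl1.0.0   -> fixed in 1.0.1e-2+deb7u5 (DSA-2896-1)
#   Ubuntu 12.04: dpkg -l libssl1.0.0   -> fixed in 1.0.1-4ubuntu5.12 (USN-2165-1)

# Constructed sample lines (not captured from a real host): a mapping from a
# worker started before the update (file deleted) and one started after it.
SAMPLE_STALE='7f2b3c000000-7f2b3c05e000 r-xp 00000000 08:01 132 /usr/lib64/libssl.so.1.0.1e (deleted)'
SAMPLE_FRESH='7f2b3c000000-7f2b3c05e000 r-xp 00000000 08:01 140 /usr/lib64/libssl.so.1.0.1e'

# demo: exercise the filter on the constructed lines; returns 0 when the
# stale line is flagged and the fresh one is not.
demo() {
    printf '%s\n' "$SAMPLE_STALE" | maps_has_stale_openssl || return 1
    printf '%s\n' "$SAMPLE_FRESH" | maps_has_stale_openssl && return 1
    return 0
}

# Real run on the server (as root):
#   stale_openssl_services
```

Run stale_openssl_services as root after step 1; every PID it prints belongs to a service that must be restarted before step 3 is meaningful, and a second run after the restarts should print nothing. The distributions ship tools that do the same scan more thoroughly (checkrestart from the debian-goodies package on Debian/Ubuntu, needs-restarting from yum-utils on CentOS); the script above is a dependency-free version for servers where those are not installed.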

More Information

For detailed information about the “Heartbleed” vulnerability, please visit http://heartbleed.com.