After the Heartbleed bug made everyone upgrade their OpenSSL installations in fear of hackers getting access to login information, I noticed more and more comments with questions like “Did you restart the service after you patched it?”.
Even if you run apt-get update && apt-get upgrade on a regular basis, some services actually DO need to be restarted to benefit from the update. A service that is not restarted is still running the old code and is most likely still vulnerable.
Debian has a nice tool to check which services need to be restarted after an update/upgrade. It is called checkrestart and should be run after installing security updates. Install it and add it to your maintenance and security tasks right away!
Installing is easy; run this command as root:

```
apt-get install debian-goodies
```

Then check your status by running:

```
checkrestart
```

This is the result I got from one of my servers after the Shellshock security issue:

```
root@ks3358984:/home/mikho# checkrestart
Found 13 processes using old versions of upgraded files
(6 distinct programs)
(6 distinct packages)
Of these, 3 seem to contain init scripts which can be used to restart them:
The following packages seem to have init scripts that could be used
to restart them:
openssh-server:
18317 /usr/sbin/sshd
18319 /usr/sbin/sshd
udev:
2209 /sbin/udevd
cron:
3778 /usr/sbin/cron
These are the init scripts:
service ssh restart
service udev-mtab restart
service udev restart
service cron restart
These processes do not seem to have an associated init script to restart them:
login:
18326 /bin/su
bash:
18320 /bin/bash
18330 /bin/bash
```
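
To show the condition behind "processes using old versions of upgraded files", here is an added sketch (not checkrestart's own code and not part of the original post) that looks for executable mappings marked `(deleted)` in `/proc/<pid>/maps`, which is what a replaced binary or library looks like to a process that is still running it. The function names, the ignored path prefixes and the sample maps lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added illustration: find processes still executing files that were replaced on disk.

# Read /proc/<pid>/maps-format text on stdin and print each distinct executable
# mapping whose backing file has been deleted (i.e. replaced by an upgrade).
stale_mappings() {
    awk '$2 ~ /x/ && $NF == "(deleted)" && $6 ~ /^\// {
        path = $6
        for (i = 7; i < NF; i++) path = path " " $i   # re-join paths with spaces
        # Assumed noise filter: temp files and shared-memory objects, not upgrades.
        if (path ~ /^\/(dev\/|tmp\/|run\/|SYSV|memfd:)/) next
        if (!seen[path]++) print path
    }'
}

# Walk every process and report the ones with stale mappings (run as root
# so that other users' maps files are readable).
scan_procs() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}; pid=${pid%/maps}
        stale=$(cat "$maps" 2>/dev/null | stale_mappings)
        [ -n "$stale" ] || continue
        printf '%s (%s)\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
        printf '%s\n' "$stale" | sed 's/^/    /'
    done
}

# Constructed sample: an sshd-like process after its binary and libssl were upgraded.
sample_maps() {
    cat <<'EOF'
00400000-0047c000 r-xp 00000000 08:01 5120 /usr/sbin/sshd (deleted)
7f10a0000000-7f10a0058000 r-xp 00000000 08:01 1311 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f10a0058000-7f10a0258000 ---p 00058000 08:01 1311 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f10a0300000-7f10a04a0000 r-xp 00000000 08:01 2207 /lib/x86_64-linux-gnu/libc-2.13.so
7f10a0600000-7f10a0601000 rw-s 00000000 00:04 9001 /dev/zero (deleted)
7f10a0700000-7f10a0710000 r-xp 00000000 08:01 4410 /tmp/jit-cache.so (deleted)
7f10a0800000-7f10a0821000 rw-p 00000000 00:00 0
EOF
}

# Scan the live system only when asked to: sh stale.sh --scan
if [ "${1:-}" = "--scan" ]; then
    scan_procs
fi
```

A process listed by `scan_procs` keeps running the old code until it is restarted, which is why interactive shells and `su` sessions show up in the checkrestart output above without an init script.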