After the Heartbleed bug, which made everyone upgrade their OpenSSL installations in fear of hackers getting access to login information, I noticed more and more comments with questions like “Did you restart the service after you patched it?”.
Even if you run apt-get update && apt-get upgrade on a regular basis, some services actually DO need to be restarted to benefit from the update. A service that is not restarted keeps the old code loaded in memory, so it is still running that code and is most likely still vulnerable.
Debian has a nice app to check which services need to be restarted after an update/upgrade. It is called checkrestart and should be run after installing security updates. Install the app and add it to your maintenance and security tasks right away!
Installing is easy; run this command as root:

    apt-get install debian-goodies

Then check your status by running:

    checkrestart

This is the result I got from one of my servers after the Shellshock security issue:

    root@ks3358984:/home/mikho# checkrestart
    Found 13 processes using old versions of upgraded files
    (6 distinct programs)
    (6 distinct packages)

    Of these, 3 seem to contain init scripts which can be used to restart them:
    The following packages seem to have init scripts that could be used
    to restart them:
    openssh-server:
            18317   /usr/sbin/sshd
            18319   /usr/sbin/sshd
    udev:
            2209    /sbin/udevd
    cron:
            3778    /usr/sbin/cron

    These are the init scripts:
    service ssh restart
    service udev-mtab restart
    service udev restart
    service cron restart

    These processes do not seem to have an associated init script to restart them:
    login:
            18326   /bin/su
    bash:
            18320   /bin/bash
            18330   /bin/bash
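
What "still running on the old code" looks like at the process level, as an added example that is not part of the original post and is independent of how checkrestart itself is implemented. The function names (stale_maps, scan_procs, demo) and the maps excerpt are constructed for illustration.

```shell
#!/bin/sh
# Added example: find processes still mapping files that an upgrade replaced.
# When a package upgrade replaces a library or binary, processes started earlier
# keep the old inode mapped; /proc/<pid>/maps then shows the path as "(deleted)".

# stale_maps FILE: print the unique deleted executable mappings in a maps file.
# Only executable mappings are considered, and shared-memory / temp paths are
# skipped, because those are routinely deleted while in use.
stale_maps() {
    awk '$2 ~ /x/ && $NF == "(deleted)" && $6 ~ /^\// {
             path = $6
             for (i = 7; i < NF; i++) path = path " " $i   # paths with spaces
             if (path !~ /^\/(dev|run|tmp)\/|^\/memfd:|^\/SYSV/) print path
         }' "$1" 2>/dev/null | sort -u
}

# scan_procs: report every readable process with stale mappings (run as root).
scan_procs() {
    for dir in /proc/[0-9]*; do
        [ -r "$dir/maps" ] || continue
        stale=$(stale_maps "$dir/maps") || continue
        [ -n "$stale" ] || continue
        printf 'PID %s: %s\n' "${dir#/proc/}" \
            "$(tr '\000' ' ' 2>/dev/null < "$dir/cmdline")"
        printf '%s\n' "$stale" | sed 's/^/    still maps old /'
    done
}

# demo: run the parser on a constructed maps excerpt (not from a real host).
demo() {
    sample=$(mktemp) || return 1
    cat > "$sample" <<'EOF'
7f1a2c000000-7f1a2c060000 r-xp 00000000 08:01 131 /usr/lib/libssl.so.1.0.0 (deleted)
7f1a2d000000-7f1a2d1a0000 r-xp 00000000 08:01 140 /lib/libc-2.19.so
7f1a2e000000-7f1a2e001000 rwxs 00000000 00:05 0 /SYSV00000000 (deleted)
00400000-004ef000 r-xp 00000000 08:01 99 /bin/bash (deleted)
EOF
    stale_maps "$sample"
    rm -f "$sample"
}

# "scan" inspects the live system; anything else runs the offline demo.
if [ "${1:-}" = "scan" ]; then scan_procs; else demo; fi
```

Run it with the argument scan as root after an upgrade; any PID it lists needs a restart of its service (or a fresh login, for shells) before the fix is actually in effect.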