Trying to figure out exactly what services should be restarted after patching openssl against Heartbleed. At least one post mentions restarting:
sshd, apache, nginx, postfix, dovecot, courier, pure-ftpd, bind, mysql
- Is there a command that can be run to see what running services are dependent on openssl?
- Is there a command to run against apache/nginx to see if the patch is active so the service doesn't need to be restarted?
- Should we just schedule downtime and reboot every server entirely?
EDIT: This post suggests using: lsof -n | grep ssl | grep DEL
to display processes still using the old version of OpenSSL marked for deletion
As a general rule when mitigating a major vulnerability in a library which is used by many programs: rebooting your server is the easiest way to ensure you've restarted every affected program, and that nothing is using the old (vulnerable) code.
You should not fear rebooting your systems (you should be doing it pretty regularly when you install patches anyway!) - regularly rebooting your servers means you can be confident they will come back up without a problem, and if you design your environment for proper fault tolerance a reboot does not mean an outage. (For that matter, even if your environment ISN'T fault-tolerant, we're talking maybe 10 minutes - a tiny outage considering the scale of the security problem we're talking about with Heartbleed...)
If for some reason you can't reboot, you can use lsof to determine what programs are running which are using the OpenSSL library:
sudo lsof -n | grep ssl
To find ones using the OLD (deleted) library, you can do
sudo lsof -n | grep ssl | grep DEL
Each affected program will need to be restarted using whatever procedure is appropriate for that program.
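The lsof check from this answer, as an added example that is not part of the original thread: a shell script that parses lsof output for deleted libssl/libcrypto mappings (libcrypto ships in the same OpenSSL package and a plain `grep ssl` misses it) and, for hosts without lsof, reads /proc/*/maps directly. It assumes Linux; the function names and the sample lsof output are constructed.

```shell
# Added example (not from the original thread): find processes that still map
# a deleted OpenSSL library, so they can be restarted instead of rebooting.
# Assumes Linux with lsof and/or /proc. The sample input below is constructed.

# Parse `lsof -n` output on stdin and print "PID COMMAND LIBRARY" once per
# process whose mapped libssl/libcrypto has been replaced on disk. Handles
# both lsof styles: FD column "DEL" and a trailing "(deleted)" marker.
stale_openssl_from_lsof() {
    awk '
        $1 == "COMMAND" { next }                 # header line
        {
            path = $NF; deleted = 0
            if (path == "(deleted)") { path = $(NF - 1); deleted = 1 }
            for (i = 4; i < NF; i++) if ($i == "DEL") deleted = 1   # FD column
            if (deleted && path ~ /libssl|libcrypto/ && !seen[$2]++)
                print $2, $1, path
        }'
}

# Same check straight from /proc, for hosts without lsof. Each maps line ends
# with the pathname, followed by "(deleted)" when the file has been unlinked.
stale_openssl_from_proc() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        lib=$(awk '$NF == "(deleted)" && $(NF-1) ~ /libssl|libcrypto/ { print $(NF-1); exit }' "$maps" 2>/dev/null || true)
        if [ -n "$lib" ]; then
            printf '%s %s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)" "$lib"
        fi
    done
}

# Constructed sample of `sudo lsof -n` output: sshd and nginx still map the
# old library; bash maps the current one; cron's stale mapping is libc, not OpenSSL.
SAMPLE_LSOF='COMMAND   PID USER  FD   TYPE DEVICE SIZE/OFF    NODE NAME
sshd     1234 root  DEL  REG  253,0          1312 /lib/x86_64-linux-gnu/libssl.so.1.0.0
sshd     1234 root  DEL  REG  253,0          1313 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
nginx    2345 www   mem  REG  253,0  431112  1312 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
bash     3456 root  mem  REG  253,0  431112  1400 /lib/x86_64-linux-gnu/libssl.so.1.0.0
cron     4567 root  DEL  REG  253,0          1500 /lib/x86_64-linux-gnu/libc.so.6'

# Real use: sudo lsof -n | stale_openssl_from_lsof    (or: stale_openssl_from_proc)
check_sample() { printf '%s\n' "$SAMPLE_LSOF" | stale_openssl_from_lsof; }
```

Each PID the script prints belongs to a service that has to be restarted (or the host rebooted) before it stops running the old code.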