How To Deal With The Heartbleed Bug

As I have to administer some Debian and Ubuntu machines running ISPConfig I thought it’s good idea to write a few notes on the latest “Heartbleed Bug”.

First of all it’s worth notify that OpenSSH which is commonly used to administer Linux machines is not affected by this bug that much so it’s not needed to re-generate the keys os if you do the classic update/upgrade procedure you should be fine..

As for the ISPConfig itself it’s not affected though the administration uses HTTPS so it’s wise to re-generate it’s certificates:

cd /usr/local/ispconfig/interface/ssl/

mkdir oldcert

mv ispserver.* oldcert/

openssl req -new -newkey rsa:4096 -days 3650 -nodes -keyout ispserver.key -out ispserver.csr

###

openssl x509 -req -days 3650 -in ispserver.csr -signkey ispserver.key -out ispserver.crt

###

chown ispconfig:ispconfig ispserver.*

chmod 750 ispserver.*

/etc/init.d/apache2 restart

Also it’s good idea to re-generate the certificates for pure-ftpd:
cd /etc/ssl/private/

mv pure-ftpd.pem pure-ftpd.pem.old

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

chmod 600 /etc/ssl/private/pure-ftpd.pem

/etc/init.d/pure-ftpd-mysql restart

and also postfix and dovecot:
cd /etc/postfix/

mv smtpd.cert smtpd.cert.old

mv smtpd.key smtpd.key.old

openssl genrsa -out smtpd.key 2048

openssl req -new -x509 -key smtpd.key -out smtpd.cert -days 3650

chmod 640 smtpd.key

/etc/init.d/postfix restart

/etc/init.d/dovecot restart

All the credit for the certificate regeneration process goes to guys at HowtoForge.com/forums.