Easy steps to cover yourself, since there's a lot of misinformation and FUD getting tossed around:
1) Update your OpenSSL installations and libraries. If you are unable to move versions, or have a specific way you've compiled OpenSSL for any which way, you can cover your bases by recompiling any affected version with '-DOPENSSL_NO_HEARTBEATS' to disable the vulnerable vector.
2) Revoke and renew your SSL certificates. Regenerate your SSH keys. Change your passwords, and any other credentials. The 'heartbleed' exploit dumps out the contents of the memory in 64K chunks, but this doesn't stop somebody from firing 100,000+ requests down your vulnerable web server to pull down the private keys, passwords, and other data in plain-text sitting pretty. (Ref: https://www.cloudflarechallenge.com/heartbleed)
3) If your affected server houses any systems, control panels, or other mechanisms that customers and other users will be making use of, notify them, and force a password change. Worst case scenario, notify them, and ask them to change their password.
At the end of the day, there haven't been any public releases of any intrusions resulting from the exploit, but that doesn't mean there won't be, especially considering that it's out in the wild at this point. There's a Windows Sysadmin somewhere in the world that's been getting quite a few good nights' sleep the last few days.
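To confirm that the recompile in step 1 took effect, the build flags an `openssl` binary reports can be checked for `-DOPENSSL_NO_HEARTBEATS`. The script below is an added example, not part of the original post; the function name `heartbeat_build_status` is hypothetical and both sample outputs are constructed.

```bash
#!/usr/bin/env bash
# Added example: classify `openssl version -a` output by whether the build
# was compiled with -DOPENSSL_NO_HEARTBEATS.

# heartbeat_build_status TEXT
#   prints "disabled"     if the compiler line carries the flag,
#          "not-disabled" if a compiler line exists without the flag,
#          "unknown"      if no compiler line is present (truncated output).
heartbeat_build_status() {
    printf '%s\n' "$1" | awk '
        /^compiler:/ {
            seen = 1
            # Match the flag as a whole token, not as a substring.
            for (i = 2; i <= NF; i++)
                if ($i == "-DOPENSSL_NO_HEARTBEATS") off = 1
        }
        END {
            if (!seen)    print "unknown"
            else if (off) print "disabled"
            else          print "not-disabled"
        }'
}

# Constructed sample: a stock build, heartbeats compiled in.
SAMPLE_STOCK='OpenSSL X.Y.Z (constructed sample)
platform: linux-x86_64
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -O3 -Wall
OPENSSLDIR: "/usr/local/ssl"'

# Constructed sample: the same build recompiled with the flag from step 1.
SAMPLE_REBUILT='OpenSSL X.Y.Z (constructed sample)
platform: linux-x86_64
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -DOPENSSL_NO_HEARTBEATS -O3 -Wall
OPENSSLDIR: "/usr/local/ssl"'

if [ "$#" -gt 0 ]; then
    # Real use: pass one or more paths to openssl binaries.
    for bin in "$@"; do
        printf '%s: %s\n' "$bin" \
            "$(heartbeat_build_status "$("$bin" version -a 2>/dev/null)")"
    done
else
    printf 'stock sample:   %s\n' "$(heartbeat_build_status "$SAMPLE_STOCK")"
    printf 'rebuilt sample: %s\n' "$(heartbeat_build_status "$SAMPLE_REBUILT")"
fi
```

The result describes only the binary that was queried. Software that bundles or statically links its own copy of OpenSSL has to be checked and rebuilt separately.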