Protect Your Server Againt The Shellshock Bug

Step 1: Check Your System for the Vulnerability

On each of your systems that run Bash, you may check for Shellshock vulnerability by running the following command at the bash prompt:

$ env VAR='() { :;}; echo Your bash is vulnerable!' bash -c "echo Bash Tested"

If your bash is vulnerable you will see "Your bash is Vulnerable" followed by the "Bash Tested" line.

If the test is positive this is a very large concern. Suffice to say there are hundread of ways for an attacker to manipulate this particular flaw, however one of the most concerning is the web server header attack. Simply modifying the headers that someone uses to GET or POST to you server they could be running code on your server. This makes hearbleed look like a minor concern.

If you have the vulnerability you need to patch it as soon as possible.

This is not as big a concern for personal computers, since you do not run a internet accessible web server. This does not mean you should let it go unpatched, but you can wait for your operating system to release the official patch.

Step 2: Patch Your System and Retest the Vulnerability

Once you get a positive result. You will need to resolve the issue, you can do this in one of two ways.

You can use the package manager that came with your OS such as yum or apt-get.

Simply run these commands:

for Ubuntu or Debian:

$ sudo apt-get upgrade bash

or for centos, redhat, or Amazon Linux:

$ sudo yum update bash

or if those do not work you can always install and upgrade from source.

The commands to compile and replace your copy of bash follow. These are confirmed on a Linux Ubuntu system with build-essential meta package installed. It may vary on other OSs.


$ cd; mkdir src; cd src

$ wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz

# download all patches

$ for i in $(seq -f "%03g" 0 26); do wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done

$ tar zxvf bash-4.3.tar.gz

$ cd bash-4.3

# apply all patches

$ for i in $(seq -f "%03g" 0 26);do patch -p0 < ../bash43-$i; done

# build and install

$ ./configure --prefix=/ && make

# if you see no errors, continue

$ sudo make install

$ ls -l $(which bash) # should show a file with current date

# Rerun the test; if it passes, you can remove the source

$ cd ~; rm -r src 

Once patched you will need to test again to make sure it resolved the issue.

$ env VAR='() { :;}; echo Your bash is vulnerable!' bash -c "echo Bash Tested"

you should only see "Bash Tested" output in the terminal window.

Happy patching!