Comment Update in haste? (Score 1) 74
Also, I have SSH locked down to specific IP address, no Web service of any kind -- indeed, it's a "mostly closed" system with public-facing holes only for SSH (limited by tcpwrappers), SMTP (not SMTPS or SUBMISSION), DOMAIN (severely rate-limited and with blocks for ANY), NTP, and TRACEROUTE. This effectively blocks any access to heartbleed.
When the first alerts came out, the first thing I did was run the web-based exploit detectors. They didn't get through. At that time, I reviewed the services not blocked by the firewall, and to the best of my knowledge, none of the services I list above use the Secure Shell library. So I satisfied myself that my mail server was tight.
Everything else on my network is behind the same firewall, using NAT to gain access to the outside world. There is no open path to my desktop computers or internal-only servers.
I'm very much of the school "if it ain't broke, don't fix it in a hurry." In my case, I'm rebuilding servers (some celebrating 10 years of service or more) with the latest proven software one at a time, with the mail server being last in the chain. I'm replacing hardware as well as software, one by one. (I'm probably going to update the old hardware so I have standbys if the new hardware experiences infant mortality, but that's a detail.)
So, in come cases carefully researched, there isn't any need to take action against Heartbleed, because the exploits are blocked upstream.