
Mohammad Tomaraei

Posted on • Originally published at tomaraei.com

Enabling Automatic Unattended Security Updates on Ubuntu and Debian

Keeping up with the latest security patches is a crucial step in avoiding compromise.

Google recently published an article showcasing a proof-of-concept attack based on the well-known Spectre vulnerability, underlining the possible consequences of leaving affected systems unpatched.

New vulnerabilities are discovered constantly, and as a result new security updates are published almost every day.

Luckily, this process has been made simple for Linux users running Debian-based distributions such as Ubuntu. The unattended-upgrades package does exactly what its name suggests: it installs security updates automatically, without anyone at the keyboard.

Install the unattended upgrade utility:

sudo apt install unattended-upgrades apt-listchanges

Reconfigure the package so that it performs updates automatically (choose <YES> when prompted):

sudo dpkg-reconfigure -plow unattended-upgrades

Check /etc/apt/apt.conf.d/20auto-upgrades and make sure it has the following content:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";

For more information regarding these variables, take a look at this guide.
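The three APT::Periodic settings above only do their job if the file actually contains them and the apt timers that read them are running. The following audit script is an added example, not code from the original post: it reads a 20auto-upgrades file (the real one by default, or any path you pass, so it can be run against a test copy), checks the two settings that enable unattended upgrades, and, on systemd-based Ubuntu/Debian hosts, checks that apt-daily.timer and apt-daily-upgrade.timer are active. The function names and the "audit" argument are this example's own choices.

```shell
#!/bin/sh
# Added audit helper (not part of the original post): confirm that the
# APT::Periodic settings are in place and that the systemd timers acting
# on them are running. Function names are this example's own choices.

# Print the value of an APT::Periodic key as set in FILE. The last
# occurrence wins, matching how apt applies later definitions over
# earlier ones.
apt_periodic_value() {
    key="$1"
    file="$2"
    sed -n "s/^[[:space:]]*${key}[[:space:]]*\"\([^\"]*\)\";.*/\1/p" "$file" | tail -n 1
}

# Return 0 when both package-list refreshing and unattended upgrades
# are enabled in FILE (default: the file the post describes).
check_auto_upgrades() {
    file="${1:-/etc/apt/apt.conf.d/20auto-upgrades}"
    if [ ! -r "$file" ]; then
        echo "WARN: $file is missing; run dpkg-reconfigure -plow unattended-upgrades"
        return 1
    fi
    lists=$(apt_periodic_value 'APT::Periodic::Update-Package-Lists' "$file")
    upgrades=$(apt_periodic_value 'APT::Periodic::Unattended-Upgrade' "$file")
    if [ "$lists" = "1" ] && [ "$upgrades" = "1" ]; then
        echo "OK: periodic update and unattended upgrade are enabled in $file"
        return 0
    fi
    echo "WARN: Update-Package-Lists='$lists' Unattended-Upgrade='$upgrades' in $file"
    return 1
}

# The periodic settings only take effect when the apt timers fire. On
# systemd-based Ubuntu/Debian these are apt-daily.timer (list refresh)
# and apt-daily-upgrade.timer (the unattended-upgrade run).
check_apt_timers() {
    status=0
    for timer in apt-daily.timer apt-daily-upgrade.timer; do
        if command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet "$timer"; then
            echo "OK: $timer is active"
        else
            echo "WARN: $timer is not active; unattended upgrades will not run"
            status=1
        fi
    done
    return "$status"
}

# Run the checks against the live system with: sh audit-unattended.sh audit
if [ "${1:-}" = "audit" ]; then
    check_auto_upgrades
    check_apt_timers
fi
```

A WARN from the timer check is the more common surprise: the configuration file can be perfect while the timers were masked by an image-build step or a previous administrator, in which case nothing is ever upgraded.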

Check /etc/apt/apt.conf.d/50unattended-upgrades and make sure that, inside the Unattended-Upgrade::Allowed-Origins block, only the lines corresponding to security packages are uncommented:

Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        "${distro_id}ESMApps:${distro_codename}-apps-security";
        "${distro_id}ESM:${distro_codename}-infra-security";
};

If you would like to exclude certain packages from being updated, list them in the same file under:

Unattended-Upgrade::Package-Blacklist {
  "docker";
  "nginx";
};
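Blacklist entries are regular expressions matched from the start of the package name, so an entry such as "docker" also holds back docker.io and docker-compose, and "nginx" holds back nginx-common and nginx-core. The helper below is an added example, not code from the original post; it previews what each entry would exclude, using grep -E as a close stand-in for the Python matching unattended-upgrades performs. It reads the installed package list from dpkg-query when available and otherwise falls back to a constructed sample list; the function names and the "report" argument are this example's own choices.

```shell
#!/bin/sh
# Added helper (not from the original post): preview which packages a
# Unattended-Upgrade::Package-Blacklist entry would exclude. Each entry is
# a regular expression matched from the start of the package name; grep -E
# approximates the Python matching that unattended-upgrades uses.

# Constructed sample of package names so the example runs offline.
sample_packages() {
    printf '%s\n' docker.io docker-compose nginx nginx-common nginx-core libc6 libc6-dev openssl
}

# Installed packages from dpkg when available, otherwise the sample list.
installed_packages() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Package}\n'
    else
        sample_packages
    fi
}

# blacklist_matches PATTERN: package names on stdin, the ones the entry
# would exclude on stdout. A pattern with no matches is not an error.
blacklist_matches() {
    grep -E "^($1)" || true
}

# blacklist_report PATTERN...: show what each entry would exclude.
blacklist_report() {
    for pattern in "$@"; do
        echo "== \"$pattern\" would exclude:"
        installed_packages | blacklist_matches "$pattern" | sed 's/^/   /'
    done
}

# Compare the post's entries with their anchored forms:
#   sh blacklist-preview.sh report
if [ "${1:-}" = "report" ]; then
    blacklist_report docker nginx 'docker$' 'nginx$'
fi
```

To exclude exactly one package, anchor the entry with "$" ("nginx$"); the comments shipped in the default 50unattended-upgrades file give the same advice. Anything blacklisted stays unpatched, so the report is worth re-running whenever a new package family is installed.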

To list the pending security updates without installing anything (the -s flag only simulates the upgrade):

apt-get upgrade -s | grep -i security

To see what unattended-upgrade will do when it runs:

sudo unattended-upgrades --dry-run --debug

To run the upgrade manually:

sudo unattended-upgrade

To get the overall number of packages with available updates:

/usr/lib/update-notifier/apt-check --human-readable

This post was originally published on my blog where I write all about tech.
