Keeping Your Server Secure With Unattended Upgrades

When operating servers, you’re responsible for keeping them up to date with the latest security fixes. Ubuntu comes with a mechanism that installs updates automatically so you don’t have to worry about it. Obviously, this is meant for personal servers operated by hobbyists where convenience is more important than availability. In a professional environment, you would test new packages first because seemingly innocent changes may break complex applications.

Unattended upgrades are triggered by the nightly apt cron job, /etc/cron.daily/apt, and are easy to set up. Install the following two packages to get started:

$ sudo apt-get install unattended-upgrades update-notifier-common

The update-notifier-common package is optional; it provides a mechanism for other packages to register a reboot request. Some packages like the Linux kernel require a system reboot for changes to take effect, but without update-notifier-common, automatic reboots will not work and you also won’t get a notification on login.

Once the packages are installed, you have to enable upgrades explicitly:

$ sudo dpkg-reconfigure unattended-upgrades

Select "yes" in the text menu that pops up. This will set two apt configuration properties in /etc/apt/apt.conf.d/20auto-upgrades:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

These two settings make sure that package lists are updated via apt-get update and that the /usr/bin/unattended-upgrade script is run. You can configure unattended-upgrades further through its configuration file in /etc/apt/apt.conf.d/50unattended-upgrades. The default configuration just upgrades packages – to also enable automatic reboots, you need to set the following property:

Unattended-Upgrade::Automatic-Reboot "true";

Make sure you read the comments inside the configuration file carefully; there are a few more features that you may find interesting. For example, if you have a working mail server on your system, you can have unattended-upgrades send status emails about installed packages. This is very useful so you can log into the system after an upgrade to check if it broke anything. Or you could disable automatic reboots and reboot the system manually if the status email tells you that a restart is required.

Once you’re done configuring the system, it makes sense to monitor the log files in /var/log/unattended-upgrades/ for a few days to see if everything works as intended. Usually, security fixes are published several times a week, so you won’t have to wait long to see unattended-upgrades in action.
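To check a machine against the settings described above without depending on root or on a real apt installation, here is a small POSIX shell script. It is an added example and not part of the original post; it parses the apt.conf.d fragment syntax with sed, treats the last assignment in a file as authoritative (as apt does), ignores commented-out lines such as the stock //Unattended-Upgrade::Automatic-Reboot "false";, and can append a missing setting. The fixture directory and its contents are constructed stand-ins for /etc/apt/apt.conf.d; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): verify and complete the apt
# settings the article describes, using only sed/grep/printf so it runs
# without root and without apt being installed. Paths are parameters; the
# defaults are the files named in the post.

# Print the value of KEY in FILE (last assignment wins, as in apt's parser).
# The pattern is anchored at line start, so commented-out lines such as
# '//Unattended-Upgrade::Automatic-Reboot "false";' yield nothing.
apt_value() {
    file=$1; key=$2
    [ -f "$file" ] || return 0
    sed -n "s/^[[:space:]]*${key}[[:space:]]*\"\([^\"]*\)\";.*/\1/p" "$file" | tail -n 1
}

# Return 0 when both settings written by 'dpkg-reconfigure unattended-upgrades' are "1".
periodic_enabled() {
    file=${1:-/etc/apt/apt.conf.d/20auto-upgrades}
    [ "$(apt_value "$file" 'APT::Periodic::Update-Package-Lists')" = 1 ] &&
    [ "$(apt_value "$file" 'APT::Periodic::Unattended-Upgrade')" = 1 ]
}

# Return 0 when automatic reboots are switched on in 50unattended-upgrades.
reboot_enabled() {
    file=${1:-/etc/apt/apt.conf.d/50unattended-upgrades}
    [ "$(apt_value "$file" 'Unattended-Upgrade::Automatic-Reboot')" = true ]
}

# Append 'KEY "VALUE";' to FILE unless it already evaluates to VALUE.
# Appending is sufficient because apt takes the last assignment in a file.
ensure_setting() {
    file=$1; key=$2; value=$3
    [ "$(apt_value "$file" "$key")" = "$value" ] && return 0
    printf '%s "%s";\n' "$key" "$value" >> "$file"
}

# --- constructed fixture: a stand-in for /etc/apt/apt.conf.d ---------------
FIXTURE=$(mktemp -d)
cat > "$FIXTURE/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
# Mirrors the stock file, where the reboot line ships commented out.
cat > "$FIXTURE/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
};
//Unattended-Upgrade::Automatic-Reboot "false";
EOF

periodic_enabled "$FIXTURE/20auto-upgrades" && echo "periodic updates: on"
reboot_enabled "$FIXTURE/50unattended-upgrades" || echo "automatic reboot: off (stock default)"
ensure_setting "$FIXTURE/50unattended-upgrades" 'Unattended-Upgrade::Automatic-Reboot' true
reboot_enabled "$FIXTURE/50unattended-upgrades" && echo "automatic reboot: on"
```

On a real system, point the functions at the files under /etc/apt/apt.conf.d; the authoritative view of what apt actually sees, after all fragments are merged, is apt-config dump, so compare against that before trusting the reboot setting.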


9 Responses to Keeping Your Server Secure With Unattended Upgrades

  1. Pingback: Automatic updates with reboot for your Ubuntu sever | Kian's blog

  2. Kian Salem says:

    Thanks! I linked you in my blog:

  3. katruchu says:

    Unattended upgrades are triggered by the nightly apt cron job, /etc/cron.daily/apt, and are easy to set up.

    Thanks for the post. I have a VPS from RamNode with Ubuntu 14.04 Minimal installed on it and it was missing cron-apt. After I installed it with apt-get install cron-apt I noticed /etc/cron.daily/apt was empty so I just copied the default config from another Ubuntu 14.04 machine. It should be working now. :)

  4. wahoh says:

    Thanks for this, but why does it differ so much from the official docs:

    It's so confusing that they have so many editable files in that directory. Thanks!

    • wahoh says:

      To clarify I mean… why do they say edit `10periodic` but you say to edit only `20auto-upgrades` for these settings? sorry for double posting…

      • Matthias says:

        The difference actually isn’t that big. The only relevant changes they’re making in 10periodic is updating package lists and enabling unattended upgrades. In my opinion, this should be done through dpkg-reconfigure like I described above, but eventually it doesn’t matter how those two properties are set (you don’t have to edit 20auto-upgrades manually, that’s what dpkg-reconfigure does for you).

      • wahoh says:

        Thanks for your reply, Matthias… but from my understanding, if I follow your way, then the following settings get left out?

        APT::Periodic::Update-Package-Lists "1";
        APT::Periodic::Download-Upgradeable-Packages "1";
        APT::Periodic::AutocleanInterval "7";
        APT::Periodic::Unattended-Upgrade "1";

        Or can we add these settings to `20auto-upgrades` instead of `10periodic`?

        Thanks again for your time.

      • Matthias says:

        The following two settings are not left out:

        APT::Periodic::Update-Package-Lists "1";
        APT::Periodic::Unattended-Upgrade "1";

        They are written by the dpkg-reconfigure command to 20auto-upgrades, like I wrote in the article. The other two you listed are not important for the security-upgrade part of unattended-upgrades – my setup works fine without them. They just run "apt-get autoclean" once a week and "apt-get upgrade --download-only" daily. You can set them if you want that functionality or just to be sure though :)

  5. Pingback: Detecting Security Upgrades on Ubuntu | Matthias Friedrich's Blog
