Configure automatic security updates on Ubuntu (How to secure a web server – Part 3)

One of the key aspects of security on Linux systems is the regular updates the community makes to the distribution and its packages. Many of those updates are meant to improve security and fix potential vulnerabilities. For this reason, it’s important to keep your system up to date, especially on a publicly available server. Doing it manually would be time-consuming: you would have to regularly log in to your server and run the updates. Instead, it’s much easier to configure a tool that will do it automatically for you. In this article we’ll learn how to enable automatic security updates on Ubuntu, using unattended-upgrades.

For this tutorial I’ll be using a $5 Digital Ocean Droplet. Be sure to use our free $10 credit if you want to set up your own VPS with Digital Ocean!

Also read the previous articles in this web server security series, where we learn how to improve SSH security, and use UFW as a firewall.

Install unattended-upgrades

unattended-upgrades is a tool that will automatically check for upgrades on the packages installed on your machine, and install them if needed. It can be configured to install any kind of updates, but in this article we’ll focus on security updates only.

To install the package, run the following command. Note that it may be pre-installed with your distribution.

Configure automatic updates

Basic config

Run the command:

It will ask you if you want to enable automatic updates; select Yes. It will then ask you what kind of automatic updates to enable. Updates have an origin, codename and label that can be used to filter the type of updates you want unattended-upgrades to install. The default option will enable security updates only.

The previous dpkg-reconfigure command will generate and populate the following files:

  • /etc/apt/apt.conf.d/20auto-upgrades
  • /etc/apt/apt.conf.d/50unattended-upgrades

Feel free to take a look at the content of those files and change options if you want to. Be sure to create a backup copy of the files first in case you make any breaking change!

Enable extra logging for automatic upgrades

It can be useful to make unattended-upgrades produce more log information. For example, if an update that was installed automatically introduces a bug in one of your applications, you can look at the log file and see that an update was installed recently.

To enable this feature, add the following line to /etc/apt/apt.conf.d/20auto-upgrades:

The file should now be:

Location of the log file

The log file generated by unattended-upgrades is located in /var/log/unattended-upgrades/unattended-upgrades.log.

If it is enabled correctly, it should contain an entry for each time the package checked for new upgrades (and installed them if any were available). If you just enabled it, you may have to wait for it to run for the first time before the log file is populated.
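
After editing the files under /etc/apt/apt.conf.d/, it is worth confirming that automatic upgrades are still switched on. The script below is an added example, not part of the original article: it assumes the two APT::Periodic settings that dpkg-reconfigure normally writes to 20auto-upgrades, and the fragment name 99local and all sample contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article): report whether apt.conf.d fragments
# leave unattended upgrades switched on.

# periodic_value KEY FILE... -> last uncommented value of APT::Periodic::KEY.
# Files are read in the order given; apt lets a later fragment override an
# earlier one, so the last match wins.
periodic_value() {
    key=$1; shift
    cat "$@" | sed -n -e '/^[[:space:]]*\/\//d' \
        -e "s/^[[:space:]]*APT::Periodic::$key[[:space:]]*\"\([^\"]*\)\"[[:space:]]*;.*/\1/p" \
        | tail -n 1
}

# auto_upgrades_enabled FILE... -> exit 0 only if both settings are present
# and not "0" (a value of "0" disables the periodic job).
auto_upgrades_enabled() {
    for k in Update-Package-Lists Unattended-Upgrade; do
        v=$(periodic_value "$k" "$@")
        case "$v" in
            ''|0) echo "DISABLED: APT::Periodic::$k (value: '$v')"; return 1 ;;
        esac
    done
    echo "OK: package list refresh and unattended upgrades are both enabled"
}

# Constructed sample fragments (assumed contents, written to a temp directory).
demo=$(mktemp -d)
printf '%s\n' 'APT::Periodic::Update-Package-Lists "1";' \
              'APT::Periodic::Unattended-Upgrade "1";' > "$demo/20auto-upgrades"
# Hypothetical later fragment that silently turns upgrades back off.
printf '%s\n' '// local override' \
              'APT::Periodic::Unattended-Upgrade "0";' > "$demo/99local"

auto_upgrades_enabled "$demo/20auto-upgrades"
auto_upgrades_enabled "$demo/20auto-upgrades" "$demo/99local" || true
```

On a real server, run `auto_upgrades_enabled /etc/apt/apt.conf.d/*` so that every fragment is taken into account, not just 20auto-upgrades.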

Conclusion

As we’ve seen, enabling automatic security updates is really simple, and can save you a lot of time and worries in the long run. It is a must-have if you run any kind of application connected to the Internet.

Also check this Ubuntu help page for more ways to perform automatic security updates.

2 Comments on Configure automatic security updates on Ubuntu (How to secure a web server – Part 3)

  1. Thank you for a good tutorial. I followed it and I think that there is a problem with this command “sudo dpkg-reconfigure –priority=low unattended-upgrades”. I just checked the wiki, https://wiki.debian.org/UnattendedUpgrades, and I saw that the command is this: “sudo dpkg-reconfigure -plow unattended-upgrades”. Now with this command the file will be generated.
    Check it out
