It is crucial to regularly update your servers.

Many hacks happen because servers aren't patched with the latest security updates.

In this guide, I'll walk you through both manual updates and setting up automatic security updates for your Linux server.

Preparation

To make the most of this guide, ensure you have a properly set up Ubuntu server.

👉
Check out my guide on preparing Ubuntu servers to ensure your server is properly set up.

If you don’t have one, consider getting a free VPS server to follow along.

Manual Updates

First, let’s learn how to update manually.

It’s just two simple commands.

Begin by updating the package list on your server with the following command:

sudo apt update

This command prompts the server to scan the server’s packages and identify those requiring updates, including security patches.

Once this is done, run the following command to update your server’s packages that need updating:

sudo apt upgrade

The server may ask for confirmation by displaying a prompt that requires a yes or no response. Make sure to type yes.

The updating process may take a while, depending on the number of updates needed.

Automatic Security Updates

While updating manually is an option, it’s easy to forget or run out of time, which is why automatic security updates ensure your servers stay patched.

This is crucial for keeping your servers secure.

Installing Unattended Upgrades

Unattended Upgrades automatically installs security updates and patches without needing our input, so we need to install the unattended-upgrades package.

Unattended Upgrades should be installed and enabled by default on Ubuntu servers. Use the following command to check and install it:

sudo apt install unattended-upgrades

Now, we need to run just one more command:

sudo dpkg-reconfigure unattended-upgrades

A pop-up window will appear, asking you if you want to automatically download and install stable updates.

Choose <Yes> and press the ENTER key.

When you do this, Unattended Upgrades changed the value from 0 to 1 in the /etc/apt/apt.conf.d/20auto-upgrades file:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

The number indicates how often Unattended Upgrades will run in days.

A value of 1 will run Unattended Upgrades every day, while a value of 0 will disable Unattended Upgrades.

Considerations

Now that we have automatic security updates in place, there are some important considerations I’d like to share with you.

Firstly, Unattended Upgrades primarily deals with security updates.

You’ll need to manually check for other updates regularly, perhaps weekly.

Also, be aware that Unattended Upgrades might automatically reboot your server for certain updates, which could be disruptive on a production server.

I recommend to manually reboot during low-traffic periods or after notifying users of downtime.

You can customize Unattended Upgrades to either disable automatic reboots or reschedule them for less disruptive times.

Lastly, while Unattended Upgrades can be set to update all packages, not just security ones, I don’t recommend this option, as some updates may break your server.

Configuration

Unattended Upgrades has its settings in a file called 50unattended-upgrades under the /etc/apt/apt.conf.d/ directory.

Open this file in your preferred editor and take a look:

Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        "${distro_id}ESMApps:${distro_codename}-apps-security";
        "${distro_id}ESM:${distro_codename}-infra-security";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};

As you can see from this block of code, Unattended Upgrades handles only security updates.

If you want it to handle non-security updates and update other installed packages, you can uncomment the ${distro_id}:${distro_codename}-updates line.

If you only want Unattended Upgrades to handle security updates, as I recommend, ensure that only security origins are allowed and that all others are commented out, like its default behavior.

You may also want to configure whether Unattended Upgrades should reboot the server if a security update requires a reboot to be applied.

You can specify a time to reboot or disable this feature completely.

To control if Unattended Upgrades should reboot your server automatically, look for the line Unattended-Upgrade::Automatic-Reboot in the configuration file.

Set this to "false" to prevent automatic reboots after updates.

If you prefer automatic reboots, change it to "true".

Additionally, you can schedule a specific time for these reboots.

For this, find the line Unattended-Upgrade::Automatic-Reboot-Time and set it to your desired time, like "04:00" for a reboot at 4 AM.

Email Alerts

There is one more thing to be aware of.

Sometimes, Unattended Upgrades fails to install a security update automatically, requiring a manual update.

You can specify an email address to which Unattended Upgrades should send an email in case this happens.

💡
Your server needs to be configured to send emails, and this can be done by setting up Postfix for external SMTP relay to ensure you receive alerts.

Scroll down the file until you find the line Unattended-Upgrade::Mail ""; and add the email address you want to send a notification to inside the two double quotation marks.

Then, scroll down a little further until you find the line Unattended-Upgrade::MailReport "on-change"; and change it from "on-change" to "only-on-error" to receive a notification only if a security update fails to be installed.

Don’t forget to uncomment these two lines. They should look like this:

Unattended-Upgrade::Mail "hello@ivansalloum.com";
Unattended-Upgrade::MailReport "only-on-error";

Once you're done configuring Unattended Upgrades, save and close the file.

Now, ensure that the mailutils package is installed on your server, as it provides the mail command used by Unattended Upgrades to send emails.

You can install it with the following command:

sudo apt install mailutils

With that, we've completed the configuration. Now, let's test our setup.

Testing Our Setup

To verify that your configuration is working correctly, you can manually trigger an update by executing the following command:

sudo unattended-upgrade -d

You can also test your setup while setting the Unattended-Upgrade::MailReport variable to "always" to verify if your server can send emails.

Conclusion and Final Thoughts

Great job reaching the end!

In this guide, you've learned how to manually update and set up automatic security updates.

🙆‍♂️
There's more to securing Linux servers. I’ve created a comprehensive guide on server security and hardening, where I share the exact security measures I implement on my own servers.

If you found value in this guide or have any questions or feedback, please don't hesitate to share your thoughts in the discussion section.

Your input is greatly appreciated, and you can also contact me directly if you prefer.