
Automating Security Updates on Linux Servers

It is crucial to regularly update your servers.

Many hacks happen because servers aren’t patched with the latest security updates.

In this guide, I’ll walk you through both manual updates and setting up automatic security updates for your Linux server, as well as how to enable the Canonical Livepatch Service to patch the Linux kernel without rebooting.

Preparation

To make the most of this guide, ensure you have a properly set up Ubuntu server.

If you don’t have one, consider getting a free VPS server to follow along.

Following along on your own server will enhance your understanding and practical experience.

Manual Updates

First, let’s learn how to update manually.

It’s just two simple commands.

Begin by updating the package list on your server with the following command:

sudo apt update

This command refreshes the package index from the configured repositories, so the server knows which installed packages have newer versions available, including security patches.

Once this is done, run the following command to update your server’s packages that need updating:

sudo apt upgrade

The server may ask for confirmation by displaying a prompt that requires a yes or no response.

Make sure to type yes.

The updating process may take a while, depending on the number of updates needed.

Automatic Security Updates

Updating manually works, but it is easy to forget or to run out of time, so automatic security updates are what keep your servers reliably patched.

This is crucial for keeping your servers secure.

Installing Unattended Upgrades

Unattended Upgrades automatically installs security updates and patches without needing our input. To use it, we first need to install the unattended-upgrades package.

Use the following command to install it:

sudo apt install unattended-upgrades

Now, we need to run just one more command:

sudo dpkg-reconfigure unattended-upgrades

A pop-up window will appear, asking you if you want to automatically download and install stable updates, as shown in the picture below.

Choose <Yes> and press the ENTER key.

When you do this, Unattended Upgrades changes the values from 0 to 1 in the /etc/apt/apt.conf.d/20auto-upgrades file:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

The number is the interval, in days, between runs.

A value of 1 runs Unattended Upgrades every day, while a value of 0 disables it.

Considerations

Now that we have automatic security updates in place, there are some important considerations I’d like to share with you.

Firstly, Unattended Upgrades primarily deals with security updates.

You’ll need to manually check for other updates regularly, perhaps weekly.

Also, be aware that Unattended Upgrades might automatically reboot your server for certain updates, which could be disruptive on a production server.

I recommend rebooting manually during low-traffic periods or after notifying users of the downtime.

You can customize Unattended Upgrades to either disable automatic reboots or reschedule them for less disruptive times.

Lastly, while Unattended Upgrades can be set to update all packages, not just security ones, I don’t recommend this option, as some updates may break your server.

Now, let’s learn how to configure Unattended Upgrades.

Configuring Unattended Upgrades

Unattended Upgrades has its settings in a file called 50unattended-upgrades under the /etc/apt/apt.conf.d/ directory.

Open this file in your preferred editor and take a look:

...
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        // Extended Security Maintenance; doesn't necessarily exist for
        // every release and this system may not have it installed, but if
        // available, the policy for updates is such that unattended-upgrades
        // should also install from here by default.
        "${distro_id}ESMApps:${distro_codename}-apps-security";
        "${distro_id}ESM:${distro_codename}-infra-security";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};
...

As you can see from this configuration block, Unattended Upgrades handles only security updates by default.

If you want it to handle non-security updates and update other installed packages, you can uncomment the ${distro_id}:${distro_codename}-updates line.

If you only want Unattended Upgrades to handle security updates, as I recommend, ensure that only the security origins are enabled and that all others are commented out, as they are by default.

You may also want to configure whether Unattended Upgrades should reboot the server if a security update requires a reboot to be applied.

You can specify a time to reboot or disable this feature completely.

To control if Unattended Upgrades should reboot your server automatically, look for the line Unattended-Upgrade::Automatic-Reboot in the configuration file.

Set this to "false" to prevent automatic reboots after updates.

If you prefer automatic reboots, change it to "true".

Additionally, you can schedule a specific time for these reboots.

For this, find the line Unattended-Upgrade::Automatic-Reboot-Time and set it to your desired time, like "04:00" for a reboot at 4 AM.
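The settings covered in this section and in the 20auto-upgrades section above can be audited from a script rather than by eye. The following audit script is an added example and is not from the original guide: it reads the two files, lists the origins that are actually active, flags any non-security origin, reports the reboot policy, and checks the /var/run/reboot-required marker that Ubuntu writes when an installed update still needs a reboot. The file names and the marker are the real Ubuntu ones; the sample configuration it writes for the demonstration is constructed, with the -updates origin deliberately uncommented so the warning fires.

```shell
#!/bin/sh
# Added example, not from the original guide: audit the two files the guide
# configures. Pass real paths to check a live server, e.g.
#   audit_report /etc/apt/apt.conf.d/20auto-upgrades \
#                /etc/apt/apt.conf.d/50unattended-upgrades /var/run
# By default it runs on constructed sample files written by write_sample_configs.

# Value of an APT config key written as:  Key "value";
# Lines commented out with // are ignored; prints nothing if the key is absent.
# When the key appears more than once the last one wins, as it does for apt.
apt_conf_value() {
    grep -E "^[[:space:]]*$2[[:space:]]+\"[^\"]*\";" "$1" 2>/dev/null \
        | sed -E 's/^[^"]*"([^"]*)".*/\1/' | tail -n 1
}

# Origins inside the Allowed-Origins { ... } block that are not commented out.
active_origins() {
    awk '
        /^[[:space:]]*Unattended-Upgrade::Allowed-Origins[[:space:]]*[{]/ { inblock = 1; next }
        inblock && /^[[:space:]]*[}];/ { inblock = 0 }
        inblock && /^[[:space:]]*"/ { sub(/^[[:space:]]*"/, ""); sub(/".*$/, ""); print }
    ' "$1"
}

# Active origins other than the release pocket and the *-security pockets.
# Anything printed here means non-security updates will be installed unattended.
non_security_origins() {
    active_origins "$1" | awk '!/-security$/ && $0 != "${distro_id}:${distro_codename}"'
}

# Ubuntu's update-notifier writes this marker when an installed update needs a reboot.
reboot_pending() {
    if [ -f "$1/reboot-required" ]; then echo yes; else echo no; fi
}

show() { printf '%-22s: %s\n' "$1" "${2:-(unset, built-in default applies)}"; }

audit_report() {
    periodic="$1"; uu="$2"; rundir="$3"
    show 'Update-Package-Lists'  "$(apt_conf_value "$periodic" 'APT::Periodic::Update-Package-Lists')"
    show 'Unattended-Upgrade'    "$(apt_conf_value "$periodic" 'APT::Periodic::Unattended-Upgrade')"
    echo 'Active origins:'
    active_origins "$uu" | sed 's/^/    /'
    extra=$(non_security_origins "$uu")
    if [ -n "$extra" ]; then
        echo 'WARNING: non-security origins are enabled:'
        echo "$extra" | sed 's/^/    /'
    fi
    # Automatic-Reboot ships commented out; the built-in default is false.
    show 'Automatic-Reboot'      "$(apt_conf_value "$uu" 'Unattended-Upgrade::Automatic-Reboot')"
    show 'Automatic-Reboot-Time' "$(apt_conf_value "$uu" 'Unattended-Upgrade::Automatic-Reboot-Time')"
    show 'Reboot pending'        "$(reboot_pending "$rundir")"
}

# Constructed sample: daily runs enabled, the -updates origin uncommented (a
# deliberate deviation from the default, to trigger the warning), automatic
# reboots disabled, and a pending-reboot marker present.
write_sample_configs() {
    cat > "$1/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
    cat > "$1/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        // Extended Security Maintenance
        "${distro_id}ESMApps:${distro_codename}-apps-security";
        "${distro_id}ESM:${distro_codename}-infra-security";
        "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};
Unattended-Upgrade::Automatic-Reboot "false";
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
EOF
    : > "$1/reboot-required"
}

sample=$(mktemp -d)
write_sample_configs "$sample"
audit_report "$sample/20auto-upgrades" "$sample/50unattended-upgrades" "$sample"
rm -rf "$sample"
```

On a live server the same report tells you at a glance whether daily runs are on, whether anything beyond the security pockets slipped into Allowed-Origins, and whether a kernel update is sitting there waiting for the reboot you chose to do by hand.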

Email Alerts

There is one more thing to be aware of.

Sometimes, Unattended Upgrades fails to install a security update automatically, requiring a manual update.

You can specify an email address to which Unattended Upgrades should send an email in case this happens.

Note: Your server should be able to send emails. I’ve written a detailed guide on how to configure Postfix to use an external SMTP relay for sending emails.

Scroll down the file until you find the line Unattended-Upgrade::Mail ""; and add the email address you want to send a notification to inside the two double quotation marks.

Then, scroll down a little further until you find the line Unattended-Upgrade::MailReport "on-change"; and change it from "on-change" to "only-on-error" to receive a notification only if a security update fails to be installed.

Don’t forget to uncomment these two lines. They should look like this:

Unattended-Upgrade::Mail "hello@ivansalloum.com";
Unattended-Upgrade::MailReport "only-on-error";

Once you’re done configuring Unattended Upgrades, save and close the file.

Now, ensure that the mailutils package is installed on your server, as it provides the mail command used by Unattended Upgrades to send emails.

You can install it with the following command:

sudo apt install mailutils

With that, we’ve completed the configuration.

Now, let’s test our setup.

Testing Our Setup

To verify that your configuration is working correctly, you can manually trigger an update by executing the following command:

sudo unattended-upgrade -d

You can also temporarily set Unattended-Upgrade::MailReport to "always" and run the command again to verify that your server can send emails.
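Email is only one way to notice a failed run; the log that unattended-upgrades writes to /var/log/unattended-upgrades/unattended-upgrades.log is the other. The following triage script is an added example, not from the original guide: it summarises that log and exits non-zero when a run logged an error, so it can be wired into a cron job or a monitoring check. The sample lines it reads are constructed for the demonstration and only mimic the log's general "<date> <time>,<ms> <LEVEL> <message>" shape; the dates, package names and messages are made up.

```shell
#!/bin/sh
# Added example, not from the original guide: triage the unattended-upgrades
# run log so a failed run is noticed even when the notification mail never arrives.
# Usage on a real server:  triage /var/log/unattended-upgrades/unattended-upgrades.log
# Exit status 0 means no ERROR lines were found; 1 means a manual update is needed.

# Constructed sample log. It mimics the "<date> <time>,<ms> <LEVEL> <message>"
# shape of the real log; dates, package names and messages are made up.
write_sample_log() {
    cat > "$1" <<'EOF'
2024-05-02 06:17:01,412 INFO Starting unattended upgrades script
2024-05-02 06:17:01,413 INFO Allowed origins are: o=Ubuntu,a=jammy, o=Ubuntu,a=jammy-security
2024-05-02 06:17:09,920 INFO Packages that will be upgraded: libexample1 example-tools
2024-05-02 06:17:41,118 INFO All upgrades installed
2024-05-03 06:22:33,004 INFO Starting unattended upgrades script
2024-05-03 06:22:40,771 INFO Packages that will be upgraded: linux-image-generic
2024-05-03 06:24:02,555 WARNING Found /var/run/reboot-required, reboot deferred
2024-05-04 06:31:10,207 INFO Starting unattended upgrades script
2024-05-04 06:31:15,889 ERROR Package example-daemon is in an inconsistent state and has to be reinstalled
EOF
}

# Each invocation logs one "Starting" line, so this counts runs.
count_runs() { grep -c 'Starting unattended upgrades script' "$1" || true; }

# Lines at ERROR level; any output here means the run needs human attention.
error_lines() { grep ' ERROR ' "$1" || true; }

# Every package the log said it would upgrade, one per line.
upgraded_packages() {
    sed -n 's/.*Packages that will be upgraded: //p' "$1" | tr ' ' '\n' | grep . || true
}

# Runs that hit the reboot-required marker (reboot performed or still pending).
reboot_events() { grep -c 'reboot-required' "$1" || true; }

triage() {
    runs=$(count_runs "$1")
    errs=$(error_lines "$1" | wc -l | tr -d ' ')
    pkgs=$(upgraded_packages "$1" | wc -l | tr -d ' ')
    reboots=$(reboot_events "$1")
    printf 'runs=%s upgraded_packages=%s reboot_events=%s errors=%s\n' \
        "$runs" "$pkgs" "$reboots" "$errs"
    if [ "$errs" -gt 0 ]; then
        echo 'Runs needing manual attention:'
        error_lines "$1" | sed 's/^/    /'
        return 1
    fi
    return 0
}

log=$(mktemp)
write_sample_log "$log"
triage "$log" || echo 'verdict: manual update required'
rm -f "$log"
```

Before relying on the real configuration, a dry run with sudo unattended-upgrade --dry-run -d shows what a scheduled run would do without installing anything; the log lines it produces are the same ones this script reads.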

Canonical Livepatch Service

The Canonical Livepatch Service, also known as Livepatch, is a service provided by Canonical (the company behind Ubuntu).

It enables patches for the currently running Linux kernel to be applied live.

This means the patch becomes active immediately without the need to reboot the server.

This is particularly beneficial for production environments that need to run without any downtime.

Considerations

Before we activate Livepatch on our server, there is some important information I’d like to share with you.

Livepatch is designed to fix serious security issues in the Linux kernel.

However, due to certain limitations, some parts of the kernel cannot be patched while the server is running.

In such cases, a traditional kernel upgrade and reboot might still be required.

A number of other software components can also require a reboot after being updated.

And the crucial point to note is that enabling Livepatch does not enable automatic security updates.

This is clearly mentioned in the Livepatch documentation, and Canonical itself recommends using Unattended Upgrades for automatic security updates, as we did earlier.

Let me simplify this for you:

  • Unattended Upgrades runs once a day and, by default, installs security updates, including kernel updates that can’t be livepatched.
  • Livepatch runs multiple times a day but only patches high and critical kernel vulnerabilities.

Now, let’s activate Livepatch on our server.

Activating

To use Livepatch, an account with Ubuntu Pro is necessary.

Additionally, each account is limited to using Livepatch on five machines.

It doesn’t matter whether it is a desktop computer, a server, or a virtual installation of Ubuntu (a virtual machine).

A paid license is required for more machines.

Now, go to the Ubuntu Pro website and click on the Get Ubuntu Pro Now button.

You will be asked to specify who will use this subscription.

Choose Myself and click on Register to create an account.

Once you are finished, go to the dashboard, which should look something like this:

Now, copy your token and run this command on your server:

sudo pro attach <token>
Output
...
This machine is now attached to 'Ubuntu Pro - free personal subscription'

SERVICE          ENTITLED  STATUS       DESCRIPTION
anbox-cloud      yes       disabled     ...
esm-apps         yes       enabled      ...
esm-infra        yes       enabled      ...
fips-preview     yes       disabled     ...
fips-updates     yes       disabled     ...
livepatch        yes       enabled      Canonical Livepatch service
realtime-kernel* yes       disabled     ...
usg              yes       disabled     ...

 * Service has variants
...

Livepatch is now enabled on our server.

You can check the Livepatch status at any time using this command:

sudo canonical-livepatch status --verbose

For more details, I suggest referring to the Livepatch documentation.

Conclusion and Final Thoughts

Great job reaching the end!

In this guide, you’ve learned how to manually update, set up automatic security updates, and activate the Canonical Livepatch Service.

However, there’s more to securing Linux servers — advanced measures that I’ve covered comprehensively in my complete server security and hardening guide.

It’s a collection of all security and hardening measures with links to detailed guides for each.

By following these guides one by one, your server will be thoroughly secured.

If you found value in this guide or have any questions or feedback, please don’t hesitate to share your thoughts in the comments section below.

Your input is greatly appreciated, and you can also contact me directly if you prefer.
