Setup Automatic Security Updates on Ubuntu 17.04 | 17.10

When managing Ubuntu servers your #1 priority should be to install any and all security updates. Linux systems, including Ubuntu may be known as secure, but there’s always going to be vulnerabilities.

These vulnerabilities are patched regularly via security updates from Ubuntu repositories. If you don’t want bad guys to slip through the cracks, you may want to enable automatic security updates on your Ubuntu servers.

This brief tutorial shows students and new users how to configure Ubuntu 17.04 | 17.10 servers to receive security updates automatically. After configuring, the Ubuntu servers will automatically download and apply all security updates without user intervention.

To make this work, follow the guide below:

Step 1: Install Ubuntu Unattended Upgrade Package

To enable Ubuntu to automatically install security updates always, you must install its unattended upgrade packages. To install run the commands below.

sudo apt update
sudo apt install unattended-upgrades

Step 2: Configure Ubuntu

Now that the package is installed, run the commands below to open the unattended upgrade configuration file. The lines in the file apply each update channel. Security, regular software update and patches, backports and proposed packages have their own channels.

To only install the security update automatically, you must comment // out all the other channels so they don’t install new updates without you knowing. On a critical production server, you don’t want your packages to upgrade automatically.. so make sure to comment other channels that are not security.

To open the configuration file, run the commands below.

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

The content of the file should look like this:

Unattended-Upgrade::Allowed-Origins {
 //      "${distro_id}:${distro_codename}";
         "${distro_id}:${distro_codename}-security";
         // Extended Security Maintenance; doesn't necessarily exist for
         // every release and this system may not have it installed, but if
         // available, the policy for updates is such that unattended-upgrades
         // should also install from here by default.
 //      "${distro_id}ESM:${distro_codename}";
 //      "${distro_id}:${distro_codename}-updates";
 //      "${distro_id}:${distro_codename}-proposed";
 //      "${distro_id}:${distro_codename}-backports";
 };

Comment out all the other channels and only keep security.

In the same file, you can choose to block packages that should not be upgraded unattended. You can add those packages on each line as shown below

Unattended-Upgrade::Package-Blacklist {
         "vim";
         "nginx";
         "mariadb-server";
 //      "libc6";
 //      "libc6-dev";
 //      "libc6-i686";
 };

Save the file and exit

Step 3: Enable Auto Updates

Now that the file is configured, run the commands below to open the unattended upgrades parameters.

sudo nano /etc/apt/apt.conf.d/20auto-upgrades

Then edit the lines below with their respective values.

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::Download-Upgradeable-Packages "1";

Save the file and exit.

Restart and you’re done.

This is how to configure Ubuntu servers to automatically install and apply security updates

Enjoy!

You may also like the post below:

Migrate WordPress Blogs from Nginx to Apache2 on Ubuntu 17.04 | 17.10