When managing Ubuntu servers, your #1 priority should be to install any and all security updates. Linux systems, including Ubuntu, may be known as secure, but there are always going to be vulnerabilities.
These vulnerabilities are patched regularly via security updates from Ubuntu repositories. If you don’t want bad guys to slip through the cracks, you may want to enable automatic security updates on your Ubuntu servers.
This brief tutorial shows students and new users how to configure Ubuntu 17.04 | 17.10 servers to receive security updates automatically. After configuring, the Ubuntu servers will automatically download and apply all security updates without user intervention.
To make this work, follow the guide below:
Step 1: Install Ubuntu Unattended Upgrade Package
To have Ubuntu install security updates automatically, you must install the unattended-upgrades package. To install it, run the commands below.
sudo apt update
sudo apt install unattended-upgrades
Step 2: Configure Ubuntu
Now that the package is installed, open the unattended upgrade configuration file. Each line in the file corresponds to an update channel: security, regular software updates and patches, backports, and proposed packages each have their own channel.
To install only the security updates automatically, you must comment out (//) all the other channels so they don't install new updates without you knowing. On a critical production server, you don't want your packages to upgrade automatically, so make sure to comment out the other channels that are not security.
To open the configuration file, run the command below.
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
The content of the file should look like this:
Unattended-Upgrade::Allowed-Origins {
//      "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        // Extended Security Maintenance; doesn't necessarily exist for
        // every release and this system may not have it installed, but if
        // available, the policy for updates is such that unattended-upgrades
        // should also install from here by default.
//      "${distro_id}ESM:${distro_codename}";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};
Comment out all the other channels and only keep security.
In the same file, you can choose to block packages that should not be upgraded unattended. Add those packages, one per line, as shown below:
Unattended-Upgrade::Package-Blacklist {
        "vim";
        "nginx";
        "mariadb-server";
//      "libc6";
//      "libc6-dev";
//      "libc6-i686";
};
Save the file and exit.
Step 3: Enable Auto Updates
Now that the file is configured, run the command below to open the unattended upgrades parameters.
sudo nano /etc/apt/apt.conf.d/20auto-upgrades
Then edit the lines below with their respective values.
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::Download-Upgradeable-Packages "1";
Save the file and exit.
Restart and you’re done.
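To confirm that only the security channel is active after these steps, the script below parses the two files and flags any other uncommented origin or a missing periodic setting. It is an added example, not part of the original tutorial or of the unattended-upgrades package; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the two apt configuration files edited above.
# Function names are illustrative, not part of unattended-upgrades.

# Print each uncommented entry of the Allowed-Origins block in file $1.
active_origins() {
    awk '
        /^[ \t]*Unattended-Upgrade::Allowed-Origins[ \t]*[{]/ { blk = 1; next }
        blk && /^[ \t]*[}];/ { blk = 0 }
        blk && /^[ \t]*"/ { sub(/^[ \t]*"/, ""); sub(/".*$/, ""); print }
    ' "$1"
}

# Print the value of APT::Periodic::$2 in file $1 (commented lines are skipped).
periodic_value() {
    awk -v key="APT::Periodic::$2" '$1 == key { gsub(/[";]/, "", $2); print $2 }' "$1"
}

# Return 0 only if security is the sole active origin and both timers are "1".
audit() {
    rc=0
    origins=$(active_origins "$1")
    extra=$(printf '%s\n' "$origins" | grep -v -e '-security$' -e '^$' || true)
    [ -z "$extra" ] || { echo "WARN: non-security origins active: $extra"; rc=1; }
    printf '%s\n' "$origins" | grep -q -e '-security$' ||
        { echo "WARN: security origin is not active"; rc=1; }
    for k in Update-Package-Lists Unattended-Upgrade; do
        [ "$(periodic_value "$2" "$k")" = "1" ] ||
            { echo "WARN: APT::Periodic::$k is not \"1\""; rc=1; }
    done
    return "$rc"
}

# Constructed sample: the -updates origin was left uncommented by mistake.
tmp=$(mktemp -d)
cat > "$tmp/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
//      "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        "${distro_id}:${distro_codename}-updates";
};
EOF
cat > "$tmp/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
audit "$tmp/50unattended-upgrades" "$tmp/20auto-upgrades" || echo "audit failed"
rm -rf "$tmp"
```

On a real server, call audit with /etc/apt/apt.conf.d/50unattended-upgrades and /etc/apt/apt.conf.d/20auto-upgrades as its two arguments.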
This is how to configure Ubuntu servers to automatically install and apply security updates.
Enjoy!