Updated Thursday, March 9, 2023, by HackerSploit
This guide was written for Debian.
Keeping your system up-to-date with the latest packages and security updates can be a tedious task. Most users forget to do it, leaving them vulnerable to countless threats. Automate security (and other package) updates with the utility Unattended Upgrades on Debian.
Before You Begin
- Complete the Getting Started guide.
- Follow the Setting Up and Securing a Compute Instance guide to create a standard user account, and harden SSH access.
- Log into your Linode via SSH and update and upgrade.
sudo apt update && sudo apt upgrade
Note
This guide is written for a non-root user. Commands that require elevated privileges are prefixed with sudo. If you’re not familiar with the sudo command, see our Users and Groups guide.
Install Unattended Upgrades
You can set up automated security updates on Debian by installing a helpful utility called unattended-upgrades.
- Install it by running the following command:
sudo apt install unattended-upgrades
- After the installation completes, you can enable and start the unattended-upgrades service by running the following commands:
sudo systemctl enable unattended-upgrades
sudo systemctl start unattended-upgrades
This ensures that the service runs on system startup and is persistent throughout.
- You now need to make changes to the configuration file. The default configuration file can be found at /etc/apt/apt.conf.d/50unattended-upgrades. Open it with the text editor of your choice.
Note
The unattended-upgrades package ignores lines that start with //, as that line is considered to be a comment. Therefore, if you want a repository to update automatically, you need to remove // from that line.
- In our example, remove // from the “security” line if it’s there: "origin=Debian,codename=${distro_codename},label=Debian-Security";. This section should look like the following:
...
Unattended-Upgrade::Origins-Pattern {
    // Codename based matching:
    // This will follow the migration of a release through different
    // archives (e.g. from testing to stable and later oldstable).
    // Software will be the latest available for the named release,
    // but the Debian release itself will not be automatically upgraded.
    // "origin=Debian,codename=${distro_codename}-updates";
    // "origin=Debian,codename=${distro_codename}-proposed-updates";
    "origin=Debian,codename=${distro_codename},label=Debian";
    "origin=Debian,codename=${distro_codename},label=Debian-Security";
    // Archive or Suite based matching:
    // Note that this will silently match a different release after
    // migration to the specified archive (e.g. testing becomes the
    // new stable).
    // "o=Debian,a=stable";
    // "o=Debian,a=stable-updates";
    // "o=Debian,a=proposed-updates";
    // "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports";
};
...
Enabling Automatic Upgrades
To enable automatic updates, create a new auto-upgrades file, /etc/apt/apt.conf.d/20auto-upgrades, using the text editor of your choice.
This file allows you to define how often the auto updates take place.
File: /etc/apt/apt.conf.d/20auto-upgrades
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
- Update-Package-Lists: 1 enables auto-update, 0 disables.
- Unattended-Upgrade: 1 enables auto-upgrade, 0 disables.
- AutocleanInterval: Enables auto clean packages for X days. The above configuration specifies 7 days.
  - For example, APT::Periodic::AutocleanInterval "7"; means that the system clears the download archive every seven days.
Testing The Configuration
You can perform a dry run to test the configuration. The dry run command runs a test update but no actual changes take place.
You can run the dry run test by using the command:
sudo unattended-upgrades --dry-run --debug
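The dry run shows what would be upgraded, but not whether the security origin was left commented out or the periodic jobs were left disabled. The script below is an added example, not part of the original guide or of the unattended-upgrades package. The function names and the sample files are constructed for illustration, and the parser assumes only whole-line // comments, as described above.

```bash
# Added example: audit helper, not part of the unattended-upgrades package.
# Print the active Origins-Pattern entries of file $1. Lines that start with
# // are skipped, matching the comment rule described in the guide.
active_origins() {
    awk '
        /^[ \t]*\/\// { next }
        /Unattended-Upgrade::Origins-Pattern/ { inblock = 1; next }
        inblock && /^[ \t]*[}]/ { inblock = 0 }
        inblock && /"/ { sub(/^[ \t]+/, ""); print }
    ' "$1"
}

# Print the value of APT::Periodic::$2 from file $1, or 0 when it is not set.
periodic_value() {
    awk -v key="APT::Periodic::$2" '
        /^[ \t]*\/\// { next }
        $1 == key { v = $2; gsub(/[";]/, "", v); print v; found = 1; exit }
        END { if (!found) print "0" }
    ' "$1"
}

# Return 0 only if the security origin is active and both periodic jobs are on.
audit_unattended() {
    rc=0
    active_origins "$1" | grep -q 'label=Debian-Security";' ||
        { echo "FAIL: Debian-Security origin is commented out or missing"; rc=1; }
    for key in Update-Package-Lists Unattended-Upgrade; do
        [ "$(periodic_value "$2" "$key")" != "0" ] ||
            { echo "FAIL: APT::Periodic::$key is 0 or unset"; rc=1; }
    done
    return "$rc"
}

# Constructed sample files: in "bad" the security line is still commented out.
demo=$(mktemp -d)
printf '%s\n' 'Unattended-Upgrade::Origins-Pattern {' \
    '        "origin=Debian,codename=${distro_codename},label=Debian";' \
    '//      "origin=Debian,codename=${distro_codename},label=Debian-Security";' \
    '};' > "$demo/bad"
sed 's|^//||' "$demo/bad" > "$demo/good"
printf '%s\n' 'APT::Periodic::Update-Package-Lists "1";' \
    'APT::Periodic::Unattended-Upgrade "1";' > "$demo/periodic"

audit_unattended "$demo/bad" "$demo/periodic" || echo "bad sample rejected"
audit_unattended "$demo/good" "$demo/periodic" && echo "good sample passes"
```

On a real system, pass /etc/apt/apt.conf.d/50unattended-upgrades and /etc/apt/apt.conf.d/20auto-upgrades to audit_unattended instead of the sample files.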
This page was originally published on Thursday, October 22, 2020.