LowEndBox

Hosting Websites on Bare Minimum VPS/Dedicated Servers

How to Configure Ubuntu VPS for Automatic Security Updates

Date/Time: February 27, 2016 @ 6:56 pm, by Jarland Donnell

Security risks are discovered each and every day. How can you know that your VPS is protected against the latest threats?

One of the best methods of keeping your server safe is to implement automatic updates within Ubuntu.

At first glance, this could seem like a difficult task. If you have several virtual private servers under your supervision, the task can seem unmanageable.

As a result, we’ve created an easy to use guide for setting up unattended-upgrades and automatic updates on your Ubuntu VPS.

Getting Familiar with Unattended-Upgrades on Ubuntu

The unattended-upgrades package can be used to automatically install package updates. Administrators can choose between updating all packages on a system or they can elect to install security updates only.

To get started, install the package by entering the following in a terminal:

> sudo apt-get install unattended-upgrades

Once the installation is complete, you must enable it. Type the following, then select Yes in the interactive menu:

> sudo dpkg-reconfigure -plow unattended-upgrades

To configure unattended-upgrades, edit /etc/apt/apt.conf.d/50unattended-upgrades and adjust the following to fit your needs:

/etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Allowed-Origins {
//"${distro_id} stable";
"${distro_id} ${distro_codename}-security";
//"${distro_id} ${distro_codename}-updates";
};

In the above example, we are only installing the security updates.

The “//” in front of a line denotes that the line is commented out. When you remove the “//”, the line becomes active.

What About Blacklisting Specific Update Packages?

Certain packages can be blacklisted, which prevents the automatic update process from occurring. To blacklist a package, add it to the list:

Unattended-Upgrade::Package-Blacklist {
//  "vim";
//  "libc6";
//  "libc6-dev";
//  "libc6-i686";
};

You may need to remove the “//” from the line so that the system doesn’t see the line as a comment, as noted above.

Configuring Automatic Updates on your Ubuntu VPS

To enable automatic updates, you will need to edit /etc/apt/apt.conf.d/10periodic and set the appropriate apt configuration options.

The configuration below will allow your system to update the package list, download the upgradeable packages, and install the upgrades available on your system.

The following settings will check for updates every day while cleaning out the local download archive each week.

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

The results of unattended-upgrades will be logged to /var/log/unattended-upgrades.
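
To confirm that the settings above are actually in effect, the following added example (not part of the original tutorial) audits an apt.conf.d directory for three common failures: typographic quotes pasted from a web page, a periodic setting that is unset or overridden by a later file, and a security origin that is still commented out. The function names and FAIL labels are made up for this example, and the sample files are constructed.

```shell
# Added example: audit an apt.conf.d directory for the settings this guide
# relies on. Prints one FAIL line per problem; returns non-zero if any found.

# Active (non-"//") lines of every file, in the lexical order apt reads them.
active_lines() {
    cat "$1"/* 2>/dev/null | grep -v '^[[:space:]]*//'
}

# Effective value of APT::Periodic::<key>. The last assignment wins, so a
# later file such as 20auto-upgrades overrides 10periodic.
periodic_value() {
    active_lines "$1" |
        sed -n "s/^[[:space:]]*APT::Periodic::$2[[:space:]]*\"\([^\"]*\)\";.*/\1/p" |
        tail -n 1
}

audit_apt_conf() {
    dir=$1 rc=0
    # Typographic quotes (U+201C/U+201D) copied from a web page are not the
    # ASCII double quotes that apt.conf expects around values.
    lq=$(printf '\342\200\234') rq=$(printf '\342\200\235')
    for f in "$dir"/*; do
        if grep -q -e "$lq" -e "$rq" "$f" 2>/dev/null; then
            echo "FAIL curly-quotes $(basename "$f")"; rc=1
        fi
    done
    for key in Update-Package-Lists Unattended-Upgrade; do
        val=$(periodic_value "$dir" "$key")
        case $val in
            ''|0) echo "FAIL periodic $key=${val:-unset}"; rc=1 ;;
        esac
    done
    # The security pocket must appear on an uncommented Allowed-Origins line.
    if ! active_lines "$dir" | grep -q -e '-security";'; then
        echo "FAIL no-security-origin"; rc=1
    fi
    return $rc
}

# Constructed sample: a valid 10periodic that a later file switches off again.
demo=$(mktemp -d)
printf '%s\n' 'APT::Periodic::Update-Package-Lists "1";' \
    'APT::Periodic::Unattended-Upgrade "1";' > "$demo/10periodic"
printf '%s\n' 'APT::Periodic::Unattended-Upgrade "0";' > "$demo/20auto-upgrades"
printf '%s\n' 'Unattended-Upgrade::Allowed-Origins {' \
    '//  "${distro_id} ${distro_codename}-security";' '};' > "$demo/50unattended-upgrades"
audit_apt_conf "$demo" || true
rm -rf "$demo"
```

On a real server, call `audit_apt_conf /etc/apt/apt.conf.d`; running `sudo unattended-upgrade --dry-run --debug` afterwards shows what the next run would install without changing anything.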

Getting VPS Update Notifications via Email

When you set up Ubuntu to update automatically, it’s good practice to have the system send an email when an update is performed.

Assuming you have Postfix or another MTA installed, you’d do the following:

Go to Unattended-Upgrade::Mail in /etc/apt/apt.conf.d/50unattended-upgrades and add the following line at the end of the file:

Unattended-Upgrade::Mail "whatever@yourdomain.com";

Did this tutorial help you out? Please let us know in the comments section below.

(Tutorial written by a valued contributor)

10 Comments

  1. nice post, i will use

    February 28, 2016 @ 1:04 pm | Reply
  2. Igor:

    Debian please.

    February 29, 2016 @ 9:21 am | Reply
    • Nick L:

      Debian is the same way.

      Just apt-get install unattended-upgrades
      dpkg-reconfigure unattended-upgrades and select yes
      and that’s it – it’s automatically set up for you

      February 29, 2016 @ 12:56 pm | Reply
  3. SyedTech:

    Nice post.
    I use CentOS. Is there a way to do such a task in CentOS?

    February 29, 2016 @ 10:36 pm | Reply
    • mike:

      Yeah… reformat and put on Ubuntu.

      March 3, 2016 @ 2:50 am | Reply
  4. 阿福:

    What about a RHEL-based OS, like CentOS?

    March 2, 2016 @ 11:09 am | Reply
  5. mike:

    Yeah… reformat and put on Ubuntu. :)

    March 3, 2016 @ 2:50 am | Reply
  6. Mike:

    What about the good old “apt-get update && apt-get upgrade -y” added to crontab?

    March 6, 2016 @ 7:37 pm | Reply
    • aglodek:

      That will do the job, too. Except for the fine grain config and email notification, that is ;)

      Great, useful tutorial, thanks Jar :)

      March 26, 2016 @ 9:09 pm | Reply
  7. Thank you so much for the easy-to-follow instructions. It really helped me a lot to learn about Ubuntu.

    June 12, 2016 @ 10:37 am | Reply
  8. Great post! thank you for the tutorial bro :)

    July 17, 2016 @ 12:53 pm | Reply
  9. Great post! thanks for the tutorial bro :)

    July 17, 2016 @ 12:54 pm | Reply
