Configuring Automated Security Updates on Debian


Keeping a system current with the latest packages and security fixes is tedious, and a host that is not patched stays exposed to every vulnerability that upstream has already fixed. On Debian you can automate security (and, if you choose, other package) updates with the unattended-upgrades utility.

Before You Begin

  1. Complete the Getting Started guide.

  2. Follow the Setting Up and Securing a Compute Instance guide to create a standard user account, and harden SSH access.

  3. Log into your Linode via SSH, refresh the package lists and upgrade the installed packages:

    sudo apt update && sudo apt upgrade
    
Note
This guide is written for a non-root user. Commands that require elevated privileges are prefixed with sudo. If you’re not familiar with the sudo command, see our Users and Groups guide.

Install Unattended Upgrades

You can set up automated security updates on Debian by installing the unattended-upgrades package.

  1. Install it by running the following command:

    sudo apt install unattended-upgrades
    
  2. The package ships a oneshot unattended-upgrades.service. It does not perform the upgrades itself; its job is to let a run that is already in progress finish cleanly when the system shuts down. It is normally enabled on installation, and enabling and starting it explicitly is harmless:

    sudo systemctl enable unattended-upgrades
    
    sudo systemctl start unattended-upgrades
    

    The daily runs themselves are triggered by two systemd timers: apt-daily.timer refreshes the package lists and apt-daily-upgrade.timer runs the upgrade. Both are enabled by default on Debian; confirm they are active (systemctl list-timers shows them), because nothing is installed automatically without them.

  3. Next, edit the main configuration file, /etc/apt/apt.conf.d/50unattended-upgrades, with the text editor of your choice.

Note
This file uses APT's configuration syntax: everything after // on a line is a comment and is ignored, so an origin or option that is commented out has no effect. To make a repository eligible for automatic upgrades, remove the leading // from its line.

  4. In this example, make sure the Debian-Security origin is active: if the line "origin=Debian,codename=${distro_codename},label=Debian-Security"; starts with //, remove it (on a stock Debian install it is already uncommented). Only packages coming from an origin listed in this section are upgraded. The section should look like the following:

    File: /etc/apt/apt.conf.d/50unattended-upgrades
    ...
    
    Unattended-Upgrade::Origins-Pattern {
            // Codename based matching:
            // This will follow the migration of a release through different
            // archives (e.g. from testing to stable and later oldstable).
            // Software will be the latest available for the named release,
            // but the Debian release itself will not be automatically upgraded.
    //      "origin=Debian,codename=${distro_codename}-updates";
    //      "origin=Debian,codename=${distro_codename}-proposed-updates";
            "origin=Debian,codename=${distro_codename},label=Debian";
            "origin=Debian,codename=${distro_codename},label=Debian-Security";
    
            // Archive or Suite based matching:
            // Note that this will silently match a different release after
            // migration to the specified archive (e.g. testing becomes the
            // new stable).
    //      "o=Debian,a=stable";
    //      "o=Debian,a=stable-updates";
    //      "o=Debian,a=proposed-updates";
    //      "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports";
    };
    
    ...

Blacklisting Packages

The Unattended-Upgrade::Package-Blacklist section of the configuration file holds packages that must never be upgraded automatically. Each entry is a Python regular expression matched against the beginning of the package name, so a bare "apache2" also holds back apache2-bin, apache2-data and every other package whose name starts with apache2; end the pattern with $ to match exactly one package. Use the list sparingly: a blacklisted package no longer receives security fixes automatically, so you are taking on the job of patching it by hand.

To block upgrades for specific packages, add their names to the list. In this example, add "apache2" and "vim":

File: /etc/apt/apt.conf.d/50unattended-upgrades
...

Unattended-Upgrade::Package-Blacklist {
    // The following matches all packages starting with linux-
//  "linux-";
    "apache2";
    "vim";
    // Use $ to explicitly define the end of a package name. Without
    // the $, "libc6" would match all of them.
//  "libc6$";
//  "libc6-dev$";
//  "libc6-i686$";

    // Special characters need escaping
//  "libstdc\+\+6$";

    // The following matches packages like xen-system-amd64, xen-utils-4.1,
    // xenstore-utils and libxenstore3.0
//  "(lib)?xen(store)?";

    // For more information about Python regular expressions, see
    // https://docs.python.org/3/howto/regex.html
};

...
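As an added example (not the guide's own code and not code from the unattended-upgrades project), the matching rule described in the file's comments is reproduced below in Python: each blacklist entry is tried with re.match against the package name, so it only has to match at the start. The patterns are the ones shown above; the package names are constructed for the demonstration and are not read from a real apt cache. The function names is_blacklisted and held_back are the example's own.

```python
"""
Added example: reproduce the Package-Blacklist matching rule documented in
the stock 50unattended-upgrades comments. Each entry is a Python regular
expression anchored at the start of the package name (re.match), which is
why "linux-" blocks every linux-* package and why "$" is needed to pin
"libc6" to exactly libc6. This is a re-implementation for illustration,
not the project's own code.
"""
import re

# The guide's two entries plus the commented-out patterns from the stock
# file, so their combined effect can be seen side by side.
BLACKLIST = ["apache2", "vim", "libc6$", r"libstdc\+\+6$", "(lib)?xen(store)?"]

# Constructed package names for the demo, not taken from a real apt cache.
CANDIDATES = ["apache2", "apache2-bin", "vim", "vim-tiny", "libc6",
              "libc6-dev", "libstdc++6", "xen-utils-4.1", "libxenstore3.0",
              "openssl"]


def is_blacklisted(pkgname, blacklist=BLACKLIST):
    """Return the first pattern that blocks pkgname, or None if none does.

    re.match only anchors at the beginning of the name; it does not require
    the pattern to consume the whole name, so "apache2" also hits apache2-bin.
    """
    for pattern in blacklist:
        if re.match(pattern, pkgname):
            return pattern
    return None


def held_back(candidates=CANDIDATES, blacklist=BLACKLIST):
    """Map each candidate that would be held back to the pattern responsible."""
    result = {}
    for name in candidates:
        pattern = is_blacklisted(name, blacklist)
        if pattern is not None:
            result[name] = pattern
    return result


if __name__ == "__main__":
    print("Broad patterns as written in the guide:")
    for name, pattern in held_back().items():
        print("  %-16s held back by %r" % (name, pattern))
    # Tightened form: only the two named packages, nothing in their families.
    print("Exact patterns (apache2$, vim$):")
    for name, pattern in held_back(blacklist=["apache2$", "vim$"]).items():
        print("  %-16s held back by %r" % (name, pattern))
```

The security point the output makes: with the guide's bare "apache2", apache2-bin, the package that actually contains the httpd binary, also stops receiving security fixes. Unless you mean to freeze the whole family, write apache2$ and vim$.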

Deleting Dependencies

You can have the unattended-upgrades service clean up after itself by setting the Remove-Unused-Kernel-Packages, Remove-New-Unused-Dependencies and Remove-Unused-Dependencies options to true. Remember to remove the leading // to uncomment these lines. In current versions the first two already default to true when their lines are commented out; Remove-Unused-Dependencies defaults to false because it runs the equivalent of apt-get autoremove after every upgrade, which removes any package that is marked as automatically installed and is no longer depended on, including libraries or tools you still use. Before enabling it, mark anything you rely on as manually installed (apt-mark manual <package>) so that autoremove leaves it alone.

File: /etc/apt/apt.conf.d/50unattended-upgrades
...

// Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools).
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";

// Do automatic removal of newly unused dependencies after the upgrade
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";

// Do automatic removal of unused packages after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "true";

...

Enabling Automatic Upgrades

To turn on the periodic runs, create /etc/apt/apt.conf.d/20auto-upgrades with the text editor of your choice (running sudo dpkg-reconfigure -plow unattended-upgrades writes the same file for you).

This file defines how often apt-daily.timer refreshes the package lists and how often apt-daily-upgrade.timer runs unattended-upgrades. Each value is an interval in days; 0 disables that task.

File: /etc/apt/apt.conf.d/20auto-upgrades
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
  • Update-Package-Lists: run apt update every N days ("1" = daily, "0" = never).
  • Unattended-Upgrade: run unattended-upgrades every N days ("1" = daily, "0" = never). Without this line no upgrades are installed, whatever 50unattended-upgrades says.
  • AutocleanInterval: run apt autoclean every N days to drop packages that can no longer be downloaded from the archive cache.
    • For example, APT::Periodic::AutocleanInterval "7"; means that the system clears obsolete packages from the download archive every seven days.
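The following added example (not code from the guide and not from unattended-upgrades itself) reads the two fragments this guide edits, 50unattended-upgrades with its Origins-Pattern and Package-Blacklist lists and 20auto-upgrades with its APT::Periodic values, and reports whether the Debian-Security origin is actually active and whether a periodic run is scheduled. It understands only the subset of APT's configuration syntax these files use (// comments, "value" scalars and braced lists). The fragment texts, the codename "bookworm" and the function names are constructed for the example.

```python
"""
Added example, not the guide's or the project's own code.

Parses the subset of APT configuration syntax used by
/etc/apt/apt.conf.d/50unattended-upgrades and 20auto-upgrades:
    //  comment to end of line   (APT also accepts # and /* */; not handled)
    Key "value";                 scalar
    Key { "item"; "item"; };     list (these files do not nest blocks)
and reports the settings that decide whether security updates get installed.
"""
import re

_LIST_RE = re.compile(r'([\w:\-]+)\s*\{(.*?)\};', re.S)
_SCALAR_RE = re.compile(r'([\w:\-]+)\s+"([^"]*)"\s*;')
_ITEM_RE = re.compile(r'"([^"]*)"\s*;')


def strip_comments(text):
    """Drop everything from // to the end of each line (no quoting awareness)."""
    return "\n".join(line.split("//", 1)[0] for line in text.splitlines())


def parse_apt_conf(text):
    """Return a dict: list keys map to lists of strings, scalar keys to strings."""
    conf = {}
    text = strip_comments(text)

    def take_list(match):
        conf[match.group(1)] = _ITEM_RE.findall(match.group(2))
        return ""  # blank the block so its items are not re-read as scalars

    rest = _LIST_RE.sub(take_list, text)
    for key, value in _SCALAR_RE.findall(rest):
        conf[key] = value
    return conf


def security_origin_enabled(conf, codename):
    """True if Origins-Pattern holds the codename-based Debian-Security entry."""
    wanted = "origin=Debian,codename=%s,label=Debian-Security" % codename
    patterns = [p.replace("${distro_codename}", codename)
                for p in conf.get("Unattended-Upgrade::Origins-Pattern", [])]
    return wanted in patterns


def periodic_days(conf, task):
    """APT::Periodic::<task> interval in days; 0 means disabled or unset."""
    return int(conf.get("APT::Periodic::" + task, "0"))


def audit(unattended_text, periodic_text, codename):
    """Summarise the effective state from both fragments."""
    conf = parse_apt_conf(unattended_text)
    conf.update(parse_apt_conf(periodic_text))
    return {
        "security_origin": security_origin_enabled(conf, codename),
        "update_lists_days": periodic_days(conf, "Update-Package-Lists"),
        "unattended_upgrade_days": periodic_days(conf, "Unattended-Upgrade"),
        "blacklist": conf.get("Unattended-Upgrade::Package-Blacklist", []),
    }


# Constructed fragments for the demo, not copied from a real host.
# Weak: the security origin is commented out and 20auto-upgrades is missing,
# so nothing would ever be installed automatically.
WEAK_50 = """\
Unattended-Upgrade::Origins-Pattern {
        // Codename based matching:
        "origin=Debian,codename=${distro_codename},label=Debian";
//      "origin=Debian,codename=${distro_codename},label=Debian-Security";
};
Unattended-Upgrade::Package-Blacklist {
//  "linux-";
};
"""
WEAK_20 = ""

# Corrected: security origin active, one exact-match blacklist entry, and a
# 20auto-upgrades file that schedules daily list refreshes and upgrades.
FIXED_50 = """\
Unattended-Upgrade::Origins-Pattern {
        "origin=Debian,codename=${distro_codename},label=Debian";
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
};
Unattended-Upgrade::Package-Blacklist {
    "apache2$";
};
"""
FIXED_20 = """\
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
"""

if __name__ == "__main__":
    for name, f50, f20 in (("weak", WEAK_50, WEAK_20), ("fixed", FIXED_50, FIXED_20)):
        print(name, audit(f50, f20, "bookworm"))
```

To run it against a real host, read the two files from /etc/apt/apt.conf.d/ and pass the codename from /etc/os-release; the dict it returns is what you would expect a configuration check to alert on when security_origin is false or unattended_upgrade_days is 0.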

Testing The Configuration

You can perform a dry run to test the configuration. A dry run resolves and lists the packages unattended-upgrades would install with the current settings, but installs nothing:

sudo unattended-upgrades --dry-run --debug

With --debug the output starts with the origins that were accepted (Allowed origins are: ...) and the blacklist that was loaded, which is the quickest way to confirm that the Debian-Security origin and your blacklist entries were read as intended. Once real runs start, each one is recorded in /var/log/unattended-upgrades/unattended-upgrades.log, with the underlying dpkg output in unattended-upgrades-dpkg.log in the same directory.

One caveat: a new kernel or C library only takes effect after a reboot, and unattended-upgrades never reboots on its own unless Unattended-Upgrade::Automatic-Reboot is set to "true" in 50unattended-upgrades (Unattended-Upgrade::Automatic-Reboot-Time picks the time of day). Without that, a host can have every package patched and still be running the vulnerable kernel until someone reboots it.
