Congrats, your new server is all set up. You likely have your account set up to run commands with sudo, so first things first: let’s apply all outstanding updates (including security patches) for our OS before doing anything else!
Make sure you are logged in as your user and not something like root, and execute the following command (for Debian/Ubuntu):
sudo apt-get update
Apt is the software package manager for Debian and Debian-based systems; it is in charge of maintaining all the software installed on your system, including managing updates when it detects them in the main repositories (repos).
The command above connects to the official (configured) software repos and pulls down a list of all the latest package versions compatible with your install of Debian, but it DOES NOT apply them; that’s the job of another command.
Now that our local copy of the software repo is up to date, let’s ask Apt to figure out which packages can be updated with:
sudo apt-get upgrade
If there are pending updates to apply, you’ll be prompted with a Y/N question if you want to apply them or not – it’s usually a good idea to.
Enable automatic updates
In a server environment, it can be a good idea to automatically check for and apply updates (like security updates) as they come out, rather than requiring you to log in and check.
In the Ubuntu world, automatic updates are referred to as “unattended upgrades”, so you can imagine what the package is called that we need to install 🙂
On my install of Ubuntu 20.04, unattended-upgrades was already installed, and it might be on your install too, so let’s check before we try to install it:
$ apt -qq list unattended-upgrades
unattended-upgrades/focal-updates,now 2.3ubuntu0.1 all [installed]
If the package is already installed, let’s move on to configuration – if you need to install it, it’s a one-liner and very easy to do:
sudo apt-get install unattended-upgrades
Now that you have it installed, let’s move on to making sure it’s set up.
Configuring automatic updates
unattended-upgrades is run as a system service on a schedule; to initiate the (re)configuration of the service and ensure it’s running the way we want it to, run the following command:
sudo dpkg-reconfigure -plow unattended-upgrades
Note: If you are wondering what the -plow option does, it’s actually “-p” and “low”: it tells dpkg-reconfigure to prompt you even for low priority questions. This is the default behavior, but we can force it to make sure it prompts us.
You’ll be presented with some old-school, console ASCII menu graphics like so:

Select Yes and the configuration will be written out.
I strongly recommend modifying the default configuration to ONLY allow security updates automatically; I have broken (non-LTS) servers in the past with automatic updates being applied and it left a bad taste in my mouth.
Let’s open up the config to make a quick change:
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
You’ll want to look for the Unattended-Upgrade::Allowed-Origins section, which is normally the first section. It’ll look something like this:
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";
    // Extended Security Maintenance; doesn't necessarily exist for
    // every release and this system may not have it installed, but if
    // available, the policy for updates is such that unattended-upgrades
    // should also install from here by default.
    "${distro_id}ESMApps:${distro_codename}-apps-security";
    "${distro_id}ESM:${distro_codename}-infra-security";
//  "${distro_id}:${distro_codename}-updates";
//  "${distro_id}:${distro_codename}-proposed";
//  "${distro_id}:${distro_codename}-backports";
};
On my Ubuntu 20.04 LTS install, the default settings are already set for SECURITY-ONLY, which is great, there is no work here for us to do.
If your install looks different, use // to comment out the lines associated with updates, proposed and backports.
Once you are done with changes, save the file and exit.
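To double-check the edit without eyeballing the file, here is a small audit script (an added example, not part of unattended-upgrades itself) that lists any updates, proposed or backports origins still active in the Allowed-Origins block. The function names and the sample config are made up for the demo, and it only understands // comments, which is what the stock file uses.

```shell
#!/bin/sh
# Added example: audit the Allowed-Origins block of an apt.conf.d file.
# Function names are hypothetical; only "//" line comments are recognised.

# Print every active (uncommented) origin pattern in the Allowed-Origins block.
active_origins() {
    awk '
        /^[ \t]*Unattended-Upgrade::Allowed-Origins[ \t]*[{]/ { in_block = 1; next }
        in_block && /^[ \t]*[}];/ { in_block = 0 }
        in_block {
            sub(/^[ \t]+/, "")                 # drop leading indentation
            if (index($0, "//") == 1) next     # commented-out entry or note
            if (match($0, /"[^"]+"/))          # first quoted string is the origin
                print substr($0, RSTART + 1, RLENGTH - 2)
        }
    ' "$1"
}

# Print the active origins that are NOT security-only pockets.
risky_origins() {
    active_origins "$1" | grep -E -- '-(updates|proposed|backports)$' || true
}

# Constructed sample config: "-updates" has been left enabled by mistake.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";
    "${distro_id}:${distro_codename}-updates";
//  "${distro_id}:${distro_codename}-proposed";
//  "${distro_id}:${distro_codename}-backports";
};
EOF

echo "Non-security origins still enabled in sample:"
risky_origins "$SAMPLE"

# On a real server, point it at the file edited above:
#   risky_origins /etc/apt/apt.conf.d/50unattended-upgrades
```

No output from risky_origins means none of those three pockets is enabled for automatic installs.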
If you’d like unattended-upgrades to email you the results of package runs, you’ll need to set up an outgoing email service. There is some more information here to get you started if that is something you want to do.