This tutorial is going to show you how to set up automatic security update, aka unattended upgrades, on Ubuntu 18.04. If you are not living under a cave, then you should have known the massive Equifax data breach. 143 million Equifax customer’s information, including name, social security number, date of birth, driver’s license, 200k credit card numbers, was stolen between May – July 2017.
In march 2017, a critical vulnerability in Apache Structs was found and Apache foundation released a fix for it when they announced existence of the vulnerability. However, Equifax didn’t patch the vulnerability for two months, resulted in the massive data breach. Corporations using complex applications may need to do extensive test before installing updates, but if you have a simple Linux server for personal use, you can turn on automatic security update to patch vulnerabilities ASAP.
Configure Automatic Security Update (Unattended Upgrades) on Ubuntu 18.04 Server
The package unattended-upgrades
is automatically installed when you install Ubuntu 18.04 server. Anyway, you can install it with the following command.
sudo apt update sudo apt install unattended-upgrades
On Ubuntu 16.04, you need to install the update-notifier-common
package in order to set up automatic reboot.
sudo apt install update-notifier-common
Then edit the 50unattended-upgrades
file.
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
In this file, you can configure what packages should be automatically updated. By default, only security update will be automatically installed, as indicated by the following lines. So there’s no need to change this section.
Unattended-Upgrade::Allowed-Origins { "${distro_id}:${distro_codename}"; "${distro_id}:${distro_codename}-security"; // Extended Security Maintenance; doesn't necessarily exist for // every release and this system may not have it installed, but if // available, the policy for updates is such that unattended-upgrades // should also install from here by default. "${distro_id}ESM:${distro_codename}"; // "${distro_id}:${distro_codename}-updates"; // "${distro_id}:${distro_codename}-proposed"; // "${distro_id}:${distro_codename}-backports"; };
- The first origin
"${distro_id}:${distro_codename}"
is necessary because security updates may pull in new dependencies from non-security sources. This origin doesn’t provide software updates. - The third origin
"${distro_id}ESM:${distro_codename}"
is for extended security maintenance, i.e. for those who run an Ubuntu release that reached end of life. You can leave it as is.
Email Notification
If you like to receive email notifications after every security update, then find the following line and uncomment it.
//Unattended-Upgrade::Mail "root";
Then specify your email address like below.
Unattended-Upgrade::Mail "[email protected]";
If you prefer to receive email notifications only on errors, uncomment the following line.
//Unattended-Upgrade::MailOnlyOnError "true";
Auto Remove Unused Dependencies
You probably need to do sudo apt autoremove
after every update, so uncomment the following line and change false
to true
.
//Unattended-Upgrade::Remove-Unused-Dependencies "false";
Change it to this:
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Automatic Reboot
When a security update for the Linux kernel is installed, you need to restart Ubuntu 18.04 server. If the server is only used by you or a few people, then enabling automatic reboot can be convenient. Find the following line.
//Unattended-Upgrade::Automatic-Reboot "false";
Uncomment it and change false
to true
to enable automatic reboot
Unattended-Upgrade::Automatic-Reboot "true";
You can also specify what time reboot will be performed. By default reboot is done immediately after installing kernel update. I set it to reboot in 4 AM. Make sure you set a correct time zone for your server.
Unattended-Upgrade::Automatic-Reboot-Time "04:00";
If the server is being used by many users or requires high uptime (such as this blog), then you shouldn’t enable automatic reboot. Instead, you can use canonical livepatch to patch kernel without rebooting.
Enable Automatic Security Update
Now that automatic security update is configured, we need to enable it by creating the 20auto-upgrades
file.
sudo nano /etc/apt/apt.conf.d/20auto-upgrades
Copy and paste the following two lines into the file.
APT::Periodic::Update-Package-Lists "1"; APT::Periodic::Unattended-Upgrade "1";
- The first line makes
apt
do “apt-get update
” automatically every day. If it’s set to 2, then every other day. (0=disabled) - The second line makes
apt
to install security updates automatically. (1=enabled, 0=disabled)
Save and and close the file.
Setting Up SMTP Relay
In order to receive email notifications after every security update, your server needs to be able to send emails. If this is your email server, then the only thing left to do is install the bsd-mailx
package.
sudo apt install bsd-mailx
If this isn’t an email server, then you need to set up SMTP relay. We can install Postfix SMTP server, then relay emails through Gmail or other email service providers.
Install Postfix on your Ubuntu 18.04 server.
sudo apt install postfix
When you see the following message, press the Tab key and press Enter.
Then choose the second option: Internet Site
.
Next, set the system mail name. You can use the full hostname of your server.
After Postfix is installed, open the configuration file.
sudo nano /etc/postfix/main.cf
Find the following line.
relayhost =
By default, its value is not set. We change it so emails will be relayed through Gmail server.
relayhost = smtp.gmail.com:587
Then add the following lines to the end of this file.
# outbound relay configurations smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd smtp_sasl_security_options = noanonymous smtp_tls_security_level = may header_size_limit = 4096000
Please note that it’s not recommended to put your Gmail credentials directly into /etc/postfix/main.cf
file because every user on the server can use postconf -n
command to dump Postfix configurations to the screen.
By default, Postfix are configured to accept incoming mail. You can configure Postfix to only send email, but accept no incoming email. Find the following line in /etc/postfix/main.cf
file.
inet_interfaces = all
Change it to the following text so Postfix will only listen on localhost.
inet_interfaces = loopback-only
Save and close the file. Then create the /etc/postfix/sasl_passwd
file.
sudo nano /etc/postfix/sasl_passwd
Enter the following lines to the file. (Note that if you enabled two-step verification for your Gmail account, you will need to use an App password instead of the normal password.)
smtp.gmail.com:587 [email protected] YourGmailPassword
Save and close the file. Then create the corresponding hash db file with postmap
.
sudo postmap /etc/postfix/sasl_passwd
Now you should have a file /etc/postfix/sasl_passwd.db
. Restart Postfix for the changes to take effect.
sudo systemctl restart postfix
By default, sasl_passwd
and sasl_passwd.db
file can be read by any user on the server. Change the permission to 600 so only root can read and write to these two files.
sudo chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
Email notifications are sent with mailx
command, which is provided by the bsd-mailx
package.
sudo apt install bsd-mailx
Now you can run the following command to test the SMTP configurations.
echo "this is a test email." | mailx -r from-address -s hello to-address
If SMTP configurations are correct, you will receive an email from your Gmail account.
Email Report
There are 3 possible emails sent by unattended upgrade:
- Unattended upgrade returned: True. This means packages are installed successfully.
- Unattended upgrade returned: False. This means some error happened when installing updates. Usually requires human intervention. If you receive this email, you need to manually run
sudo apt upgrade
. - Unattended upgrade returned: None. There are updates available, but the system refused to install them.
Logs
Logs can be found in /var/log/unattended-upgrades/
directory.
Check Restart
The checkrestart
command can help you find out which processes need to be restarted after an upgrade. It is available from debian-goodies
package.
sudo apt install debian-goodies sudo checkrestart
That’s it! I hope this tutorial helped you set up unattended upgrades on Ubuntu 18.04 server.
Rate this tutorial
[Total: 5 Average: 4.4]