How to keep Debian Linux patched with latest security updates automatically

Last updated August 30, 2017

How do I keep my server/cloud computer powered by Debian Linux 9.x or 8.x current with the latest security updates automatically? Is there a tool that applies security patches automatically?

Yes, you can download and install all security updates/upgrades automatically in the background. The unattended-upgrades tool does this for you: it runs without any interaction and installs security updates as they are published.
Unattended Upgrades

Why do I need an unattended way to install security updates?

Applying updates on a frequent basis is an important part of keeping systems secure. By default, updates need to be applied manually using package management tools. However, you can choose to have Debian automatically download and install important security updates. This guide shows you how to automatically download and install stable updates and security patches for a Debian Linux server.

Installation

Type the following apt command or apt-get command to install the unattended-upgrades package. You also need a traditional, simple command-line mail user agent such as bsd-mailx to get email notifications. The apt-listchanges tool compares a new version of a package with the one currently installed and shows what has changed, by extracting the relevant entries from the Debian changelog and NEWS files; it will email you those changes too. Let us install all of them:
$ sudo apt install unattended-upgrades apt-listchanges bsd-mailx
OR
$ sudo apt-get install unattended-upgrades apt-listchanges bsd-mailx
Sample outputs:

Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages will be REMOVED:
  unattended-upgrades*
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 252 kB disk space will be freed.
Do you want to continue? [Y/n] y
(Reading database ... 28679 files and directories currently installed.)
Removing unattended-upgrades (0.93.1+nmu1) ...
Processing triggers for man-db (2.7.6.1-2) ...
(Reading database ... 28649 files and directories currently installed.)
Purging configuration files for unattended-upgrades (0.93.1+nmu1) ...
dpkg: warning: while removing unattended-upgrades, directory '/var/log/unattended-upgrades' not empty so not removed
Processing triggers for systemd (232-25) ...
# apt-get clean
# apt-get autoclean
Reading package lists... Done
Building dependency tree       
Reading state information... Done
# apt-get install unattended-upgrades apt-listchanges bsd-mailx
Reading package lists... Done
Building dependency tree       
Reading state information... Done
apt-listchanges is already the newest version (3.10).
The following additional packages will be installed:
  exim4-base exim4-config exim4-daemon-light liblockfile1 psmisc
Suggested packages:
  eximon4 exim4-doc-html | exim4-doc-info spf-tools-perl swaks needrestart
The following NEW packages will be installed:
  bsd-mailx exim4-base exim4-config exim4-daemon-light liblockfile1 psmisc unattended-upgrades
0 upgraded, 7 newly installed, 0 to remove and 0 not upgraded.
Need to get 2,298 kB of archives.
After this operation, 4,858 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://mirrors.linode.com/debian stretch/main amd64 liblockfile1 amd64 1.14-1+b1 [15.7 kB]
Get:2 http://security.debian.org/debian-security stretch/updates/main amd64 exim4-config all 4.89-2+deb9u1 [377 kB]
Get:3 http://mirrors.linode.com/debian stretch/main amd64 bsd-mailx amd64 8.1.2-0.20160123cvs-4 [87.0 kB]
Get:4 http://mirrors.linode.com/debian stretch/main amd64 psmisc amd64 22.21-2.1+b2 [123 kB]
Get:5 http://mirrors.linode.com/debian stretch/main amd64 unattended-upgrades all 0.93.1+nmu1 [61.7 kB]
Get:6 http://security.debian.org/debian-security stretch/updates/main amd64 exim4-base amd64 4.89-2+deb9u1 [1,093 kB]
Get:7 http://security.debian.org/debian-security stretch/updates/main amd64 exim4-daemon-light amd64 4.89-2+deb9u1 [541 kB]
Fetched 2,298 kB in 0s (19.5 MB/s)      
Preconfiguring packages ...
Selecting previously unselected package liblockfile1:amd64.
(Reading database ... 28642 files and directories currently installed.)
Preparing to unpack .../0-liblockfile1_1.14-1+b1_amd64.deb ...
Unpacking liblockfile1:amd64 (1.14-1+b1) ...
Selecting previously unselected package exim4-config.
Preparing to unpack .../1-exim4-config_4.89-2+deb9u1_all.deb ...
Unpacking exim4-config (4.89-2+deb9u1) ...
Selecting previously unselected package exim4-base.
Preparing to unpack .../2-exim4-base_4.89-2+deb9u1_amd64.deb ...
Unpacking exim4-base (4.89-2+deb9u1) ...
Selecting previously unselected package exim4-daemon-light.
Preparing to unpack .../3-exim4-daemon-light_4.89-2+deb9u1_amd64.deb ...
Unpacking exim4-daemon-light (4.89-2+deb9u1) ...
Selecting previously unselected package bsd-mailx.
Preparing to unpack .../4-bsd-mailx_8.1.2-0.20160123cvs-4_amd64.deb ...
Unpacking bsd-mailx (8.1.2-0.20160123cvs-4) ...
Selecting previously unselected package psmisc.
Preparing to unpack .../5-psmisc_22.21-2.1+b2_amd64.deb ...
Unpacking psmisc (22.21-2.1+b2) ...
Selecting previously unselected package unattended-upgrades.
Preparing to unpack .../6-unattended-upgrades_0.93.1+nmu1_all.deb ...
Unpacking unattended-upgrades (0.93.1+nmu1) ...
Setting up psmisc (22.21-2.1+b2) ...
Setting up exim4-config (4.89-2+deb9u1) ...
Adding system-user for exim (v4)
Setting up liblockfile1:amd64 (1.14-1+b1) ...
Setting up exim4-base (4.89-2+deb9u1) ...
exim: DB upgrade, deleting hints-db
Processing triggers for libc-bin (2.24-11+deb9u1) ...
Processing triggers for systemd (232-25) ...
Setting up unattended-upgrades (0.93.1+nmu1) ...
 
Creating config file /etc/apt/apt.conf.d/20auto-upgrades with new version
 
Creating config file /etc/apt/apt.conf.d/50unattended-upgrades with new version
Created symlink /etc/systemd/system/multi-user.target.wants/unattended-upgrades.service → /lib/systemd/system/unattended-upgrades.service.
Synchronizing state of unattended-upgrades.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable unattended-upgrades
Processing triggers for man-db (2.7.6.1-2) ...
Setting up exim4-daemon-light (4.89-2+deb9u1) ...
Initializing GnuTLS DH parameter file
Setting up bsd-mailx (8.1.2-0.20160123cvs-4) ...
update-alternatives: using /usr/bin/bsd-mailx to provide /usr/bin/mailx (mailx) in auto mode
Processing triggers for systemd (232-25) ...

Configuration file

You need to edit the file named /etc/apt/apt.conf.d/50unattended-upgrades
$ sudo vi /etc/apt/apt.conf.d/50unattended-upgrades
OR
$ sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
The following stanza in the config file controls which packages are upgraded. With the single active pattern below, only packages from the Debian-Security archive for the running release are installed unattended:

Unattended-Upgrade::Origins-Pattern {
        // Codename based matching:
        // This will follow the migration of a release through different
        // archives (e.g. from testing to stable and later oldstable).
        //      "o=Debian,n=jessie";
        //      "o=Debian,n=jessie-updates";
        //      "o=Debian,n=jessie-proposed-updates";
        //      "o=Debian,n=jessie,l=Debian-Security";
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
};

You can also exclude packages from automatic upgrades (for example nginx or the Linux kernel image):

Unattended-Upgrade::Package-Blacklist {
        "nginx";
        "linux-image*";
};

You need to configure an email address to get email when there is a problem or when packages are upgraded. Of course, you must have a working email setup for this to work:
Unattended-Upgrade::Mail "you@example.com";
Or at least send it to root user on the same system:
Unattended-Upgrade::Mail "root";
Save and close the file. To activate unattended-upgrades, you need to make sure that the apt configuration has the following two lines. Use the cat command to view them:
$ cat /etc/apt/apt.conf.d/20auto-upgrades
Sample outputs:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

It is possible to update or create this file using the following command:
$ sudo dpkg-reconfigure -plow unattended-upgrades
Sample outputs:

Fig.01 Activate unattended-upgrades using command line

Fig.02 Activate unattended-upgrades using command line

Finally edit the file named /etc/apt/listchanges.conf using a text editor such as vim command/nano command:
$ sudo vi /etc/apt/listchanges.conf
Set email address from:
email_address=root
To:
email_address=you@example.com
Save and close the file. For more info see Unattended Upgrades.
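The installation and configuration steps above, collected into one script. This is an added example and not the article's own code: it renders the two apt drop-in files exactly as shown above, checks that 20auto-upgrades enables both periodic jobs and that 50unattended-upgrades allows only the Debian-Security origin, rewrites the email_address line in /etc/apt/listchanges.conf, and, when run as root with --apply, installs the packages and finishes with a dry run. The function names, the --apply switch and the argument layout (mail recipient first, then blacklist patterns) are this example's own; it assumes Debian 8/9 with apt and GNU sed.

```shell
#!/bin/sh
# Added example, not from the article: render, check and (as root, with
# --apply) install the unattended-upgrades setup described above.
# Assumes Debian 8/9 with apt; function names are this example's own.
set -eu

# Body of /etc/apt/apt.conf.d/50unattended-upgrades.
# $1 = mail recipient, remaining args = Package-Blacklist patterns.
render_unattended_conf() {
    mail="$1"; shift
    printf 'Unattended-Upgrade::Origins-Pattern {\n'
    printf '        "origin=Debian,codename=${distro_codename},label=Debian-Security";\n'
    printf '};\n'
    printf 'Unattended-Upgrade::Package-Blacklist {\n'
    for pkg in "$@"; do
        printf '        "%s";\n' "$pkg"
    done
    printf '};\n'
    printf 'Unattended-Upgrade::Mail "%s";\n' "$mail"
}

# Body of /etc/apt/apt.conf.d/20auto-upgrades: both knobs must be "1".
render_auto_upgrades() {
    printf 'APT::Periodic::Update-Package-Lists "1";\n'
    printf 'APT::Periodic::Unattended-Upgrade "1";\n'
}

# Returns 0 when the given 20auto-upgrades file enables both periodic jobs.
periodic_enabled() {
    grep -q '^APT::Periodic::Update-Package-Lists "1";' "$1" &&
    grep -q '^APT::Periodic::Unattended-Upgrade "1";' "$1"
}

# Returns 0 when every active Origins-Pattern entry in the given
# 50unattended-upgrades file carries the Debian-Security label, i.e. only
# security updates are installed unattended; commented (//) lines are ignored.
security_only() {
    ! sed -n '/Origins-Pattern/,/^};/p' "$1" |
        grep '^[[:space:]]*"' | grep -v 'Debian-Security' | grep -q .
}

# Point apt-listchanges at the same recipient: rewrite email_address= in $1.
set_listchanges_mail() {
    sed -i "s|^email_address=.*|email_address=$2|" "$1"
}

# Install the packages, write both drop-ins, verify them and show a dry run.
apply_config() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_config: run as root" >&2; return 1; }
    apt-get install -y unattended-upgrades apt-listchanges bsd-mailx
    render_unattended_conf "$@" > /etc/apt/apt.conf.d/50unattended-upgrades
    render_auto_upgrades > /etc/apt/apt.conf.d/20auto-upgrades
    set_listchanges_mail /etc/apt/listchanges.conf "$1"
    periodic_enabled /etc/apt/apt.conf.d/20auto-upgrades
    security_only /etc/apt/apt.conf.d/50unattended-upgrades
    # Report what the next unattended run would do without changing anything.
    unattended-upgrade --dry-run --debug
}

# Usage: sudo sh this.sh --apply root nginx 'linux-image*'
if [ "${1:-}" = "--apply" ]; then
    shift
    apply_config "$@"
fi
```

The dry run at the end is the check worth keeping after any edit to 50unattended-upgrades: it lists the origins that were allowed and the packages that would be installed, so a pattern that accidentally admits a whole archive shows up before the first real run.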
This entry is 2 of 2 in the Applying Debian Security Updates/Patches series. Keep reading the rest of the series:
  1. How to apply Debian security patches
  2. How to keep Debian Linux patched with latest security updates automatically

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector. Follow him on Twitter, Facebook, Google+.

8 comments

  1. I suppose I could use this to run security updates irrespective of the weekly (every Friday) updates I run (after I disable security updates checking) anyway; I don’t want to have the package lists auto-updated for nothing when I’ll update them manually anyway before I run updates or install something.

  2. However, knowing we’re running Linux, and Linux allows you to change the file you’re running, wouldn’t even security updates be for nothing without rebooting/reloading the file in question, since AFAIK no process is auto-restarted upon a successful update? That’s how I see it.

      1. > Most services restarted when you install updates.

        Some services are restarted. But when libraries have been updated, many services are left running the old code. You may use `needrestart` to check that.
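An added example, written for this page and not part of the article or the comment above, of the check needrestart performs: it walks /proc/<pid>/maps and reports processes that still map a shared library whose file on disk was replaced by an upgrade (the kernel marks such mappings "(deleted)"). The function names and the --scan switch are this example's own; run it as root to see every process, unprivileged to see only your own.

```shell
#!/bin/sh
# Added example, not from the article or the comment above: list processes
# that still map a shared library whose file on disk has been replaced by an
# upgrade. This is the condition needrestart reports. Root sees every process,
# an unprivileged user only their own.
set -eu

# Read /proc/<pid>/maps text on stdin; print each distinct shared object that
# the kernel marks "(deleted)", i.e. the old file is gone but still mapped.
deleted_libs_in_maps() {
    awk '$NF == "(deleted)" && $(NF-1) ~ /\.so(\.[0-9]+)*$/ { print $(NF-1) }' | sort -u
}

# Walk every readable maps file; print "pid command library" per stale mapping.
scan_stale_mappings() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}; pid=${pid%/maps}
        comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
        deleted_libs_in_maps < "$maps" 2>/dev/null | while read -r lib; do
            printf '%s %s %s\n' "$pid" "$comm" "$lib"
        done
    done
}

# Usage: sudo sh this.sh --scan   (empty output means nothing needs a restart)
if [ "${1:-}" = "--scan" ]; then
    scan_stale_mappings
fi
```

Empty output after an unattended run is the result to aim for; any line names a daemon that is still executing the pre-upgrade library until it is restarted.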

  3. From the article: “Of course you must have working email setup to this work”

    How can I set up working e-mail on my Debian 9 system? What should I do besides installing “bsd-mailx”?

  4. Hello,

    When I run that command:
    $ sudo dpkg-reconfigure -plow unattended-upgrades

    And answer “Yes” on “Automatically download and install stable updates?”

    I see the following error:
    $ update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults

Comments are closed.