Set Up Automatic Security Update (Unattended Upgrades) on Ubuntu

This tutorial is going to show you how to set up automatic security update, aka unattended upgrades, on Ubuntu. If you are not living under a cave, then you probably know the massive Equifax data breach. 143 million Equifax customer’s information, including name, social security number, date of birth, driver’s license, 200k credit card numbers, was stolen between May – July 2017.

In march 2017, a critical vulnerability in Apache Structs was found and Apache foundation released a fix for it when they announced existence of the vulnerability. However, Equifax didn’t patch the vulnerability for two months, resulted in the massive data breach. Corporations running complex applications may need to do extensive testing before installing updates, but if you have a simple Linux server for personal use, you can turn on automatic security update to patch vulnerabilities ASAP.

Configure Automatic Security Update (Unattended Upgrades) on Ubuntu Server

First, install the unattended-upgrades package.

sudo apt update

sudo apt install unattended-upgrades

You need to install the update-notifier-common package in order to set up automatic reboot.

sudo apt install update-notifier-common

Then edit the 50unattended-upgrades file.

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

In this file, you can configure what packages should be automatically updated. By default, only security updates will be automatically installed, as indicated by the following lines. So there’s no need to change this section.

Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        // Extended Security Maintenance; doesn't necessarily exist for
        // every release and this system may not have it installed, but if
        // available, the policy for updates is such that unattended-upgrades
        // should also install from here by default.
        "${distro_id}ESMApps:${distro_codename}-apps-security";
        "${distro_id}ESM:${distro_codename}-infra-security";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};

  • The first origin "${distro_id}:${distro_codename}" is necessary because security updates may pull in new dependencies from non-security sources. This origin doesn’t provide software updates.
  • The second origin is for regular security updates.
  • The third and fourth origins (ESMApps and ESM) are for extended security maintenance, i.e. for those who run an Ubuntu release that reached end-of-life. You can leave it as is.

Email Notification

Sometimes Ubuntu can fail to install security updates, so a manual update is required. If you like to receive email notifications after every security update, then find the following line and uncomment it. (Remove the double slashes at the beginning.)

Ubuntu 18.04

//Unattended-Upgrade::Mail "root";

Ubuntu 20.04

//Unattended-Upgrade::Mail "";

You can specify an email address to receive notifications like below.

Unattended-Upgrade::Mail "[email protected]";

If you prefer to receive email notifications only when there’s an error during security update, then uncomment the following line.

Ubuntu 18.04

//Unattended-Upgrade::MailOnlyOnError "true";

On Ubuntu 20.04, you need to find the following line

//Unattended-Upgrade::MailReport "on-change";

Uncomment it and change on-change to

Unattended-Upgrade::MailReport "only-on-error";

Auto Remove Unused Dependencies

You probably need to do sudo apt autoremove after every update, so find the following line:

//Unattended-Upgrade::Remove-Unused-Dependencies "false";

Uncomment this line and change false to true.

Unattended-Upgrade::Remove-Unused-Dependencies "true";

Automatic Reboot

When a security update for the Linux kernel is installed, you need to restart Ubuntu server in order to apply the kernel update. If the server is only used by you or a few people, then enabling automatic reboot can be convenient. Find the following line.

//Unattended-Upgrade::Automatic-Reboot "false";

Uncomment it and change false to true to enable automatic reboot

Unattended-Upgrade::Automatic-Reboot "true";

You can also specify what time reboot will be performed. By default reboot is done immediately after installing kernel update. I set it to reboot at 4 AM. Make sure you set a correct time zone for your server.

Unattended-Upgrade::Automatic-Reboot-Time "04:00";

Save and close the file.

If the server is being used by many users or requires high uptime (such as this blog), then you shouldn’t enable automatic reboot. Instead, you can use Canonical livepatch to patch Linux kernel without reboot.

Enable Automatic Security Update

Now that automatic security update is configured, we need to enable it by creating the 20auto-upgrades file.

sudo nano /etc/apt/apt.conf.d/20auto-upgrades

Copy and paste the following two lines into the file.

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

ubuntu 18.04 automatic security updates

  • The first line makes apt do “apt-get update” automatically every day. If it’s set to 2, then every other day.  (0=disabled)
  • The second line makes apt to install security updates automatically. (1=enabled, 0=disabled)

Save and and close the file.

Run Unattended Upgrade at a Specific Time

Unattended upgrade is run randomly between 12 AM to 7AM, so as to prevent load spike to mirror servers due to everyone running updates at the same time. You can manually run unattended upgrade with:

sudo unattended-upgrade -v

You can also add this command to your Cron job.

sudo crontab -e

Add the following line at the bottom of your Crontab file, so the unattended upgrade will run every day at 2 AM.

0 2 * * * sudo /usr/bin/unattended-upgrade -v

Setting Up SMTP Relay

In order to receive email notifications after every security update, your server needs to be able to send emails. If this is your email server, then the only thing left to do is install the bsd-mailx package.

sudo apt install bsd-mailx

If this isn’t an email server, then you need to set up SMTP relay. We can install Postfix SMTP server, then relay emails through email service providers.

There are several email service providers (ESP) that can act as relay host. Some charge a little fee, some offer free quotas every month. In this article, I’d like to show you how to use Sendinblue, which is an email service provider that allows you to send 300 emails per day for free.

Create a free account at sendinblue.com. Once you complete your user profile, click the Transactional tab, you will get your SMTP settings. If there’s no SMTP settings, you need to contact Sendinblue customer service in order to activate the transactional email service.

sendinblue SMTP relay settings

Now you need to configure your Postfix SMTP server to use the Sendinblue SMTP settings.

Let’s install Postfix SMTP server on Ubuntu with the following command.

sudo apt install postfix libsasl2-modules

When you see the following message, press the Tab key and press Enter.

postfix relayhost authentication

Then choose the second option: Internet Site.

postfix relayhost configuration

Next, set the system mail name. For example, I enter my domain name linuxbabe.com.

postfix smarthost ubuntu

After Postfix is installed, open the main configuration file with a command-line text editor like Nano.

sudo nano /etc/postfix/main.cf

Find the following line.

relayhost =

By default, its value is empty. Set the value of relayhost to [smtp-relay.sendinblue.com]:587.

relayhost = [smtp-relay.sendinblue.com]:587

Then add the following lines to the end of this file.

# outbound relay configurations
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = may
header_size_limit = 4096000

Save and close the file. Then create the /etc/postfix/sasl_passwd file.

sudo nano /etc/postfix/sasl_passwd

Add the SMTP relay host and SMTP credentials to this file like below. Replace smtp_username and smtp_password with your own username and password that are given by SendinBlue. Note there’s a colon between the username and password.

[smtp-relay.sendinblue.com]:587      smtp_username:smtp_passowrd

Save and close the file. Then create the corresponding hash db file with postmap.

sudo postmap /etc/postfix/sasl_passwd

Now you should have a file /etc/postfix/sasl_passwd.db. Restart Postfix for the changes to take effect.

sudo systemctl restart postfix

By default, sasl_passwd and sasl_passwd.db file can be read by any user on the server. Change the permission to 600 so only root can read and write to these two files.

sudo chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db

From now on, Postfix will send emails via Sendinblue.

Add Sender Addresses

Click the drop-down menu on the upper-right corner of your Sendinblue account dashboard and select the Senders & IPs tab to add your domain and sender address.

sendinblue add senders and domains

Sending Test Email

Now we can send a test email with mailx command like below.

sudo apt install bsd-mailx

echo "this is a test email." | mailx -r from-address -s hello to-address

If SMTP configurations are correct, you will receive an email.

Email not Sending?

You can check the mail log (/var/log/mail.log) to debug why email is not sending.

If you wrap the relay host with brackets in /etc/postfix/main.cf file.

relayhost = [smtp-relay.sendinblue.com]:587

Then you also need to wrap the hostname in /etc/postfix/sasl_passwd file.

[smtp-relay.sendinblue.com]:587  [email protected]:YourGmailPassword

Remember to re-generate the hash db file.

sudo postmap /etc/postfix/sasl_passwd

Restart Postfix for the changes to take effect.

sudo systemctl restart postfix

Disable Receiving Email

By default, Postfix is configured to accept incoming mail. You can configure Postfix to only send email, but accept no incoming email. Find the following line in /etc/postfix/main.cf file.

inet_interfaces = all

Change it to the following text so Postfix will only listen on localhost.

inet_interfaces = loopback-only

Email Report

There are 3 possible emails sent by unattended upgrade:

  • Unattended upgrade returned: True.  This means packages are installed successfully.
  • Unattended upgrade returned: False. This means some error happened when installing updates. Usually requires human intervention. If you receive this email, you need to manually run sudo apt upgrade.
  • Unattended upgrade returned: None. There are updates available, but the system refused to install them.

Logs

Logs can be found in /var/log/unattended-upgrades/ directory.

Check Restart

The checkrestart command can help you find out which processes need to be restarted after an upgrade. It is available from debian-goodies package.

sudo apt install debian-goodies

sudo checkrestart

Wrapping Up

I hope this tutorial helped you set up unattended upgrades on Ubuntu server. As always, if you found this post useful,  subscribe to our free newsletter to get more tips and tricks 🙂

Rate this tutorial
[Total: 6 Average: 4.5]

14 Responses to “Set Up Automatic Security Update (Unattended Upgrades) on Ubuntu

  • Johan Lesky
    1 year ago

    Question …

    * Will it be acceptable / preferable to install this “Automatic Security Update” on
    a Server that have “Nextcloud” installed !?

  • This was so helpful!! Thank you for making such an excellent tutorial

  • Robi Erwin Setiawan
    9 months ago

    Should we use Canonical Livepatch Service too or just only this one is enough?

    • Canonical livepatch is used to patch the Linux kernel without reboot.

      If you don’t care about uptime, you don’t need Canonical livepatch.
      If you care about uptime, you should use Canonical livepatch to avoid rebooting your servers.

  • Again Xiao, really helpful tutorial; just 2 or 3 suggestions re this:

    if you edit the /etc/apt/apt.conf.d/50unattended-upgrades file, make sure at the end of the file you add
    };
    added; otherwise you’ll have syntax error and unattended upgrades may not work;

    you can test that it works with the command

    sudo unattended-upgrades –dry-run –debug

    if there are any errors in setup you can correct those!

    some other tutorials recommend to run the following after installing unattended-upgrades:

    sudo dpkg-reconfigure -plow unattended-upgrades

    I think this automatically creates and configures the /etc/apt/apt.conf.d/20auto-upgrades file
    so you don’t have to add the 2 lines [APT::Periodic::Update-Package-Lists “1”; and
    APT::Periodic::Unattended-Upgrade “1”;]

  • Thanks!

  • This is a great tutorial, thank you very much. Really good guide to getting postfix working too.

  • Hello Xiao,

    I do have – Unattended-Upgrade::Automatic-Reboot-Time “04:00”; – but “Unattended Upgrades” is running around 06:00. How do I fix this in order to have “Unattended Upgrades” running before 04:00 ???


    Kindest Regards,
    Ale

    • You can manually run unattended upgrade with:

      sudo unattended-upgrade -v

      You can add this command to your Cron job.

      sudo crontab -e

      Add the following line at the bottom of your Crontab file, so the unattended upgrade will run every day at 2 AM.

      0 2 * * * sudo /usr/bin/unattended-upgrade -v
      • Hello Xiao, and thank You so much.
        – However now I have “unattended-upgrade” running at 2AM and at 6AM as well and I have
        – It does not make sense have “Unattended-Upgrade” running at 6AM. I guess “Unattended-Upgrade” have an internal default and I can’t figure out how to change it.

        Kindest Regards,
        Ale

    • sudo nano /etc/apt/apt.conf.d/20auto-upgrades

      Change the values to 0, to disable auto-upgrade, because auto-upgrade will be taken care of by Cron job.

      APT::Periodic::Update-Package-Lists "0";
      APT::Periodic::Unattended-Upgrade "0";
      
      • Hello Xiao
        Thank You so much.
        May I suggest:

        0 2 * * * sudo /usr/bin/unattended-upgrade -v > /dev/null 2>&1

        otherwise You will receive 2 emails – 1 from cron and 1 from unattended.


        Kindest Regards,
        Ale

  • Hello, many thanks for the tutorial. I was following one that said “install mailutils or bsd-mailx” and I was wondering why I couldn’t set an smtp relay. You explained why and and how. I thought it worth commenting in case anyone else is in a similar position. One thing I found was that ‘libsasl2-modules’ also requires installing to allow SMTP authentication. Otherwise you get a “SASL authentication failure: No worthy mechs found” error. Thanks again.

Leave a Comment

  • Comments with links are moderated by admin before published.
  • Your email address will not be published.
  • Use <pre> ... </pre> HTML tag to quote the output from your terminal/console.
  • Please use the community (https://community.linuxbabe.com) for questions unrelated to this article.
  • I don't have time to answer every question. Making a donation would incentivize me to spend more time answering questions.

The maximum upload file size: 2 MB. You can upload: image. Links to YouTube, Facebook, Twitter and other services inserted in the comment text will be automatically embedded. Drop file here