Set Up Automatic Security Update (Unattended Upgrades) on Ubuntu

This tutorial is going to show you how to set up automatic security update, aka unattended upgrades, on Ubuntu. If you are not living under a cave, then you probably know the massive Equifax data breach. 143 million Equifax customer’s information, including name, social security number, date of birth, driver’s license, 200k credit card numbers, was stolen between May – July 2017.

In march 2017, a critical vulnerability in Apache Structs was found and Apache foundation released a fix for it when they announced existence of the vulnerability. However, Equifax didn’t patch the vulnerability for two months, resulted in the massive data breach. Corporations running complex applications may need to do extensive testing before installing updates, but if you have a simple Linux server for personal use, you can turn on automatic security update to patch vulnerabilities ASAP.

Configure Automatic Security Update (Unattended Upgrades) on Ubuntu Server

First, install the unattended-upgrades package.

sudo apt update

sudo apt install unattended-upgrades

You need to install the update-notifier-common package in order to set up automatic reboot.

sudo apt install update-notifier-common

Then edit the 50unattended-upgrades file.

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

In this file, you can configure what packages should be automatically updated. By default, only security updates will be automatically installed, as indicated by the following lines. So there’s no need to change this section.

Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        // Extended Security Maintenance; doesn't necessarily exist for
        // every release and this system may not have it installed, but if
        // available, the policy for updates is such that unattended-upgrades
        // should also install from here by default.
        "${distro_id}ESMApps:${distro_codename}-apps-security";
        "${distro_id}ESM:${distro_codename}-infra-security";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};

  • The first origin "${distro_id}:${distro_codename}" is necessary because security updates may pull in new dependencies from non-security sources. This origin doesn’t provide software updates.
  • The second origin is for regular security updates.
  • The third and fourth origins (ESMApps and ESM) are for extended security maintenance, i.e. for those who run an Ubuntu release that reached end-of-life. You can leave it as is.

Email Notification

Sometimes Ubuntu can fail to install security updates, so a manual update is required. If you like to receive email notifications after every security update, then find the following line and uncomment it. (Remove the double slashes at the beginning.)

Ubuntu 18.04

//Unattended-Upgrade::Mail "root";

Ubuntu 20.04

//Unattended-Upgrade::Mail "";

You can specify an email address to receive notifications like below.

Unattended-Upgrade::Mail "you@example.com";

If you prefer to receive email notifications only when there’s an error during security update, then uncomment the following line.

Ubuntu 18.04

//Unattended-Upgrade::MailOnlyOnError "true";

On Ubuntu 20.04, you need to find the following line

//Unattended-Upgrade::MailReport "on-change";

Uncomment it and change on-change to

Unattended-Upgrade::MailReport "only-on-error";

Auto Remove Unused Dependencies

You probably need to do sudo apt autoremove after every update, so find the following line:

//Unattended-Upgrade::Remove-Unused-Dependencies "false";

Uncomment this line and change false to true.

Unattended-Upgrade::Remove-Unused-Dependencies "true";

Automatic Reboot

When a security update for the Linux kernel is installed, you need to restart Ubuntu server in order to apply the kernel update. If the server is only used by you or a few people, then enabling automatic reboot can be convenient. Find the following line.

//Unattended-Upgrade::Automatic-Reboot "false";

Uncomment it and change false to true to enable automatic reboot

Unattended-Upgrade::Automatic-Reboot "true";

You can also specify what time reboot will be performed. By default reboot is done immediately after installing kernel update. I set it to reboot at 4 AM. Make sure you set a correct time zone for your server.

Unattended-Upgrade::Automatic-Reboot-Time "04:00";

Save and close the file.

If the server is being used by many users or requires high uptime (such as this blog), then you shouldn’t enable automatic reboot. Instead, you can use Canonical livepatch to patch Linux kernel without reboot.

Enable Automatic Security Update

Now that automatic security update is configured, we need to enable it by creating the 20auto-upgrades file.

sudo nano /etc/apt/apt.conf.d/20auto-upgrades

Copy and paste the following two lines into the file.

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

ubuntu 18.04 automatic security updates

  • The first line makes apt do “apt-get update” automatically every day. If it’s set to 2, then every other day.  (0=disabled)
  • The second line makes apt to install security updates automatically. (1=enabled, 0=disabled)

Save and and close the file.

Setting Up SMTP Relay

In order to receive email notifications after every security update, your server needs to be able to send emails. If this is your email server, then the only thing left to do is install the bsd-mailx package.

sudo apt install bsd-mailx

If this isn’t an email server, then you need to set up SMTP relay. We can install Postfix SMTP server, then relay emails through Gmail or other email service providers.

Install Postfix on your Ubuntu server.

sudo apt install postfix

When you see the following message, press the Tab key and press Enter.

unattended-upgrades email notification

Then choose the second option: Internet Site.

run unattended-upgrades manually

Next, set the system mail name. You can use the full hostname of your server.

unattended-upgrade::allowed-origins

After Postfix is installed, open the configuration file.

sudo nano /etc/postfix/main.cf

Find the following line.

relayhost =

By default, its value is not set. We change it so emails will be relayed through Gmail server.

relayhost = smtp.gmail.com:587

If you have your own email server running on another box, then use the hostname of your mail server as the relayhost.

relayhost = mail.yourdomain.com:587

Next, add the following lines to the end of this file.

# outbound relay configurations
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = may
header_size_limit = 4096000

Please note that it’s not recommended to put your Gmail credentials directly into /etc/postfix/main.cf file because every user on the server can use postconf -n command to dump Postfix configurations to the screen.

By default, Postfix are configured to accept incoming mail. You can configure Postfix to only send email, but accept no incoming email. Find the following line in /etc/postfix/main.cf file.

inet_interfaces = all

Change it to the following text so Postfix will only listen on localhost.

inet_interfaces = loopback-only

Save and close the file. Then create the /etc/postfix/sasl_passwd file.

sudo nano /etc/postfix/sasl_passwd

Enter the following lines to the file.

smtp.gmail.com:587  you@gmail.com:YourGmailPassword

Note

  • There’s a colon between the username and password.
  • if you enabled two-step verification for your Gmail account, you will need to use an App password instead of the normal password.)

If you use your own email server as relay, add the following line instead.

mail.yourdomain.com:587   username@yourdomain.com:password

Save and close the file. Then create the corresponding hash db file with postmap.

sudo postmap /etc/postfix/sasl_passwd

Now you should have a file /etc/postfix/sasl_passwd.db. Restart Postfix for the changes to take effect.

sudo systemctl restart postfix

By default, sasl_passwd and sasl_passwd.db file can be read by any user on the server.  Change the permission to 600 so only root can read and write to these two files.

sudo chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db

Email notifications are sent with mailx command, which is provided by the bsd-mailx package.

sudo apt install bsd-mailx

Now you can run the following command to test the SMTP configurations.

echo "this is a test email." | mailx -r from-address -s hello to-address

If SMTP configurations are correct, you will receive an email from your Gmail account.

Email not Sending?

If you wrap the relay host with brackets in /etc/postfix/main.cf file.

relayhost = [smtp.gmail.com]:587

Then you also need to wrap the hostname in /etc/postfix/sasl_passwd file.

[smtp.gmail.com]:587  you@gmail.com:YourGmailPassword

Remember to re-generate the hash db file.

sudo postmap /etc/postfix/sasl_passwd

Restart Postfix for the changes to take effect.

sudo systemctl restart postfix

Email Report

There are 3 possible emails sent by unattended upgrade:

  • Unattended upgrade returned: True.  This means packages are installed successfully.
  • Unattended upgrade returned: False. This means some error happened when installing updates. Usually requires human intervention. If you receive this email, you need to manually run sudo apt upgrade.
  • Unattended upgrade returned: None. There are updates available, but the system refused to install them.

Logs

Logs can be found in /var/log/unattended-upgrades/ directory.

Check Restart

The checkrestart command can help you find out which processes need to be restarted after an upgrade. It is available from debian-goodies package.

sudo apt install debian-goodies

sudo checkrestart

Wrapping Up

I hope this tutorial helped you set up unattended upgrades on Ubuntu server. As always, if you found this post useful,  subscribe to our free newsletter to get more tips and tricks 🙂

Rate this tutorial
[Total: 5 Average: 4.4]

2 Responses to “Set Up Automatic Security Update (Unattended Upgrades) on Ubuntu

  • Johan Lesky
    3 months ago

    Question …

    * Will it be acceptable / preferable to install this “Automatic Security Update” on
    a Server that have “Nextcloud” installed !?

Leave a Comment

  • Comments with links are moderated by admin before published.
  • Your email address will not be published.
  • Use <pre> ... </pre> HTML tag to quote the output from your terminal/console.
  • Please use the community (https://community.linuxbabe.com) for questions unrelated to this article.
  • I don't have time to answer every question. Making a donation would incentivize me to spend more time answering questions.


The maximum upload file size: 2 MB.
You can upload: image.