Setting up Automatic Security Update (Unattended Upgrades) on Ubuntu 18.04

This tutorial is going to show you how to set up automatic security updates, aka unattended upgrades, on Ubuntu 18.04. If you are not living under a rock, then you have heard about the massive Equifax data breach: the personal information of 143 million Equifax customers, including names, social security numbers, dates of birth, driver’s license numbers and about 200k credit card numbers, was stolen between May and July 2017.

In March 2017, a critical vulnerability in Apache Struts was found, and the Apache foundation released a fix at the same time it announced the vulnerability. However, Equifax didn’t patch the vulnerability for two months, which resulted in the massive data breach. Corporations running complex applications may need extensive testing before installing updates, but if you have a simple Linux server for personal use, you can turn on automatic security updates to patch vulnerabilities as soon as fixes are published.

Configure Automatic Security Update (Unattended Upgrades) on Ubuntu 18.04 Server

The package unattended-upgrades is installed by default on Ubuntu 18.04 server. In case it is missing, you can install it with the following commands.

sudo apt update

sudo apt install unattended-upgrades

On Ubuntu 16.04, you need to install the update-notifier-common package in order to set up automatic reboot.

sudo apt install update-notifier-common

Then edit the 50unattended-upgrades file.

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

In this file, you can configure which packages should be automatically updated. By default, only security updates are installed automatically, as indicated by the following lines, so there’s no need to change this section.

Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        // Extended Security Maintenance; doesn't necessarily exist for
        // every release and this system may not have it installed, but if
        // available, the policy for updates is such that unattended-upgrades
        // should also install from here by default.
        "${distro_id}ESM:${distro_codename}";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};


  • The first origin "${distro_id}:${distro_codename}" is the release pocket, the package set Ubuntu 18.04 shipped with. It is needed because a security update may depend on a package version that only exists there; it doesn’t itself ship any updates after the release.
  • The third origin "${distro_id}ESM:${distro_codename}" is for Extended Security Maintenance, i.e. for those who run an Ubuntu release that has reached the end of standard support. If the ESM repository is not configured on your system, the entry is simply ignored, so you can leave it as is.

Email Notification

If you would like to receive an email notification after every update run, find the following line and uncomment it.

//Unattended-Upgrade::Mail "root";

Then specify your email address like below.

Unattended-Upgrade::Mail "you@example.com";

If you prefer to receive email notifications only on errors, uncomment the following line.

//Unattended-Upgrade::MailOnlyOnError "true";

Auto Remove Unused Dependencies

You probably don’t want to run sudo apt autoremove by hand after every update, so uncomment the following line and change false to true.

//Unattended-Upgrade::Remove-Unused-Dependencies "false";

Change it to this:

Unattended-Upgrade::Remove-Unused-Dependencies "true";

Automatic Reboot

When a security update for the Linux kernel is installed, you need to reboot the Ubuntu 18.04 server before the new kernel is actually running. If the server is only used by you or a few people, enabling automatic reboot can be convenient. Find the following line.

//Unattended-Upgrade::Automatic-Reboot "false";

Uncomment it and change false to true to enable automatic reboot. The reboot only happens when a package has flagged that one is needed (the file /var/run/reboot-required exists), not after every update run.

Unattended-Upgrade::Automatic-Reboot "true";

You can also specify at what time the reboot is performed. By default the reboot happens immediately after the update run that installed the kernel update. I set it to reboot at 4 AM. Make sure the server’s time zone is set correctly, because this time is interpreted as local time.

Unattended-Upgrade::Automatic-Reboot-Time "04:00";

If the server is used by many people or requires high uptime (such as this blog), then you shouldn’t enable automatic reboot. Instead, you can use Canonical Livepatch to patch the kernel without rebooting.

Enable Automatic Security Update

Now that automatic security updates are configured, we need to enable them by creating (or editing, if it already exists) the 20auto-upgrades file.

sudo nano /etc/apt/apt.conf.d/20auto-upgrades

Copy and paste the following two lines into the file.

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";


  • The first line makes apt run “apt-get update” automatically every day. If it’s set to 2, the package lists are refreshed every other day; 0 disables it.
  • The second line makes apt install the updates allowed by 50unattended-upgrades automatically (1 = enabled, 0 = disabled).

Save and close the file.
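To check that the two files edited above say what you think they say, here is an added shell example (not code from the tutorial or from the unattended-upgrades package) that parses them and reports the effective settings: the origins that are actually enabled, the reboot and mail settings, and whether both APT::Periodic switches are on. The two sample files it writes are constructed to match this tutorial; the distro id and codename are passed in as parameters, and on a real server you would point it at /etc/apt/apt.conf.d/50unattended-upgrades and /etc/apt/apt.conf.d/20auto-upgrades.

```sh
#!/bin/sh
# Added example (not part of the original tutorial): audit the two apt
# configuration files this page edits and report what unattended-upgrades
# will actually do. The two sample files written below are constructed for
# the demo; on a real server pass /etc/apt/apt.conf.d/50unattended-upgrades
# and /etc/apt/apt.conf.d/20auto-upgrades instead.

# active_origins CONF DISTRO_ID CODENAME
# Print the Allowed-Origins entries that are not commented out with //,
# with ${distro_id} and ${distro_codename} expanded.
active_origins() {
    sed -n '/^Unattended-Upgrade::Allowed-Origins/,/^};/p' "$1" \
        | grep -v '^[[:space:]]*//' \
        | grep -o '"[^"]*"' \
        | tr -d '"' \
        | sed "s/\\\${distro_id}/$2/g; s/\\\${distro_codename}/$3/g"
}

# uu_setting CONF KEY
# Print the value of Unattended-Upgrade::KEY, or nothing if the line is
# absent or still commented out.
uu_setting() {
    sed -n "s/^Unattended-Upgrade::$2 \"\([^\"]*\)\";.*/\1/p" "$1" | tail -n 1
}

# periodic_value CONF KEY
# Print the value of APT::Periodic::KEY; apt treats a missing key as "0".
periodic_value() {
    v=$(sed -n "s/^APT::Periodic::$2 \"\([0-9]*\)\";.*/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${v:-0}"
}

# audit_auto_upgrades UU_CONF PERIODIC_CONF DISTRO_ID CODENAME
# Print a summary; exit status 1 if either APT::Periodic switch is off.
audit_auto_upgrades() {
    rc=0
    echo "Active origins:"
    active_origins "$1" "$3" "$4" | sed 's/^/  /'
    for key in Mail MailOnlyOnError Remove-Unused-Dependencies \
               Automatic-Reboot Automatic-Reboot-Time; do
        echo "Unattended-Upgrade::$key = $(uu_setting "$1" "$key")"
    done
    for key in Update-Package-Lists Unattended-Upgrade; do
        v=$(periodic_value "$2" "$key")
        echo "APT::Periodic::$key = $v"
        [ "$v" != "0" ] || rc=1
    done
    return $rc
}

# Constructed sample configuration, matching the settings made in this tutorial.
tmp=$(mktemp -d)
cat > "$tmp/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        // Extended Security Maintenance
        "${distro_id}ESM:${distro_codename}";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
};
Unattended-Upgrade::Mail "admin@example.com";
//Unattended-Upgrade::MailOnlyOnError "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "04:00";
EOF
cat > "$tmp/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF

audit_auto_upgrades "$tmp/50unattended-upgrades" "$tmp/20auto-upgrades" Ubuntu bionic
echo "audit exit status: $?"
```

On a live system, apt-config dump | grep APT::Periodic shows the values apt actually sees after merging every file in /etc/apt/apt.conf.d, and sudo unattended-upgrade --dry-run -d lists which packages the current Allowed-Origins would let through without installing anything.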

Setting Up SMTP Relay

In order to receive email notifications after every update run, your server needs to be able to send email. If this server already runs a mail server, the only thing left to do is install the bsd-mailx package.

sudo apt install bsd-mailx

If this isn’t a mail server, you need to set up an SMTP relay. We can install the Postfix SMTP server and relay emails through Gmail or another email service provider.

Install Postfix on your Ubuntu 18.04 server.

sudo apt install postfix

The installer first shows a dialog describing the available mail configuration types; press the Tab key and then Enter to continue.

Then choose the second option: Internet Site.

Next, set the system mail name. You can use the full hostname of your server.

After Postfix is installed, open the configuration file.

sudo nano /etc/postfix/main.cf

Find the following line.

relayhost =

By default its value is empty. Set it so emails are relayed through Gmail’s server.

relayhost = smtp.gmail.com:587

Then add the following lines to the end of this file.

# outbound relay configurations
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
header_size_limit = 4096000

smtp_tls_security_level = encrypt makes Postfix refuse to send unless the relay offers STARTTLS. With the weaker setting may, Postfix falls back to a plaintext session if TLS is not available, and since SASL authentication happens over that session your Gmail password would be sent in the clear. Gmail requires STARTTLS on port 587 anyway, so encrypt costs nothing.

Please note that it’s not recommended to put your Gmail credentials directly into the /etc/postfix/main.cf file (for example with a static: map), because that file is world-readable and every user on the server can dump the Postfix configuration to the screen with the postconf -n command.

By default, Postfix is configured to accept incoming mail on all network interfaces. Since this server only needs to send notifications, configure Postfix to listen on localhost only, so it accepts no email from the network. Find the following line in the /etc/postfix/main.cf file.

inet_interfaces = all

Change it to the following so Postfix only listens on the loopback interface.

inet_interfaces = loopback-only

Save and close the file. Then create the /etc/postfix/sasl_passwd file.

sudo nano /etc/postfix/sasl_passwd

Enter the following line in the file. The first field must be spelled exactly like the relayhost value in main.cf, and the username and password are separated by a colon, not a space. (Note that if you have enabled two-step verification for your Gmail account, you need to use an App password instead of your normal password.)

smtp.gmail.com:587  you@gmail.com:YourGmailPassword

Save and close the file. Then create the corresponding hash db file with postmap.

sudo postmap /etc/postfix/sasl_passwd

Now you should have a file /etc/postfix/sasl_passwd.db. By default, the sasl_passwd and sasl_passwd.db files can be read by any user on the server. Change the permissions to 600 right away, so only root can read and write these two files.

sudo chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db

Then restart Postfix for the changes to take effect.

sudo systemctl restart postfix
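The steps above still leave a short window between creating sasl_passwd and running chmod in which the file is world-readable. Here is an added shell example (not code from the tutorial or from Postfix) that creates the credential file with a restrictive umask so it is 0600 from the moment it exists, builds the hash db, and then verifies the permissions; it also checks a main.cf for the inline static: form the tutorial warns against. The directory, relay host and credentials are parameters, and the temporary directory and sample values are constructed for the demo; on a real server you would pass /etc/postfix and run it as root.

```sh
#!/bin/sh
# Added example (not part of the original tutorial): create the Postfix SASL
# credential file so that it is never world-readable, not even between
# creating it and running chmod, then build the hash db and verify the
# permissions. Directory, relay host and credentials are parameters; the
# temporary directory and sample values below are constructed for the demo.
# On a real server use /etc/postfix as the directory and run this as root.

# write_sasl_passwd DIR RELAYHOST USER PASSWORD
# The first field must be spelled exactly like relayhost in main.cf, and the
# Postfix lookup-table format is "host user:password" (colon, not space).
write_sasl_passwd() {
    dir="$1" relayhost="$2" user="$3" pass="$4"
    (
        umask 077                      # new files are created 0600, not 0644
        printf '%s  %s:%s\n' "$relayhost" "$user" "$pass" > "$dir/sasl_passwd"
        # postmap builds sasl_passwd.db; skipped here if Postfix is not installed
        if command -v postmap >/dev/null 2>&1; then
            postmap "$dir/sasl_passwd"
        fi
    ) || return 1
    # Belt and braces: also tightens a .db that existed before this run.
    for f in "$dir/sasl_passwd" "$dir/sasl_passwd.db"; do
        if [ -e "$f" ]; then chmod 0600 "$f"; fi
    done
    return 0
}

# check_sasl_perms DIR
# Exit 0 when every sasl_passwd* file in DIR is mode 0600, 1 otherwise.
check_sasl_perms() {
    rc=0
    for f in "$1"/sasl_passwd "$1"/sasl_passwd.db; do
        [ -e "$f" ] || continue
        mode=$(stat -c %a "$f")
        if [ "$mode" != "600" ]; then
            echo "WARNING: $f is mode $mode, expected 600" >&2
            rc=1
        fi
    done
    return $rc
}

# main_cf_leaks_password MAIN_CF
# Exit 0 (true) if main.cf carries the credentials inline via a static: map,
# which any local user can read with postconf -n; 1 if it uses a hash: file.
main_cf_leaks_password() {
    grep -q '^smtp_sasl_password_maps[[:space:]]*=[[:space:]]*static:' "$1"
}

demo=$(mktemp -d)
write_sasl_passwd "$demo" "smtp.gmail.com:587" "you@gmail.com" "app-password-here"
check_sasl_perms "$demo" && echo "sasl_passwd permissions OK"
ls -l "$demo"

# Two constructed main.cf fragments: the form this tutorial uses, and the
# inline form it warns against.
printf 'smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd\n' > "$demo/good_main.cf"
printf 'smtp_sasl_password_maps = static:you@gmail.com:app-password-here\n' > "$demo/bad_main.cf"
main_cf_leaks_password "$demo/bad_main.cf" && echo "bad_main.cf exposes the password to every local user"
```

check_sasl_perms is worth keeping around as a periodic check: a later package upgrade or a careless edit can silently reset the permissions, and the warning goes to stderr so it shows up in cron mail.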

Email notifications are sent with the mailx command, which is provided by the bsd-mailx package.

sudo apt install bsd-mailx

Now you can run the following command to test the SMTP configuration, replacing from-address and to-address with real addresses.

echo "this is a test email." | mailx -r from-address -s hello to-address

If the SMTP configuration is correct, you will receive an email sent through your Gmail account. If nothing arrives, check /var/log/mail.log, where Postfix records the relay attempt and any authentication or TLS errors.

Email Report

There are 3 possible results reported in the emails sent by unattended-upgrades:

  • Unattended upgrade returned: True. The packages were installed successfully.
  • Unattended upgrade returned: False. An error happened while installing updates, which usually requires human intervention. If you receive this email, log in and run sudo apt upgrade manually.
  • Unattended upgrade returned: None. Updates were available, but unattended-upgrades did not install them. Check the log for the reason.

Logs

Logs can be found in the /var/log/unattended-upgrades/ directory: unattended-upgrades.log records what the script decided to do on each run (allowed origins, packages selected or skipped), and unattended-upgrades-dpkg.log records the dpkg output of the actual package installation.

Check Restart

The checkrestart command helps you find out which running processes are still using old copies of libraries or binaries that were replaced by an upgrade, and therefore need to be restarted to actually pick up the fix. It is available from the debian-goodies package.

sudo apt install debian-goodies

sudo checkrestart
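What checkrestart does underneath is worth seeing once, because it is also the way to verify by hand that a service really picked up a patched library. Here is an added shell example (not code from the tutorial and not the checkrestart script itself) that performs the core check: after an upgrade replaces a file, a process still running the old copy keeps it mapped, and /proc/PID/maps shows that mapping with the path followed by "(deleted)". The sample maps content is constructed for the demo; scan_running_processes walks the real /proc of the host it runs on and needs root to see other users' processes.

```sh
#!/bin/sh
# Added example (not part of the original tutorial, and not the checkrestart
# script itself): the core test checkrestart performs, done by hand. When a
# package upgrade replaces a library or binary, any process still running the
# old copy keeps it mapped, and /proc/PID/maps shows that mapping with the path
# followed by "(deleted)". The sample maps content below is constructed for
# the demo; scan_running_processes walks the real /proc of the host it runs on.

# deleted_files_in_maps FILE
# Print each unique deleted file under a system directory that is mapped in a
# /proc/PID/maps-format file. Columns: address perms offset dev inode pathname,
# with "(deleted)" as an extra trailing field when the file has been unlinked.
# Deleted mappings outside the package directories (/dev/zero, memfd, tmpfs
# scratch files) are normal and ignored. Paths containing spaces would be
# split by awk; files from Ubuntu packages do not contain spaces.
deleted_files_in_maps() {
    awk '$NF == "(deleted)" && $(NF-1) ~ /^\/(usr|lib|lib32|lib64|bin|sbin|opt)\// { print $(NF-1) }' "$1" \
        | sort -u
}

# scan_running_processes
# Print "PID<TAB>COMMAND<TAB>deleted files" for every process that still maps
# a replaced file, i.e. every process that should be restarted.
scan_running_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        files=$(deleted_files_in_maps "$maps" 2>/dev/null)
        [ -n "$files" ] || continue   # nothing replaced, or maps not readable (needs root)
        comm=$(cat "/proc/$pid/comm" 2>/dev/null)
        printf '%s\t%s\t%s\n' "$pid" "$comm" "$(printf '%s' "$files" | tr '\n' ' ')"
    done
}

# Constructed sample: a process whose libssl was replaced by an upgrade while
# it kept running. libc is current, the /dev/zero mapping is not a file on disk.
sample=$(mktemp)
cat > "$sample" <<'EOF'
7f3a1c000000-7f3a1c1c8000 r-xp 00000000 fd:01 1313 /lib/x86_64-linux-gnu/libc-2.27.so
7f3a1c3c8000-7f3a1c3cc000 r--p 001c8000 fd:01 1313 /lib/x86_64-linux-gnu/libc-2.27.so
7f3a1c400000-7f3a1c45d000 r-xp 00000000 fd:01 9212 /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (deleted)
7f3a1c45d000-7f3a1c65c000 ---p 0005d000 fd:01 9212 /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (deleted)
7f3a1c800000-7f3a1c801000 rw-s 00000000 00:05 8 /dev/zero (deleted)
7ffd9e000000-7ffd9e021000 rw-p 00000000 00:00 0 [stack]
EOF
echo "Replaced files still mapped by the sample process:"
deleted_files_in_maps "$sample"

echo "Processes on this host still using replaced files (empty if none):"
scan_running_processes
```

A process listed here is still executing the pre-patch code even though apt reports the package as upgraded; restart the service (or reboot, if the file is the kernel's or libc's) before considering the vulnerability closed.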

That’s it! I hope this tutorial helped you set up unattended upgrades on Ubuntu 18.04 server.
