Setup & Configure Unattended Upgrades on Ubuntu 20.04

In this tutorial, we are going to go through a series of steps that will help secure your server to best protect against hackers and hack attempts without going into complex topics.

Making sure the server is up to date is essential. By default, Ubuntu is not set up for automatic updates, but we can enable unattended-upgrades easily.

1. Make sure we are up to date

$ sudo apt-get update && sudo apt-get upgrade -y

2. Install the Unattended-Upgrades Package

This is probably already installed, but let's make sure.

$ sudo apt install unattended-upgrades -y

3. Install the apt-config-auto-update package

This will make sure the server reboots after upgrades happen.

$ sudo apt install apt-config-auto-update -y

Now check to see if it worked:

$ sudo systemctl status unattended-upgrades

Sample Output:

    unattended-upgrades.service - Unattended Upgrades Shutdown
     Loaded: loaded (/lib/systemd/system/unattended-upgrades.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2022-01-17 08:33:06 UTC; 1 day 5h ago
       Docs: man:unattended-upgrade(8)
   Main PID: 815 (unattended-upgr)
      Tasks: 2 (limit: 9504)
     Memory: 11.8M
     CGroup: /system.slice/unattended-upgrades.service
             └─815 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal

Hit [CTRL]-C to exit back to a command prompt.

4. Configure Unattended Upgrades

Open the configuration file:

$ sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Uncomment the following line to include regular package updates that are off by default:

//      "${distro_id}:${distro_codename}-updates";

Should now look like this:

"${distro_id}:${distro_codename}-updates";

Now we will remove unused dependencies when we update. This will remove dependencies that are no longer needed when you do an automatic update.

Change this section:

// Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools).
//Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";

// Do automatic removal of newly unused dependencies after the upgrade
//Unattended-Upgrade::Remove-New-Unused-Dependencies "true";

// Do automatic removal of unused packages after the upgrade
// (equivalent to apt-get autoremove)
//Unattended-Upgrade::Remove-Unused-Dependencies "false";

to this:

// Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools).
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";

// Do automatic removal of newly unused dependencies after the upgrade
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";

// Do automatic removal of unused packages after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "true";

Note that we removed the comment markers on the third, sixth and tenth lines, and we changed false to true on the last line.

Hint: If you are new to the nano editor, you can delete an entire line quickly by positioning the cursor on it and hitting [CTRL]-K.

Now find this line:

//Unattended-Upgrade::Automatic-Reboot "false";

and uncomment it and change false to true so it looks like this:

Unattended-Upgrade::Automatic-Reboot "true";

Finally, find this line:

//Unattended-Upgrade::Automatic-Reboot-Time "02:00";

and uncomment it so it looks like this:

Unattended-Upgrade::Automatic-Reboot-Time "02:00";

Now save the file by hitting [CTRL]-X, then Y, then [ENTER].

Now we have another file to configure:

$ sudo nano /etc/apt/apt.conf.d/20auto-upgrades

Edit the file so it looks like this:

APT::Periodic::Update-Package-Lists "3";
APT::Periodic::Download-Upgradeable-Packages "3";
APT::Periodic::AutocleanInterval "3";
APT::Periodic::Unattended-Upgrade "3";

Here we have said that we want to go through this process of checking updates every three days.

Now save the file by hitting [CTRL]-X, then Y, then [ENTER].

5. Start & Enable the Service

Now let's start the service:

$ sudo systemctl start unattended-upgrades

and make sure it always starts when the server boots:

$ sudo systemctl enable unattended-upgrades

and finally make sure we are running smoothly:

$ sudo systemctl status unattended-upgrades

The output should look something like this:

    unattended-upgrades.service - Unattended Upgrades Shutdown
     Loaded: loaded (/lib/systemd/system/unattended-upgrades.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2022-01-17 08:33:06 UTC; 1 day 6h ago
       Docs: man:unattended-upgrade(8)
   Main PID: 815 (unattended-upgr)
      Tasks: 2 (limit: 9504)
     Memory: 11.8M
     CGroup: /system.slice/unattended-upgrades.service
             └─815 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal

Hit [CTRL]-C to exit back to a command prompt.

If you see an error, you probably made a typo in one of the config files.
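A typo or a line left commented out in step 4 does not always produce an error, so it helps to check the two files against the values this tutorial sets. The script below is an added example, not part of the original tutorial; the function names (conf_value, origin_enabled, expect, audit) are made up for illustration, and the sample files are constructed to show a half-finished edit.

```shell
# Added example: audit the values set in step 4. Sample files are constructed.
# conf_value FILE KEY: print the value of the active (not //-commented) KEY line.
conf_value() {
    sed -n "s|^[[:space:]]*$2[[:space:]]*\"\([^\"]*\)\";.*|\1|p" "$1" | tail -n 1
}
# origin_enabled FILE SUFFIX: succeed if the -SUFFIX origin line is uncommented.
origin_enabled() {
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' "$1" |
        grep -Fxq "\"\${distro_id}:\${distro_codename}-$2\";"
}
# expect FILE KEY WANT: report one setting; count mismatches in $fails.
expect() {
    got=$(conf_value "$1" "$2")
    if [ "$got" = "$3" ]; then echo "ok    $2 \"$got\""
    else echo "FAIL  $2 \"${got:-unset}\" (want \"$3\")"; fails=$((fails + 1)); fi
}
# audit UU_FILE PERIODIC_FILE: check every value this tutorial sets.
audit() {
    fails=0
    if origin_enabled "$1" updates; then echo "ok    -updates origin enabled"
    else echo "FAIL  -updates origin is commented out"; fails=$((fails + 1)); fi
    for k in Remove-Unused-Kernel-Packages Remove-New-Unused-Dependencies \
             Remove-Unused-Dependencies Automatic-Reboot; do
        expect "$1" "Unattended-Upgrade::$k" true
    done
    expect "$1" Unattended-Upgrade::Automatic-Reboot-Time 02:00
    for k in Update-Package-Lists Download-Upgradeable-Packages \
             AutocleanInterval Unattended-Upgrade; do
        expect "$2" "APT::Periodic::$k" 3
    done
    [ "$fails" -eq 0 ]
}

# Constructed sample: step 4 left half done (two lines still commented).
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
cat > "$demo/50" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
//      "${distro_id}:${distro_codename}-updates";
};
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
//Unattended-Upgrade::Remove-Unused-Dependencies "false";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
EOF
printf 'APT::Periodic::%s "3";\n' Update-Package-Lists \
    Download-Upgradeable-Packages AutocleanInterval Unattended-Upgrade > "$demo/20"
audit "$demo/50" "$demo/20" || echo "$fails setting(s) need attention"
```

On a real server, call audit with /etc/apt/apt.conf.d/50unattended-upgrades and /etc/apt/apt.conf.d/20auto-upgrades instead of the sample files. Running sudo unattended-upgrade --dry-run --debug afterwards shows what the tool itself would do with that configuration.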

6. Checking Logs

After a few weeks, you may want to see a log of the unattended upgrades that were done. You will see them here:

/var/log/unattended-upgrades/



