Configuring Automated Security Updates on Debian
Traducciones al EspañolEstamos traduciendo nuestros guías y tutoriales al Español. Es posible que usted esté viendo una traducción generada automáticamente. Estamos trabajando con traductores profesionales para verificar las traducciones de nuestro sitio web. Este proyecto es un trabajo en curso.
Keeping your system up-to-date with the latest packages and security updates can be a tedious task. Most users forget to do it, leaving them vulnerable to countless threats. Automate security (and other package) updates with the utility Unattended Upgrades on Debian.
Before You Begin
Complete the Getting Started guide.
Follow the Setting Up and Securing a Compute Instance guide to create a standard user account, and harden SSH access.
Log into your Linode via SSH and update and upgrade.
sudo apt update && sudo apt upgrade
NoteThis guide is written for a non-root user. Commands that require elevated privileges are prefixed withsudo
. If you’re not familiar with thesudo
command, see our Users and Groups guide.
Install Unattended Upgrades
You can set up automated security updates on Debian by installing a helpful utility called unattended-upgrades
.
Install it running the following command:
sudo apt install unattended-upgrades
After the installation completes, you can enable and start the
unattended-upgrades
service by running the following commands:sudo systemctl enable unattended-upgrades sudo systemctl start unattended-upgrades
This ensures that the service runs on system startup and is persistent throughout.
You now need to make changes to the configuration file. The default configuration file can be found here at
/etc/apt/apt.conf.d/50unattended-upgrades
. Open it with the text editor of your choice.
NoteThe unattended-upgrades package ignores lines that start with//
, as that line is considered to be a comment. Therefore, if you want a repository to update automatically, you need to remove//
from that line.
In our example, remove
//
from the “security” line if it’s there,"origin=Debian,codename=${distro_codename},label=Debian-Security";
. This section should look like the following:- File: /etc/apt/apt.conf.d/50unattended-upgrades
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
... Unattended-Upgrade::Origins-Pattern { // Codename based matching: // This will follow the migration of a release through different // archives (e.g. from testing to stable and later oldstable). // Software will be the latest available for the named release, // but the Debian release itself will not be automatically upgraded. // "origin=Debian,codename=${distro_codename}-updates"; // "origin=Debian,codename=${distro_codename}-proposed-updates"; "origin=Debian,codename=${distro_codename},label=Debian"; "origin=Debian,codename=${distro_codename},label=Debian-Security"; // Archive or Suite based matching: // Note that this will silently match a different release after // migration to the specified archive (e.g. testing becomes the // new stable). // "o=Debian,a=stable"; // "o=Debian,a=stable-updates"; // "o=Debian,a=proposed-updates"; // "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports"; }; ...
Blacklisting Packages
The Unattended-Upgrade::Package-Blacklist
section of the configuration file allows you to block upgrades for specific packages.
To block upgrades for specific packages, add the desired package name to the list. In this example, add “apache2” and “vim”:
- File: /etc/apt/apt.conf.d/50unattended-upgrades
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
... Unattended-Upgrade::Package-Blacklist { // The following matches all packages starting with linux- // "linux-"; "apache2"; "vim"; // Use $ to explicitely define the end of a package name. Without // the $, "libc6" would match all of them. // "libc6$"; // "libc6-dev$"; // "libc6-i686$"; // Special characters need escaping // "libstdc\+\+6$"; // The following matches packages like xen-system-amd64, xen-utils-4.1, // xenstore-utils and libxenstore3.0 // "(lib)?xen(store)?"; // For more information about Python regular expressions, see // https://docs.python.org/3/howto/regex.html }; ...
Deleting Dependencies
You can explicitly set up the unattended-upgrades service to remove unused dependencies by changing the Remove-Unused-Kernel-Packages
, Remove-New-Unused-Dependencies
, and Remove-Unused-Dependencies
options to true. Remember to remove //
to uncomment these lines.
- File: /etc/apt/apt.conf.d/50unattended-upgrades
1 2 3 4 5 6 7 8 9 10 11 12 13 14
... // Remove unused automatically installed kernel-related packages // (kernel images, kernel headers and kernel version locked tools). Unattended-Upgrade::Remove-Unused-Kernel-Packages "true"; // Do automatic removal of newly unused dependencies after the upgrade Unattended-Upgrade::Remove-New-Unused-Dependencies "true"; // Do automatic removal of unused packages after the upgrade // (equivalent to apt-get autoremove) Unattended-Upgrade::Remove-Unused-Dependencies "true"; ...
Enabling Automatic Upgrades
To enable automatic updates create a new auto-upgrades file: /etc/apt/apt.conf.d/20auto-upgrades
using text editor of your choice.
This file allows you to define how often the auto updates take place.
- File: /etc/apt/apt.conf.d/20auto-upgrades
1 2 3
APT::Periodic::Update-Package-Lists "1"; APT::Periodic::Unattended-Upgrade "1"; APT::Periodic::AutocleanInterval "7";
- Update-Package-Lists:
1
enables auto-update,0
disables. - Unattended-Upgrade:
1
enables auto-upgrade,0
disables. - AutocleanInterval: Enables auto clean packages for
X
days. The above configuration displays 7 days- For example, APT::Periodic::AutocleanInterval “7”; means that the system clears the download archive every seven days.
Testing The Configuration
You can perform a dry run to test the configuration. The dry run command runs a test update but no actual changes take place.
You can run the dry run test by using the command:
sudo unattended-upgrades --dry-run --debug
This page was originally published on