Setup Unattended Updates for Debian
20 Oct 2024
Introduction
Keeping your Linux servers up to date with the latest security patches is critical. Fortunately, if you’re running a Debian-based distribution (like Debian or Ubuntu), you can easily automate this process using unattended-upgrades. In this guide, we’ll walk through setting up automatic patching with unattended-upgrades, configuring a schedule for automatic reboots after updates, and setting up msmtp to send email notifications from your local Unix mail account.
Installation
The first step is to install unattended-upgrades, which will automatically install security (and optionally other) updates on your server. Here’s how to do it:
sudo apt-get update
sudo apt-get install unattended-upgrades apt-listchanges
After installation, you’ll want to enable unattended-upgrades:
sudo dpkg-reconfigure --priority=low unattended-upgrades
This writes /etc/apt/apt.conf.d/20auto-upgrades, which turns on the daily package-list refresh and the unattended-upgrade run. Which updates actually get installed is decided by the origins configured in /etc/apt/apt.conf.d/50unattended-upgrades, security updates only by default; you can widen that to regular updates as shown below.
Configuration
By default the run is triggered once a day by systemd's apt-daily-upgrade.timer (check with systemctl list-timers). The remaining knobs live in /etc/apt/apt.conf.d/50unattended-upgrades: which origins to pull updates from, and whether the server may reboot itself when an update requires it.
Automatic Updates
Edit the unattended-upgrades configuration file:
sudo vim /etc/apt/apt.conf.d/50unattended-upgrades
On Ubuntu, make sure the file has the following settings to apply both security and regular updates (the -updates entry ships commented out; uncomment it):
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}-security";
"${distro_id}:${distro_codename}-updates";
};
Allowed-Origins entries are matched against a repository's origin and suite (the o= and a= fields in apt-cache policy output). That works on Ubuntu, where the security pocket's suite is e.g. noble-security, but on Debian the security and updates repositories publish Suite: stable-security and stable-updates (only their codenames are bookworm-security and bookworm-updates), so these two strings match nothing and no updates get installed, silently. On Debian use the Origins-Pattern block that the stock file already carries, which matches on codename; the security entries are enabled by default, and uncommenting the -updates line adds regular updates:
Unattended-Upgrade::Origins-Pattern {
"origin=Debian,codename=${distro_codename},label=Debian-Security";
"origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
"origin=Debian,codename=${distro_codename}-updates";
};
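To see why the exact origin strings matter, here is a small shell re-implementation, added for this post and not code from unattended-upgrades, of how it decides whether a repository is an allowed origin: an Allowed-Origins entry "X:Y" is turned into "o=X,a=Y", Origins-Pattern entries keep their keys, ${distro_id} and ${distro_codename} are substituted, and every key=value is glob-matched against the release line that apt-cache policy prints for the repository. The release lines inside are constructed by hand to look like Debian 12 and Ubuntu 24.04 output; substitute_distro, to_pattern, origin_allowed and the other names are chosen for this example.

```shell
#!/bin/sh
# Added example: a simplified model of unattended-upgrades' origin matching.
# Keys, as in `apt-cache policy` release lines:
#   o=origin  a=suite/archive  n=codename  l=label  c=component
# Allowed-Origins "X:Y" becomes "o=X,a=Y"; Origins-Pattern keeps its keys.

# Substitute ${distro_id} / ${distro_codename} (on a live box these come
# from `lsb_release -is` and `lsb_release -cs`).
substitute_distro() {
    printf '%s\n' "$1" | sed -e 's/\${distro_id}/'"$2"'/g' \
                             -e 's/\${distro_codename}/'"$3"'/g'
}

# Normalise an entry to short-key form ("o=...,a=...,n=...").
to_pattern() {
    case "$1" in
        *=*) printf '%s\n' "$1" | sed -e 's/origin=/o=/g' -e 's/archive=/a=/g' \
                 -e 's/suite=/a=/g' -e 's/codename=/n=/g' -e 's/label=/l=/g' \
                 -e 's/component=/c=/g' ;;
        *:*) printf 'o=%s,a=%s\n' "${1%%:*}" "${1#*:}" ;;
        *)   echo "unrecognised entry: $1" >&2; return 1 ;;
    esac
}

# Value of key $2 in release line $1.
release_field() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# 0 if every key=value token of pattern $1 glob-matches release line $2, else 1.
pattern_matches() {
    for tok in $(printf '%s\n' "$1" | tr ',' ' '); do
        key=${tok%%=*}; want=${tok#*=}
        have=$(release_field "$2" "$key")
        case "$have" in
            $want) ;;          # unquoted: shell glob, like Python's fnmatch
            *) return 1 ;;
        esac
    done
    return 0
}

# origin_allowed ENTRY DISTRO_ID CODENAME RELEASE_LINE -> 0 if ENTRY selects that repo.
origin_allowed() {
    pat=$(to_pattern "$(substitute_distro "$1" "$2" "$3")") || return 1
    pattern_matches "$pat" "$4"
}

# Constructed samples of the "release" line apt-cache policy prints per repository.
DEBIAN_SECURITY='v=12,o=Debian,a=stable-security,n=bookworm-security,l=Debian-Security,c=main,b=amd64'
DEBIAN_UPDATES='v=12-updates,o=Debian,a=stable-updates,n=bookworm-updates,l=Debian,c=main,b=amd64'
UBUNTU_SECURITY='v=24.04,o=Ubuntu,a=noble-security,n=noble,l=Ubuntu,c=main,b=amd64'

# Print MATCH / NO MATCH for one entry against one repository.
report() {
    if origin_allowed "$1" "$2" "$3" "$4"; then
        printf 'MATCH     %-72s (%s %s)\n' "$1" "$2" "$3"
    else
        printf 'NO MATCH  %-72s (%s %s)\n' "$1" "$2" "$3"
    fi
    return 0
}

demo() {
    report '${distro_id}:${distro_codename}-security' Debian bookworm "$DEBIAN_SECURITY"
    report 'origin=Debian,codename=${distro_codename}-security,label=Debian-Security' Debian bookworm "$DEBIAN_SECURITY"
    report '${distro_id}:${distro_codename}-updates' Debian bookworm "$DEBIAN_UPDATES"
    report 'origin=Debian,codename=${distro_codename}-updates' Debian bookworm "$DEBIAN_UPDATES"
    report '${distro_id}:${distro_codename}-security' Ubuntu noble "$UBUNTU_SECURITY"
}

demo
```

Run it with sh: the Ubuntu-style string matches noble-security but not bookworm-security, while the codename-based Debian pattern does. To check a real box, feed it the release line from apt-cache policy and the output of lsb_release -is / -cs, or simply read the "Allowed origins are:" line that unattended-upgrade --dry-run --debug prints.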
Automatic Reboots
You can also have the server reboot itself after installing updates. unattended-upgrades only does this when a package has created /var/run/reboot-required (a kernel or libc update, for example); Automatic-Reboot-Time delays the reboot to a quiet hour instead of rebooting as soon as the run finishes, and Automatic-Reboot-WithUsers (true by default) controls whether to reboot while users are logged in. Add or modify the following lines in the same file:
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
Testing and Dry Runs
To give this a quick test, use the following. Add --debug to the dry run to see the "Allowed origins are:" line and why each package is or is not picked up; that is the fastest way to confirm your origin strings actually match your configured sources:
# dry run the process
sudo unattended-upgrade --dry-run --verbose
# run the unattended upgrade immediately
sudo unattended-upgrade --verbose
Email Notification
In the same file, add the address to notify. Because the mail will be relayed through Gmail in the next section, it has to be an address Gmail will deliver to; a user@localhost address is not, since msmtp does no local delivery. Use your real mailbox, or keep Mail set to "root", add aliases /etc/aliases to the defaults section of /etc/msmtprc and put root: your-email@gmail.com in /etc/aliases. Newer versions also honour Unattended-Upgrade::MailReport, with the values "always", "only-on-error" and "on-change", so you are not mailed after every run that did nothing:
Unattended-Upgrade::Mail "your-email@gmail.com";
The machine also needs a way to send mail. For that we use msmtp, a small SMTP client that hands mail to an external relay; install the msmtp and msmtp-mta packages (the latter registers msmtp as the system sendmail). I use Gmail, but any provider with authenticated SMTP submission works.
Configuration
Open /etc/msmtprc and fill in the following. For the password I needed an "App Password" from Google, since Google no longer accepts the account password for SMTP authentication. The file holds a relay credential, so make it root-owned and mode 600; if you would rather not keep the secret inline, msmtp's passwordeval option reads it from a command (for example cat of a root-only file) in place of the password line.
defaults
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile /var/log/msmtp.log
account gmail
host smtp.gmail.com
port 587
auth on
user your-email@gmail.com
password your-password
from your-email@gmail.com
account default : gmail
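The file now holds a relay credential, so it deserves the same care as any other secret. Below is a small lint, added here and not part of the page's setup or of msmtp, that checks an msmtprc for the usual mistakes: group- or world-readable permissions, the password kept inline instead of via passwordeval, and TLS or the trust store missing. write_samples creates two constructed configs to run it against: the one from this section saved with the default 644 permissions a root shell gives a new file, and a hardened variant that reads the secret from a root-only file /etc/msmtp-gmail.secret. lint_msmtprc, write_samples and that secret path are names chosen for this example.

```shell
#!/bin/sh
# Added example: lint a msmtprc for weak credential handling.
# Findings are printed one per line; the return value is the number of findings.

# lint_msmtprc FILE
lint_msmtprc() {
    f=$1; findings=0
    # group+other permission bits from `ls -l`, e.g. "r--r--" for mode 644
    perm=$(ls -l "$f" | cut -c5-10)
    if [ "$perm" != "------" ]; then
        echo "$f: readable by group/others ($perm); chown root:root and chmod 600"
        findings=$((findings + 1))
    fi
    if grep -Eq '^[[:space:]]*password[[:space:]]' "$f"; then
        echo "$f: inline 'password'; use 'passwordeval' with a root-only secret file"
        findings=$((findings + 1))
    fi
    if ! grep -Eq '^[[:space:]]*tls[[:space:]]+on' "$f"; then
        echo "$f: 'tls on' missing; credentials would travel in the clear"
        findings=$((findings + 1))
    fi
    if ! grep -Eq '^[[:space:]]*tls_trust_file[[:space:]]' "$f"; then
        echo "$f: no tls_trust_file; the relay's certificate cannot be verified"
        findings=$((findings + 1))
    fi
    return $findings
}

# write_samples DIR: two constructed configs, the weak one from this post and a hardened one.
write_samples() {
    dir=$1
    cat > "$dir/weak.msmtprc" <<'EOF'
defaults
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile /var/log/msmtp.log
account gmail
host smtp.gmail.com
port 587
auth on
user your-email@gmail.com
password your-password
from your-email@gmail.com
account default : gmail
EOF
    chmod 644 "$dir/weak.msmtprc"
    cat > "$dir/hardened.msmtprc" <<'EOF'
defaults
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile /var/log/msmtp.log
account gmail
host smtp.gmail.com
port 587
auth on
user your-email@gmail.com
passwordeval cat /etc/msmtp-gmail.secret
from your-email@gmail.com
account default : gmail
EOF
    chmod 600 "$dir/hardened.msmtprc"
}

demo() {
    d=$(mktemp -d)
    write_samples "$d"
    for f in "$d/weak.msmtprc" "$d/hardened.msmtprc"; do
        if lint_msmtprc "$f"; then echo "$f: OK"; fi
    done
    rm -rf "$d"
}

demo
```

Against a live system run lint_msmtprc /etc/msmtprc as root. The secret file named by passwordeval should itself be root-owned and mode 600; unattended-upgrades hands mail to sendmail as root, so that is the only user who needs to read it.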
Default
msmtp has to answer to the sendmail name, which is how unattended-upgrades and most other local programs hand off mail. The msmtp-mta package sets that up through Debian's alternatives system; if you installed plain msmtp, link it by hand:
sudo ln -sf /usr/bin/msmtp /usr/sbin/sendmail
Testing
Make sure your email setup is working by sending yourself a test message. Send it to the same real address you put in Unattended-Upgrade::Mail; a localhost address would be handed to Gmail and rejected, and a failure is logged in /var/log/msmtp.log:
echo "Test email from msmtp" | msmtp your-email@gmail.com
Conclusion
With unattended-upgrades and msmtp configured, your Debian-based servers will automatically stay up to date with security and software patches, and you’ll receive email notifications whenever updates are applied. Automating patch management is crucial for maintaining the security and stability of your servers, and these simple tools make it easy to manage updates with minimal effort.
Happy patching!