33. Implement automatic security updates

by Double Bastion - Updated December 22, 2021

Since we recommend to perform a manual update for all the packages that are not security related, once every four weeks, it’s important to understand that performing the security updates manually, with the same frequency, is not appropriate. If you apply the security updates only once a month, this may leave the system vulnerable for days or even weeks. To overcome this problem, we recommend that you apply the ‘regular’ updates once every 4 weeks to be able to see what is updated and all the notes, warnings, errors, that can show up during such updates, but apply the security updates automatically, immediately after they are released, by using the unattended-upgrades and apt-listchanges packages.

Thus, first install the needed packages:

apt-get update
apt-get install apt-listchanges
apt-get install unattended-upgrades

If the /etc/apt/apt.conf.d/20auto-upgrades file doesn’t exist, uninstall unattended-upgrades (running apt-get purge unattended-upgrades), then install it again. Open the /etc/apt/apt.conf.d/20auto-upgrades file:

nano /etc/apt/apt.conf.d/20auto-upgrades

Make sure this file contains the following lines:

APT::Periodic::Update-Package-Lists “1”;
APT::Periodic::Unattended-Upgrade “1”;

These two lines mean: do an apt-get update and an apt-get upgrade every day.

Next edit the /etc/apt/apt.conf.d/50unattended-upgrades file:

nano /etc/apt/apt.conf.d/50unattended-upgrades

Make sure you have the following settings inside:

Unattended-Upgrade::Origins-Pattern {
// “origin=Debian,codename=${distro_codename},label=Debian”;

Unattended-Upgrade::Package-Blacklist {


Unattended-Upgrade::Mail “admin@example.com“;

Replace admin@example.com with the email address where you want to receive emails regarding security updates.

As you can see, we commented out the line for regular updates and we left enabled only the line for security updates. We didn’t include any packages on the blacklist to be skipped by the update process. We also configured unattended-upgrade to send emails to the admin email address after performing an update. As the notes in this file state, for unattended-upgrade to be able to send emails, we have to have a package that provides the mailx application installed on the server. So install bsd-mailx by running:

apt-get install bsd-mailx

This will be enough to allow unattended-upgrades to send emails to the configured address. If you want to have the emails sent to multiple addresses just enter them one after the other separated by commas, like this:

Unattended-Upgrade::Mail “admin@example.com, admin2@domain.net“;

If you want to receive emails only when errors occur, set the MailOnlyOnError parameter to true like this:

Unattended-Upgrade::MailOnlyOnError “true”;

Next open the /etc/apt/listchanges.conf file:

nano /etc/apt/listchanges.conf

Make sure the content of this file looks as follows:


Replace admin@example.com with the email address you used in the /etc/apt/apt.conf.d/50unattended-upgrades file.

unattended-upgrades runs automatically but you can also run it manually. If you want to see debug information, run it like this:

unattended-upgrades -d

unattended-upgrades logs its activity to: /var/log/unattended-upgrades/unattended-upgrades.log .

Please note that after unattended-upgrades performs some automatic upgrades, it can send you an email informing you that some packages have an ‘upgradable origin’ but have been kept back. This can happen if a new version of a package has a new configuration file and during the upgrade process the admin has to be asked if he wants to keep the old configuration file or replace it with the new one, or when the program decides that it’s better to upgrade some packages manually. The message will look similar to this:

Unattended upgrade result: All upgrades installed

Packages that were upgraded:

Packages with upgradable origin but kept back:

In this case, you should log in to your server and perform the upgrade manually by running:

apt-get update

apt-get dist-upgrade

As mentioned, for certain packages you may be asked if you want to keep the old configuration file or install the new one. You should answer that you want to keep the old configuration file, so as not to loose the configuration changes that you made in that file.

After certain automatic upgrades, unattended-upgrades will inform you that a reboot will be required to complete the upgrades. The email will begin like this:

Unattended upgrade result: All upgrades installed 

Warning: A reboot is required to complete this upgrade, or a previous one.

In this situation, you should log in to your server and manually reboot the server, preferably at a moment when the short interruption of services caused by the reboot, will not affect the users of those services.

33.1. Stop unattended security updates

If later on you want to stop the automated security updates that you have just configured, run:

dpkg-reconfigure -plow unattended-upgrades

The output will look like this:

Applying updates on a frequent basis is an important part of keeping

 systems secure. By default, updates need to be applied manually using
 package management tools.

 Alternatively, you can choose to have this system automatically download 
 and install security updates.                                                                   

     Automatically download and install stable updates?

Here answer NO to stop the automated updates. Then if you open the /etc/apt/apt.conf.d/20auto-upgrades file:

nano /etc/apt/apt.conf.d/20auto-upgrades

you will see:

APT::Periodic::Update-Package-Lists "0";
APT::Periodic::Unattended-Upgrade "0";