Automatic Security Updates

How to configure automatic security updates on Debian, Ubuntu and CentOS

Keeping your system updated is the simplest and most effective security measure. Automatic security updates apply critical patches without manual intervention.


Debian / Ubuntu: unattended-upgrades

Installation

apt install unattended-upgrades -y

Interactive Configuration

dpkg-reconfigure --priority=low unattended-upgrades

Answer Yes to enable automatic updates.

Manual Configuration

nano /etc/apt/apt.conf.d/50unattended-upgrades

Recommended configuration:

Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";
    "${distro_id}ESMApps:${distro_codename}-apps-security";
    "${distro_id}ESM:${distro_codename}-infra-security";
};

// Remove unused dependencies
Unattended-Upgrade::Remove-Unused-Dependencies "true";

// Auto-reboot if needed (e.g., kernel update)
// WARNING: server will reboot automatically!
Unattended-Upgrade::Automatic-Reboot "false";

// If you enable auto-reboot, set it during low-traffic hours
Unattended-Upgrade::Automatic-Reboot-Time "04:00";

// Email notification (optional)
// Unattended-Upgrade::Mail "admin@example.com";

Enable the Timer

nano /etc/apt/apt.conf.d/20auto-upgrades

File contents:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";

Verify It Works

# Test without installing anything
unattended-upgrades --dry-run --debug

# Log of executed updates
cat /var/log/unattended-upgrades/unattended-upgrades.log
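
The dry run shows what would be installed, but not whether the periodic job is switched on. As an added example (not part of the original page; the function names and sample files are constructed), this script checks the two files edited above for settings that leave automatic security updates inactive:

```bash
#!/usr/bin/env bash
# Added example: function names and sample file contents are constructed.

# Print the last value set for an APT option, ignoring // comments.
apt_opt() {  # usage: apt_opt <file> <option>
    sed 's://.*$::' "$1" |
        awk -v key="$2" '$1 == key { gsub(/[";]/, "", $2); v = $2 } END { print v }'
}

# Succeed if the Allowed-Origins block lists a "-security" origin.
has_security_origin() {  # usage: has_security_origin <file>
    sed 's://.*$::' "$1" |
        awk '/^Unattended-Upgrade::Allowed-Origins/ { blk = 1 }
             blk && /-security"/ { ok = 1 }
             blk && /^[}];/ { blk = 0 }
             END { exit !ok }'
}

# Report settings that leave automatic security updates inactive.
audit_auto_updates() {  # usage: audit_auto_updates [periodic-file] [policy-file]
    local periodic="${1:-/etc/apt/apt.conf.d/20auto-upgrades}"
    local policy="${2:-/etc/apt/apt.conf.d/50unattended-upgrades}" opt rc=0
    for opt in Update-Package-Lists Unattended-Upgrade; do
        case "$(apt_opt "$periodic" "APT::Periodic::$opt")" in
            ""|0) echo "FAIL: APT::Periodic::$opt is unset or 0"; rc=1 ;;
        esac
    done
    has_security_origin "$policy" ||
        { echo "FAIL: no -security origin in Allowed-Origins"; rc=1; }
    [ "$(apt_opt "$policy" Unattended-Upgrade::Automatic-Reboot)" = "true" ] ||
        echo "NOTE: Automatic-Reboot is off; kernel updates wait for a manual reboot"
    return "$rc"
}

# Write constructed sample files: the timer file has the upgrade step disabled.
write_sample() {  # usage: write_sample <dir>
    printf '%s\n' 'APT::Periodic::Update-Package-Lists "1";' \
        'APT::Periodic::Unattended-Upgrade "0";' > "$1/20auto-upgrades"
    printf '%s\n' 'Unattended-Upgrade::Allowed-Origins {' \
        '    "${distro_id}:${distro_codename}-security";' '};' \
        '// Unattended-Upgrade::Automatic-Reboot "true";' \
        'Unattended-Upgrade::Automatic-Reboot "false";' > "$1/50unattended-upgrades"
}

demo=$(mktemp -d)
write_sample "$demo"
audit_auto_updates "$demo/20auto-upgrades" "$demo/50unattended-upgrades" || echo "audit: not compliant"
rm -rf "$demo"
```

Called without arguments, audit_auto_updates reads the two paths used on this page. On a live host, `apt-config dump | grep Periodic` shows the merged values from every file in apt.conf.d, which is what apt actually applies.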

CentOS / AlmaLinux / Rocky Linux: dnf-automatic

Installation

dnf install dnf-automatic -y

Configuration

nano /etc/dnf/automatic.conf

File contents:

[commands]
# Download and install only security updates
upgrade_type = security
apply_updates = yes

[emitters]
# Message after updates
emit_via = stdio

# For email notifications (optional)
# emit_via = email

[email]
# email_from = root@localhost
# email_to = admin@example.com

Enable the Timer

# Daily updates
systemctl enable --now dnf-automatic.timer

# Verify
systemctl status dnf-automatic.timer
systemctl list-timers | grep dnf

Manual Update (When You Want Control)

Even with automatic updates enabled, it's good practice to periodically do a full manual update:

# Debian/Ubuntu
apt update && apt upgrade -y

# For kernel updates (requires reboot)
apt full-upgrade -y
reboot

# CentOS/AlmaLinux
dnf update -y

Check Available Updates Without Installing

# Debian/Ubuntu
apt list --upgradable

# Security updates only
apt list --upgradable | grep -i security

# CentOS/AlmaLinux
dnf check-update
dnf updateinfo list security
