How to keep Debian Linux patched with latest security updates automatically

How do I keep my server/cloud computer powered by Debian Linux 9.x or 8.x current with the latest security updates automatically? Is there a tool to apply security patches automatically?

 

Yes, you can download and install all security updates/upgrades automatically in the background. The process runs unattended and installs security updates for you.

Why do I need unattended installation of security updates?

Applying updates on a frequent basis is an important part of keeping systems secure. By default, updates need to be applied manually using package management tools. However, you can choose to have Debian automatically download and install important security updates. This guide shows you how to automatically download and install stable updates and security patches for a Debian Linux server.

Installation

Type the following apt command or apt-get command to install the unattended-upgrades package. To get email notifications you must also install bsd-mailx, a traditional, simple command-line mail user agent. The apt-listchanges tool compares a new version of a package with the one currently installed and shows what has changed by extracting the relevant entries from the Debian changelog and NEWS files. It will email you the changes too. Let us install all of them:

$ sudo apt install unattended-upgrades apt-listchanges bsd-mailx

 

OR

$ sudo apt-get install unattended-upgrades apt-listchanges bsd-mailx

 

Sample outputs:

Reading package lists… Done

Building dependency tree

Reading state information… Done

The following packages will be REMOVED:

unattended-upgrades*

0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.

After this operation, 252 kB disk space will be freed.

Do you want to continue? [Y/n] y

(Reading database … 28679 files and directories currently installed.)

Removing unattended-upgrades (0.93.1+nmu1) …

Processing triggers for man-db (2.7.6.1-2) …

(Reading database … 28649 files and directories currently installed.)

Purging configuration files for unattended-upgrades (0.93.1+nmu1) …

dpkg: warning: while removing unattended-upgrades, directory  /var/log/unattended-upgrades  not empty so not removed

Processing triggers for systemd (232-25) …

root@vpngateway:~# apt-get clean

root@vpngateway:~# apt-get autoclean

Reading package lists… Done

Building dependency tree

Reading state information… Done

root@vpngateway:~#

root@vpngateway:~# apt-get install unattended-upgrades apt-listchanges bsd-mailx

Reading package lists… Done

Building dependency tree

Reading state information… Done

apt-listchanges is already the newest version (3.10).

The following additional packages will be installed:

exim4-base exim4-config exim4-daemon-light liblockfile1 psmisc

Suggested packages:

eximon4 exim4-doc-html | exim4-doc-info spf-tools-perl swaks needrestart

The following NEW packages will be installed:

bsd-mailx exim4-base exim4-config exim4-daemon-light liblockfile1 psmisc unattended-upgrades

0 upgraded, 7 newly installed, 0 to remove and 0 not upgraded.

Need to get 2,298 kB of archives.

After this operation, 4,858 kB of additional disk space will be used.

Do you want to continue? [Y/n] y

Get:1 http://mirrors.linode.com/debian stretch/main amd64 liblockfile1 amd64 1.14-1+b1 [15.7 kB]

Get:2 http://security.debian.org/debian-security stretch/updates/main amd64 exim4-config all 4.89-2+deb9u1 [377 kB]

Get:3 http://mirrors.linode.com/debian stretch/main amd64 bsd-mailx amd64 8.1.2-0.20160123cvs-4 [87.0 kB]

Get:4 http://mirrors.linode.com/debian stretch/main amd64 psmisc amd64 22.21-2.1+b2 [123 kB]

Get:5 http://mirrors.linode.com/debian stretch/main amd64 unattended-upgrades all 0.93.1+nmu1 [61.7 kB]

Get:6 http://security.debian.org/debian-security stretch/updates/main amd64 exim4-base amd64 4.89-2+deb9u1 [1,093 kB]

Get:7 http://security.debian.org/debian-security stretch/updates/main amd64 exim4-daemon-light amd64 4.89-2+deb9u1 [541 kB]

Fetched 2,298 kB in 0s (19.5 MB/s)

Preconfiguring packages …

Selecting previously unselected package liblockfile1:amd64.

(Reading database … 28642 files and directories currently installed.)

Preparing to unpack …/0-liblockfile1_1.14-1+b1_amd64.deb …

Unpacking liblockfile1:amd64 (1.14-1+b1) …

Selecting previously unselected package exim4-config.

Preparing to unpack …/1-exim4-config_4.89-2+deb9u1_all.deb …

Unpacking exim4-config (4.89-2+deb9u1) …

Selecting previously unselected package exim4-base.

Preparing to unpack …/2-exim4-base_4.89-2+deb9u1_amd64.deb …

Unpacking exim4-base (4.89-2+deb9u1) …

Selecting previously unselected package exim4-daemon-light.

Preparing to unpack …/3-exim4-daemon-light_4.89-2+deb9u1_amd64.deb …

Unpacking exim4-daemon-light (4.89-2+deb9u1) …

Selecting previously unselected package bsd-mailx.

Preparing to unpack …/4-bsd-mailx_8.1.2-0.20160123cvs-4_amd64.deb …

Unpacking bsd-mailx (8.1.2-0.20160123cvs-4) …

Selecting previously unselected package psmisc.

Preparing to unpack …/5-psmisc_22.21-2.1+b2_amd64.deb …

Unpacking psmisc (22.21-2.1+b2) …

Selecting previously unselected package unattended-upgrades.

Preparing to unpack …/6-unattended-upgrades_0.93.1+nmu1_all.deb …

Unpacking unattended-upgrades (0.93.1+nmu1) …

Setting up psmisc (22.21-2.1+b2) …

Setting up exim4-config (4.89-2+deb9u1) …

Adding system-user for exim (v4)

Setting up liblockfile1:amd64 (1.14-1+b1) …

Setting up exim4-base (4.89-2+deb9u1) …

exim: DB upgrade, deleting hints-db

Processing triggers for libc-bin (2.24-11+deb9u1) …

Processing triggers for systemd (232-25) …

Setting up unattended-upgrades (0.93.1+nmu1) …

 

Creating config file /etc/apt/apt.conf.d/20auto-upgrades with new version

 

Creating config file /etc/apt/apt.conf.d/50unattended-upgrades with new version

Created symlink /etc/systemd/system/multi-user.target.wants/unattended-upgrades.service → /lib/systemd/system/unattended-upgrades.service.

Synchronizing state of unattended-upgrades.service with SysV service script with /lib/systemd/systemd-sysv-install.

Executing: /lib/systemd/systemd-sysv-install enable unattended-upgrades

Processing triggers for man-db (2.7.6.1-2) …

Setting up exim4-daemon-light (4.89-2+deb9u1) …

Initializing GnuTLS DH parameter file

Setting up bsd-mailx (8.1.2-0.20160123cvs-4) …

update-alternatives: using /usr/bin/bsd-mailx to provide /usr/bin/mailx (mailx) in auto mode

Processing triggers for systemd (232-25) …

Configuration file

You need to edit the file named /etc/apt/apt.conf.d/50unattended-upgrades

$ sudo vi /etc/apt/apt.conf.d/50unattended-upgrades

 

OR

$ sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

 

The following section of the config file controls which packages are upgraded:

Unattended-Upgrade::Origins-Pattern {
        // Codename based matching:
        // This will follow the migration of a release through different
        // archives (e.g. from testing to stable and later oldstable).
//      "o=Debian,n=jessie";
//      "o=Debian,n=jessie-updates";
//      "o=Debian,n=jessie-proposed-updates";
//      "o=Debian,n=jessie,l=Debian-Security";
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
};

You can also exclude packages from automatic upgrades (for example nginx or the Linux kernel image):

Unattended-Upgrade::Package-Blacklist {
        "nginx";
        "linux-image*";
};

You need to configure an email address to receive mail when there is a problem or when packages are upgraded. Of course, you must have a working email setup for this to work:

Unattended-Upgrade::Mail "notify@server1.cyberciti.biz";

Or at least send it to the root user on the same system:

Unattended-Upgrade::Mail "root";

 

Save and close the file. To activate unattended-upgrades, you need to make sure that the apt configuration has the following two lines. Use the cat command to view the file:

$ cat /etc/apt/apt.conf.d/20auto-upgrades

 

Sample outputs:

APT::Periodic::Update-Package-Lists "1";

APT::Periodic::Unattended-Upgrade "1";

It is possible to update or create this file using the following command:

$ sudo dpkg-reconfigure -plow unattended-upgrades

 

Sample outputs:

Fig.01 Activate unattended-upgrades using command line

 

And

Fig.02 Activate unattended-upgrades using command line

 

Finally, edit the file named /etc/apt/listchanges.conf using a text editor such as vim or nano:

$ sudo vi /etc/apt/listchanges.conf

 

Set email address from:

email_address=root

 

To:

email_address=notify@server1.cyberciti.biz

 

Save and close the file. For more info see Unattended Upgrades.
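
Looking at 20auto-upgrades alone does not prove the settings are in force: APT merges every file in /etc/apt/apt.conf.d, and a file read later can override an earlier one. The script below is an added example, not part of the original guide; it audits apt-config dump style output, and its function names and the embedded sample dump are constructed for illustration.

```shell
# Added example (not from the original article): audit the effective APT
# configuration, given `apt-config dump` style lines of the form: Key "value";

# Print the value of scalar key $1 as recorded in dump file $2.
cfg_value() {
    sed -n "s/^$1 \"\\(.*\\)\";\$/\\1/p" "$2" | tail -n 1
}

# Succeed only if periodic job $1 is switched on (key present and not "0").
periodic_enabled() {
    v=$(cfg_value "APT::Periodic::$1" "$2")
    [ -n "$v" ] && [ "$v" != 0 ]
}

# Succeed if an Origins-Pattern list entry selects the Debian-Security label.
security_origin_allowed() {
    grep -q '^Unattended-Upgrade::Origins-Pattern:: ".*label=Debian-Security' "$1"
}

# Check dump file $1, print findings, return the number of failed checks.
audit() {
    fails=0
    for job in Update-Package-Lists Unattended-Upgrade; do
        if periodic_enabled "$job" "$1"; then
            echo "ok:   APT::Periodic::$job is enabled"
        else
            echo "FAIL: APT::Periodic::$job is missing or 0"
            fails=$((fails + 1))
        fi
    done
    security_origin_allowed "$1" ||
        { echo "FAIL: no Origins-Pattern entry for Debian-Security"; fails=$((fails + 1)); }
    [ -n "$(cfg_value Unattended-Upgrade::Mail "$1")" ] ||
        echo "warn: Unattended-Upgrade::Mail unset, no reports will be sent"
    return "$fails"
}

# Constructed sample: another apt.conf.d file has reset Unattended-Upgrade to 0.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "0";
Unattended-Upgrade::Origins-Pattern:: "origin=Debian,codename=${distro_codename},label=Debian-Security";
Unattended-Upgrade::Mail "root";
EOF
audit "$sample" || echo "=> $? check(s) failed"
```

On a real server, save the output of apt-config dump to a file and pass that file to audit. Running sudo unattended-upgrade --dry-run --debug afterwards shows which packages would be upgraded without installing anything.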

This entry is 2 of 2 in the Applying Debian Security Updates/Patches series. Keep reading the rest of the series:

How to apply Debian security patches

How to keep Debian Linux patched with latest security updates automatically

 

 
