Security vulnerabilities are the biggest threat for any server operator. That’s why it’s essential to always keep your system up to date. Of course, this can also be automated, which I’d like to demonstrate here using Debian as an example.
Auto-updates can also be dangerous, as they might lead to issues or incompatible updates. Some updates require manual intervention afterward.
This warning is highlighted in red for a reason. That’s why we won’t automatically update all packages on our system, but only install critical security updates. Feature-only updates you’ll still have to install yourself. This way, you can intervene directly to make corrections in case of major changes.
unattended-upgrades
Installation and Configuration
Debian offers its own method for automatic updates. To do this, you install the packages unattended-upgrades and apt-listchanges.
sudo apt-get install unattended-upgrades apt-listchanges
When these packages are installed, the files 20auto-upgrades and 50unattended-upgrades are created in the /etc/apt/apt.conf.d/ directory. Since these can be overwritten during updates, we’ll create and populate our own configuration file.
sudo nano /etc/apt/apt.conf.d/51my-unattended-upgrades
Afterward, you can check if everything is working with the following command. This will only simulate the process. If it runs without any error messages, you can proceed.
This should make your server regularly check for and install security updates. Important: If a restart is necessary, the system will be rebooted, so make sure your services start automatically at boot.