How to Configure Automated Security Updates on Debian 11

Are you looking for a tutorial on how to configure automated security updates on Debian 11? Then this guide will show you how to set it up.

Security is always a top concern in our digital world. It’s also one of the reasons people decide to use Linux over Windows. To keep your system secure, it should always be up to date, especially when it comes to security updates.

Manually installing security updates can be a pain sometimes. Hence, the idea of automated security updates. We will show you how to configure it for your Debian device.

Let’s get started!

Configure Automated Security Updates on Debian 11

We will first update our system. To do that, simply run this command:

$ sudo apt update && sudo apt upgrade

Once the source list is updated, we will install a package called unattended-upgrades. It automatically keeps your computer updated with the latest security and other updates. Install the package using this command:

$ sudo apt install unattended-upgrades

[Screenshot: output of installing unattended-upgrades]

Usually, it’s installed by default since Debian 9, as you can see from the above screenshot. If it’s not in your case, the above command will install it.

After that, you need to check whether the package works as intended. For that, run this command:

$ sudo unattended-upgrades --dry-run --debug

[Screenshot: unattended-upgrades debug output]

You will see a stream of debug messages, but there’s nothing to worry about. If the output matches the screenshot, then it’s working fine.

After that’s done, we need to start and enable it. You can do that with the below commands:

$ sudo systemctl enable unattended-upgrades
$ sudo systemctl start unattended-upgrades

Now let’s check the status of unattended-upgrades. We can do that by running this command:

$ sudo systemctl status unattended-upgrades.service

The green ‘active (running)’ indicates that it’s running.

Modify the Configuration File of the Unattended Upgrades

In this step, we need to modify the config file of unattended-upgrades. You can use any text editor of your liking. We will use nano. To open the configuration file in nano, run this command:

$ sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

The double forward slashes you see are used for comments. That means those lines are there for documentation purposes and won’t execute. Scroll down until you find these lines:

"origin=Debian,codename=${distro_codename}-updates";
"origin=Debian,codename=${distro_codename}-proposed-updates";
"origin=Debian,codename=${distro_codename},label=Debian";
"origin=Debian,codename=${distro_codename},label=Debian-Security";

In case these lines are commented out, remove the forward slashes to uncomment them.

Save the file with ‘Ctrl + O’ and exit with ‘Ctrl + X’.

Enable Unattended Upgrades on Debian 11

Once you’re done modifying the config file, it’s now time to enable the automated security updates. You can do that in 2 ways. Let’s check out both.

Automatic call via /etc/apt/apt.conf.d/20auto-upgrades

For an automatic call of unattended-upgrades, we will create the file /etc/apt/apt.conf.d/20auto-upgrades. The file should have the below two lines:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

One simple way to create the file is to run this command:

$ sudo dpkg-reconfigure --priority=low unattended-upgrades

It will show a popup window. Use the arrow keys to choose between the ‘Yes’ and ‘No’ options. To enable it, we need to choose ‘Yes’. Do that and hit ‘Enter’.

After pressing ‘Enter’, you should get the following message:

Creating config file /etc/apt/apt.conf.d/20auto-upgrades with new version

If you prefer creating the file non-interactively, then run this command instead:

$ echo unattended-upgrades unattended-upgrades/enable_auto_updates boolean true | sudo debconf-set-selections
$ sudo dpkg-reconfigure -f noninteractive unattended-upgrades

Automatic call via /etc/apt/apt.conf.d/02periodic

This is an alternative way of activating unattended-upgrades. Create the file in a text editor. To create it in nano, run this command:

$ sudo nano /etc/apt/apt.conf.d/02periodic

Here’s a sample configuration from the Debian wiki:

// Enable the update/upgrade script (0=disable)
APT::Periodic::Enable "1";

// Do "apt-get update" automatically every n-days (0=disable)
APT::Periodic::Update-Package-Lists "1";

// Do "apt-get upgrade --download-only" every n-days (0=disable)
APT::Periodic::Download-Upgradeable-Packages "1";

// Run the "unattended-upgrade" security upgrade script
// every n-days (0=disabled)
// Requires the package "unattended-upgrades" and will write
// a log in /var/log/unattended-upgrades
APT::Periodic::Unattended-Upgrade "1";

// Do "apt-get autoclean" every n-days (0=disable)
APT::Periodic::AutocleanInterval "21";

// Send report mail to root
//     0:  no report             (or null string)
//     1:  progress report       (actually any string)
//     2:  + command outputs     (remove -qq, remove 2>/dev/null, add -d)
//     3:  + trace on
APT::Periodic::Verbose "2";
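
To confirm that the edits above actually took effect, the following Python check (an added example, not part of the original tutorial or of unattended-upgrades) parses the contents of 50unattended-upgrades and of 20auto-upgrades or 02periodic, skips `//` comment lines, and reports whether a Debian-Security origin and the periodic run are enabled. The sample file contents and the function names are constructed for illustration.

```python
import re

# Constructed sample file contents (not taken from a real host).
SAMPLE_50 = '''\
Unattended-Upgrade::Origins-Pattern {
//      "origin=Debian,codename=${distro_codename}-updates";
        "origin=Debian,codename=${distro_codename},label=Debian";
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
};
'''
SAMPLE_20 = '''\
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "0";
'''

ORIGIN_RE = re.compile(r'^"(origin=[^"]+)";')
PERIODIC_RE = re.compile(r'^APT::Periodic::([\w-]+)\s+"([^"]*)";')

def active_lines(text):
    """Yield stripped lines that are neither blank nor // comments."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("//"):
            yield line

def enabled_origins(text):
    """Origin patterns that are uncommented, i.e. actually in effect."""
    hits = (ORIGIN_RE.match(line) for line in active_lines(text))
    return [m.group(1) for m in hits if m]

def periodic_settings(text):
    hits = (PERIODIC_RE.match(line) for line in active_lines(text))
    return {m.group(1): m.group(2) for m in hits if m}

def audit(origins_conf, periodic_conf):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not any("label=Debian-Security" in o for o in enabled_origins(origins_conf)):
        findings.append("no enabled origin has label=Debian-Security")
    settings = periodic_settings(periodic_conf)
    if settings.get("Enable", "1") == "0":
        findings.append("APT::Periodic::Enable is 0")
    for key in ("Update-Package-Lists", "Unattended-Upgrade"):
        if settings.get(key, "0") in ("", "0"):
            findings.append(f"APT::Periodic::{key} is 0 or missing")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_50, SAMPLE_20) or "ok")
```

On a real host, pass `audit()` the text of /etc/apt/apt.conf.d/50unattended-upgrades and of whichever periodic file you created.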

Blacklist Packages From Upgrading

In the configuration file, we can manually add packages in the Package-Blacklist section to block them from upgrading. For that, you need to add the package name in that section, like this:

Unattended-Upgrade::Package-Blacklist {
    // The following matches all packages starting with linux-
//  "linux-";
    "nginx";
    "nano";

    // Use $ to explicitly define the end of a package name. Without
    // the $, "libc6" would match all of them.
//  "libc6$";
//  "libc6-dev$";
//  "libc6-i686$";

    // Special characters need escaping
//  "libstdc\+\+6$";

    // The following matches packages like xen-system-amd64, xen-utils-4.1,
    // xenstore-utils and libxenstore3.0
//  "(lib)?xen(store)?";

    // For more information about Python regular expressions, see
    // https://docs.python.org/3/howto/regex.html
};
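
Because each entry is a regular expression, an entry without a trailing `$` can hold back security updates for more packages than intended. The Python example below is added for illustration and is not code from the tutorial or from unattended-upgrades. It shows which names each entry from the sample would exclude, assuming entries are matched from the start of the package name as the comments in the file describe. The package list and function names are constructed.

```python
import re

# Patterns taken from the Package-Blacklist sample above, plus "nano$"
# for comparison. Package names below are constructed for illustration.
PATTERNS = ["nginx", "nano", "nano$", "libc6$", r"libstdc\+\+6$",
            "(lib)?xen(store)?"]
PACKAGES = ["nginx", "nginx-common", "nano", "nano-tiny", "libc6",
            "libc6-dev", "libstdc++6", "xen-utils-4.1", "libxenstore3.0",
            "openssl"]

def held_back(pattern, packages):
    """Packages excluded by one blacklist entry.

    Assumption: the entry is a Python regex matched from the start of the
    package name (re.match), as the comments in the config file describe.
    """
    rx = re.compile(pattern)
    return [name for name in packages if rx.match(name)]

def collateral(pattern, intended, packages):
    """Packages held back in addition to the one the admin meant to pin."""
    return [name for name in held_back(pattern, packages) if name != intended]

def exact_entry(name):
    """Blacklist entry that matches only this package name."""
    return re.escape(name) + "$"

def report(patterns, packages):
    """Map every blacklist entry to the packages it would exclude."""
    return {pattern: held_back(pattern, packages) for pattern in patterns}

if __name__ == "__main__":
    for pattern, names in report(PATTERNS, PACKAGES).items():
        print(f"{pattern!r:22} -> {names}")
    print("collateral of 'nginx':", collateral("nginx", "nginx", PACKAGES))
    print("exact entry for libstdc++6:", exact_entry("libstdc++6"))
```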

Disable Unattended Upgrades on Debian 11

If you decide to disable it, simply run the reconfigure command again, like this:

$ sudo dpkg-reconfigure --priority=low unattended-upgrades

Then choose ‘No’ and press ‘Enter’.

You should get the below message:

Replacing config file /etc/apt/apt.conf.d/20auto-upgrades with new version

This means that you’ve turned off unattended-upgrades, which in turn turns off automatic security updates. Unless there’s a need for this (such as disabling APT News) or you know what you’re doing, we don’t recommend you disable this setting.

Final Thoughts

This tutorial shows you how to configure automated security updates on Debian 11. We’ve covered the installation process, how to edit the configuration file, how to set up the automatic updates, how to block specific package updates, and how to disable the automatic security update as a whole. 

That’s it for this guide. If you’re stuck somewhere or getting errors, let us know in the comments below.
