Are you looking for a tutorial on how to configure automated security updates on Debian 11? Then this guide will show you how to set it up.
Security is always a top concern in our digital world. It’s also one of the reasons people decide to use Linux over Windows. To keep your system secure, it should always be up to date, especially with security updates.
Manually installing security updates can be a pain sometimes, hence the idea of automated security updates. We will show you how to configure them for your Debian device.
Let’s get started!
Configure Automated Security Updates on Debian 11
We will first update our system. To do that, simply run this command:
$ sudo apt update && sudo apt upgrade
Once the package lists are updated, we will install a package called unattended-upgrades. It automatically keeps your computer updated with the latest security and other updates. Install the package using this command:
$ sudo apt install unattended-upgrades
It has usually been installed by default since Debian 9. If it isn’t installed in your case, the above command will install it.
After that, you need to check whether the package works as intended. For that, run this command:
$ sudo unattended-upgrades --dry-run --debug
You will see a lot of debug messages, but there’s nothing to worry about. If the dry run finishes without errors, it’s working fine.
After that’s done, we need to start and enable it. You can do that with the below commands:
$ sudo systemctl enable unattended-upgrades
$ sudo systemctl start unattended-upgrades
Now let’s check the status of unattended-upgrades. We can do that by running this command:
$ sudo systemctl status unattended-upgrades.service
The green ‘active (running)’ indicates that it’s running.
Modify the Configuration File of the Unattended Upgrades
In this step, we need to modify the config file of unattended-upgrades. You can use any text editor of your liking. We will use nano. To open the configuration file in nano, run this command:
$ sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
The double forward slashes you see mark comments. That means those lines are there for documentation purposes and are ignored. Scroll down until you find these lines:
"origin=Debian,codename=${distro_codename}-updates";
"origin=Debian,codename=${distro_codename}-proposed-updates";
"origin=Debian,codename=${distro_codename},label=Debian";
"origin=Debian,codename=${distro_codename},label=Debian-Security";
In case these lines are commented out, remove the forward slashes to uncomment them. Each line names an archive origin that unattended-upgrades is allowed to install packages from.
Save the file with ‘Ctrl + O’ and exit with ‘Ctrl + X’.
Enable Unattended Upgrades on Debian 11
Once you’re done modifying the config file, it’s now time to enable the automated security updates. You can do that in 2 ways. Let’s check out both.
Automatic call via /etc/apt/apt.conf.d/20auto-upgrades
For an automatic call of unattended-upgrades, we will create the file /etc/apt/apt.conf.d/20auto-upgrades. The file should have the below two lines:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
One simple way to create the file is to run this command:
$ sudo dpkg-reconfigure --priority=low unattended-upgrades
It will show a popup window. Use the arrow keys to choose between the ‘Yes’ and ‘No’ options. To enable it, we need to choose ‘Yes’. Do that and hit ‘Enter’.
After pressing ‘Enter’, you should get the following message:
Creating config file /etc/apt/apt.conf.d/20auto-upgrades with new version
If you prefer creating the file non-interactively, then run these commands instead. Note that debconf-set-selections must run as root, so sudo goes on the right-hand side of the pipe:
$ echo unattended-upgrades unattended-upgrades/enable_auto_updates boolean true | sudo debconf-set-selections
$ sudo dpkg-reconfigure -f noninteractive unattended-upgrades
Automatic call via /etc/apt/apt.conf.d/02periodic
This is an alternative way of activating unattended-upgrades. Create the file in a text editor. To create it in nano, run this command:
$ sudo nano /etc/apt/apt.conf.d/02periodic
Here’s a sample configuration from the Debian wiki:
// Enable the update/upgrade script (0=disable)
APT::Periodic::Enable "1";
// Do "apt-get update" automatically every n-days (0=disable)
APT::Periodic::Update-Package-Lists "1";
// Do "apt-get upgrade --download-only" every n-days (0=disable)
APT::Periodic::Download-Upgradeable-Packages "1";
// Run the "unattended-upgrade" security upgrade script
// every n-days (0=disabled)
// Requires the package "unattended-upgrades" and will write
// a log in /var/log/unattended-upgrades
APT::Periodic::Unattended-Upgrade "1";
// Do "apt-get autoclean" every n-days (0=disable)
APT::Periodic::AutocleanInterval "21";
// Send report mail to root
// 0: no report (or null string)
// 1: progress report (actually any string)
// 2: + command outputs (remove -qq, remove 2>/dev/null, add -d)
// 3: + trace on
APT::Periodic::Verbose "2";
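A check for the result of either method, as an added example that is not part of the original tutorial: it reads settings in the format printed by `apt-config dump` and fails if the periodic jobs are off or no Debian-Security origin is allowed. The function name and both sample inputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit APT settings in the format printed by `apt-config dump`.
# audit_auto_updates is a hypothetical helper name, not part of apt.

audit_auto_updates() {  # $1 = dump text; returns 0 only if every check passes
    dump=$1
    rc=0
    # APT::Periodic::Enable counts as on when unset; an explicit "0" disables the job.
    if printf '%s\n' "$dump" | grep -q '^APT::Periodic::Enable "0";'; then
        echo 'FAIL APT::Periodic::Enable is 0'; rc=1
    fi
    for opt in APT::Periodic::Update-Package-Lists APT::Periodic::Unattended-Upgrade; do
        val=$(printf '%s\n' "$dump" | sed -n "s/^$opt \"\(.*\)\";\$/\1/p" | tail -n 1)
        case $val in
            ''|0) echo "FAIL $opt is unset or 0 (disabled)"; rc=1 ;;
            *)    echo "OK   $opt = $val" ;;
        esac
    done
    # List items appear as  Name:: "value";  in the dump.
    if printf '%s\n' "$dump" |
        grep -q '^Unattended-Upgrade::Origins-Pattern:: ".*label=Debian-Security'; then
        echo 'OK   a Debian-Security origin is allowed'
    else
        echo 'FAIL no Debian-Security entry in Origins-Pattern'; rc=1
    fi
    return $rc
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_ON='APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
Unattended-Upgrade::Origins-Pattern:: "origin=Debian,codename=${distro_codename},label=Debian-Security";'
SAMPLE_OFF='APT::Periodic::Update-Package-Lists "0";
APT::Periodic::Unattended-Upgrade "0";'

audit_auto_updates "$SAMPLE_ON"
# On a real host: audit_auto_updates "$(apt-config dump)"
```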
Blacklist Packages From Upgrading
In the configuration file, we can manually add packages in the Package-Blacklist section to block them from upgrading. For that, you need to add the package name in that section, like this:
Unattended-Upgrade::Package-Blacklist {
// The following matches all packages starting with linux-
// "linux-";
"nginx";
"nano";
// Use $ to explicitely define the end of a package name. Without
// the $, "libc6" would match all of them.
// "libc6$";
// "libc6-dev$";
// "libc6-i686$";
// Special characters need escaping
// "libstdc\+\+6$";
// The following matches packages like xen-system-amd64, xen-utils-4.1,
// xenstore-utils and libxenstore3.0
// "(lib)?xen(store)?";
// For more information about Python regular expressions, see
// https://docs.python.org/3/howto/regex.html
};
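The matching rule described in the comments above, as an added example that is not part of the original tutorial: it extracts the active entries from a Package-Blacklist block and lists which package names they hold back. It assumes entries are matched from the start of the package name and approximates that with `grep -E "^(entry)"`; the function names, config text and package list are constructed for illustration.

```shell
#!/bin/sh
# Added example: which packages does a Package-Blacklist block hold back?
# Assumption: an entry matches from the start of the package name, so an
# entry without a trailing $ also covers longer names with the same prefix.

# Print the active (uncommented) entries of the blacklist block, one per line.
blacklist_entries() {  # stdin = apt.conf text
    sed -n '/^Unattended-Upgrade::Package-Blacklist {/,/^};/p' |
        grep -v '^[[:space:]]*//' |
        sed -n 's/^[[:space:]]*"\(.*\)";.*$/\1/p'
}

# Print the candidate packages that at least one active entry matches.
held_packages() {  # $1 = apt.conf text, remaining args = package names
    conf=$1; shift
    pattern=$(printf '%s\n' "$conf" | blacklist_entries | paste -sd '|' -)
    [ -n "$pattern" ] || return 0          # no active entries: nothing held
    printf '%s\n' "$@" | grep -E "^($pattern)" | paste -sd ' ' -
}

# Constructed config: the two active entries from the block above.
CONF='Unattended-Upgrade::Package-Blacklist {
    // "linux-";
    "nginx";
    "nano";
    // "libc6$";
};'
# Same entries, each anchored with $ so only the exact name matches.
CONF_ANCHORED='Unattended-Upgrade::Package-Blacklist {
    "nginx$";
    "nano$";
};'
# Constructed list of candidate package names.
PKGS='nano nano-tiny nginx nginx-common libnginx-mod-http-geoip libc6'

echo "unanchored: $(held_packages "$CONF" $PKGS)"
echo "anchored:   $(held_packages "$CONF_ANCHORED" $PKGS)"
```

Names that merely contain an entry, such as libnginx-mod-http-geoip, are not held, while every name that begins with one is.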
Disable Unattended Upgrades on Debian 11
If you decide to disable it, simply run the reconfigure command again, like this:
$ sudo dpkg-reconfigure --priority=low unattended-upgrades
Then choose ‘No’ and press ‘Enter’.
You should get the below message:
Replacing config file /etc/apt/apt.conf.d/20auto-upgrades with new version
This means that you’ve turned off unattended-upgrades, which in turn turns off automatic security updates. Unless there’s a need for this (such as disabling APT News) or you know what you’re doing, we don’t recommend you disable this setting.
Final Thoughts
This tutorial shows you how to configure automated security updates on Debian 11. We’ve covered the installation process, how to edit the configuration file, how to set up the automatic updates, how to block specific package updates, and how to disable the automatic security update as a whole.
That’s it for this guide. If you’re stuck somewhere or getting errors, let us know in the comments below.
If this guide helped you, please share it.