
Enable Automatic Security Updates (unattended-upgrades)

Configure unattended-upgrades on Ubuntu/Debian to install security patches automatically without manual intervention.

Security updates patch vulnerabilities that could compromise your VPS. unattended-upgrades automatically installs critical security updates (and optionally other updates) on a schedule, keeping your server secure without requiring manual intervention.

Prerequisites

  • Ubuntu 18.04+ or Debian 10+
  • SSH access with sudo privileges
  • Email configured on the server (optional, for notifications)

Step 1: Install unattended-upgrades

sudo apt update
sudo apt install -y unattended-upgrades apt-listchanges

  • unattended-upgrades — The automatic updater
  • apt-listchanges — Shows changelog details (optional, but helpful)

Step 2: Enable the service

Create the configuration file to enable auto-upgrades:

sudo dpkg-reconfigure -plow unattended-upgrades

This automatically enables and starts the service. Alternatively, enable and start it manually:

sudo systemctl enable unattended-upgrades
sudo systemctl start unattended-upgrades

Step 3: Verify it's running

sudo systemctl status unattended-upgrades

Look for active (running).

Also check the log:

sudo tail -f /var/log/unattended-upgrades/unattended-upgrades.log

Step 4 (Optional): Customize auto-upgrade behavior

Edit the configuration file:

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Key settings:

Install only security updates (default, recommended):
CODE6

Allow automatic reboots after kernel updates (optional):
CODE7

This reboots at 2:00 AM if a kernel update is installed. Omit this line to require manual reboots.

Allow automatic reboots even if users are logged in (only if necessary):
CODE8

Keep this false to avoid interrupting users; true reboots regardless.

Email notifications on updates:
CODE9

Replace root with your email address. on-change sends mail only if updates were installed.

After editing, save (Ctrl+X, then Y, then Enter in nano).

Step 5 (Optional): Set the update check schedule

Edit the APT periodic configuration:

sudo nano /etc/apt/apt.conf.d/10periodic

Replace the entire file with:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

This configuration:

  • Updates the package list daily
  • Downloads available upgrades daily
  • Cleans out old downloaded package files every 7 days
  • Runs unattended-upgrades daily

For a different schedule (e.g., every 3 days), replace "1" with "3".

Save and exit.
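
The script below is an added example, not part of the original article: it reads the one-line options from Steps 4 and 5 out of a configuration directory and reports whether automatic updates are effectively enabled and whether a pending reboot would be left unhandled. APT reads the files in name order and the last definition wins, so the 20auto-upgrades file that dpkg-reconfigure writes in Step 2 overrides 10periodic; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): audit the settings from Steps 4 and 5.

# Print the effective value of a one-line APT option (Key "value";) in DIR.
# Lines commented out with // are skipped. Files are read in name order and
# the last definition wins, so 20auto-upgrades overrides 10periodic.
apt_conf_value() {  # usage: apt_conf_value DIR KEY
    cat "$1"/* 2>/dev/null |
        sed -n "s|^[[:space:]]*$2[[:space:]]*\"\([^\"]*\)\";.*|\1|p" |
        tail -n 1
}

# Return 0 when automatic updates are enabled and no reboot is left pending.
audit_auto_updates() {  # usage: audit_auto_updates CONF_DIR REBOOT_FLAG_FILE
    status=0
    for key in APT::Periodic::Update-Package-Lists \
               APT::Periodic::Unattended-Upgrade; do
        val=$(apt_conf_value "$1" "$key")
        case "$val" in
            ''|0) echo "FAIL $key is '${val:-unset}'"; status=1 ;;
            *)    echo "OK   $key = $val" ;;
        esac
    done
    if [ -e "$2" ]; then
        if [ "$(apt_conf_value "$1" Unattended-Upgrade::Automatic-Reboot)" = true ]; then
            echo "OK   reboot pending, Automatic-Reboot is enabled"
        else
            echo "FAIL reboot pending, Automatic-Reboot is not enabled"; status=1
        fi
    fi
    return "$status"
}

# Constructed sample: Step 5 values in 10periodic, overridden by a later file.
make_sample() {  # usage: make_sample DIR
    printf '%s\n' 'APT::Periodic::Update-Package-Lists "3";' \
                  'APT::Periodic::Unattended-Upgrade "3";' > "$1/10periodic"
    printf '%s\n' 'APT::Periodic::Update-Package-Lists "1";' \
                  'APT::Periodic::Unattended-Upgrade "0";' > "$1/20auto-upgrades"
    printf '%s\n' '//Unattended-Upgrade::Automatic-Reboot "true";' \
        > "$1/50unattended-upgrades"
}

sample=$(mktemp -d)
make_sample "$sample"
audit_auto_updates "$sample" "$sample/reboot-required" || echo "audit failed"
rm -rf "$sample"
```

On a server, run audit_auto_updates /etc/apt/apt.conf.d /var/run/reboot-required; apt-config dump remains the authoritative view of the effective values, including options written in APT's nested block form, which this parser does not read.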

Step 6: Test the configuration

Run a dry-run to see what updates would be applied:

sudo unattended-upgrade --dry-run -d

The --dry-run flag simulates the run without making changes; -d enables debug output so you can see which packages would be upgraded.

Real-world output:
CODE13

Manual trigger (optional)

Force an immediate update check:

sudo unattended-upgrade -v

The -v flag is verbose; watch the full process.

View update history

See what's been installed:

grep -i "upgrade" /var/log/unattended-upgrades/unattended-upgrades.log

Or use apt history:

grep " install " /var/log/apt/history.log | tail -10

Disable automatic updates (if needed)

To temporarily disable:

sudo systemctl stop unattended-upgrades
sudo systemctl disable unattended-upgrades

To re-enable:

sudo systemctl enable unattended-upgrades
sudo systemctl start unattended-upgrades

RHEL/CentOS equivalent

If you're on RHEL or CentOS, use dnf-automatic instead:

sudo dnf install -y dnf-automatic
sudo systemctl enable dnf-automatic.timer
sudo systemctl start dnf-automatic.timer

Edit /etc/dnf/automatic.conf to configure behavior.

Tips

  • Kernel updates require reboots: Security kernel patches need a reboot to take effect. Enable Automatic-Reboot if you can tolerate scheduled downtime, or manually reboot after seeing updates in the log.
  • Avoid production downtimes: If your VPS runs critical services, schedule reboots during maintenance windows (e.g., 2 AM) to minimize user impact.
  • Test on staging first: In a test environment, enable all updates (not just security) to see the impact before rolling out.
  • Monitor the log: Check /var/log/unattended-upgrades/unattended-upgrades.log weekly to ensure updates are running.
  • Email delivery: If you receive no emails, check that your VPS's mail system (exim, postfix) is working: echo "test" | mail -s "test" root and check /var/log/mail.log.

Automatic security updates are now enabled. Your VPS will stay patched without manual effort.

