Security updates patch vulnerabilities that could compromise your VPS. unattended-upgrades automatically installs critical security updates (and optionally other updates) on a schedule, keeping your server secure without requiring manual intervention.
Prerequisites
- Ubuntu 18.04+ or Debian 10+
- SSH access with sudo privileges
- Email configured on the server (optional, for notifications)
Step 1: Install unattended-upgrades
sudo apt update
sudo apt install -y unattended-upgrades apt-listchanges
- unattended-upgrades — The automatic updater
- apt-listchanges — Shows changelog details (optional, but helpful)
Step 2: Enable the service
Create the configuration file to enable auto-upgrades:
sudo dpkg-reconfigure -plow unattended-upgrades
This automatically enables and starts the service. Or manually:
sudo systemctl enable unattended-upgrades
sudo systemctl start unattended-upgrades
Step 3: Verify it's running
sudo systemctl status unattended-upgrades
Look for active (running).
Also check the log:
sudo tail -f /var/log/unattended-upgrades/unattended-upgrades.log
Step 4 (Optional): Customize auto-upgrade behavior
Edit the configuration file:
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
Key settings:
Install only security updates (default, recommended):
CODE6
Allow automatic reboots after kernel updates (optional):
CODE7
This reboots at 2:00 AM if a kernel update is installed. Omit this line to require manual reboots.
Allow automatic reboots even if users are logged in (only if necessary):
CODE8
Keep this false to avoid interrupting users; true reboots regardless.
Email notifications on updates:
CODE9
Replace root with your email address. on-change sends mail only if updates were installed.
After editing, save (Ctrl+X, then Y, then Enter in nano).
Step 5 (Optional): Set the update check schedule
Edit the APT periodic configuration:
sudo nano /etc/apt/apt.conf.d/10periodic
Replace the entire file with:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
This:
- Updates the package list daily
- Downloads available upgrades daily
- Removes old downloaded packages after 7 days
- Runs unattended-upgrades daily
For a different schedule (e.g., every 3 days), replace "1" with "3".
Save and exit.
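To confirm the schedule took effect, check the values APT actually resolves rather than one file: APT merges every file in /etc/apt/apt.conf.d in name order, so a later file such as 20auto-upgrades overrides 10periodic. The script below is an added example, not part of the original guide; it parses apt-config dump output, flags a disabled periodic job, and checks the /var/run/reboot-required marker. The function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): audit what APT will actually do.
# Input is text in `apt-config dump` format: one  Key "value";  per line.

# Print the value of KEY read from stdin; the last occurrence wins.
apt_value() {
    awk -v key="$1" '$1 == key { v = $2; gsub(/[";]/, "", v); hit = 1 }
                     END { if (hit) print v }'
}

# Return 0 only if list refresh and unattended-upgrade are both enabled.
# An unset key or "0" means that periodic job never runs.
audit_periodic() {
    rc=0
    for key in APT::Periodic::Update-Package-Lists \
               APT::Periodic::Unattended-Upgrade; do
        val=$(printf '%s\n' "$1" | apt_value "$key")
        case "$val" in
            ''|0) echo "FAIL $key is disabled (value: '${val:-unset}')"; rc=1 ;;
            *)    echo "ok   $key = $val" ;;
        esac
    done
    return "$rc"
}

# Return 0 if a package has requested a reboot (marker file present).
reboot_pending() {
    [ -e "${1:-/var/run/reboot-required}" ]
}

# Constructed sample: effective settings on a host where a later file in
# /etc/apt/apt.conf.d has switched the upgrade run off.
SAMPLE_BAD='APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "0";'

# On a real host, audit the live configuration instead of the sample.
if command -v apt-config >/dev/null 2>&1; then
    audit_periodic "$(apt-config dump)" || echo "automatic updates are NOT fully enabled"
    if reboot_pending; then
        echo "reboot required to finish applying updates"
    fi
fi
```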
Step 6: Test the configuration
Run a dry-run to see what updates would be applied:
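sudo unattended-upgrade --dry-run --debug
The --dry-run flag simulates the run without making changes; --debug (-d) prints detailed output showing what would happen. On its own, -d only enables debug output and still installs updates.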
Real-world output:
CODE13
Manual trigger (optional)
Force an immediate update check:
sudo unattended-upgrade -v
The -v flag is verbose; watch the full process.
View update history
See what's been installed:
grep -i "upgrade" /var/log/unattended-upgrades/unattended-upgrades.log
Or use apt history:
grep " install " /var/log/apt/history.log | tail -10
Disable automatic updates (if needed)
To temporarily disable:
sudo systemctl stop unattended-upgrades
sudo systemctl disable unattended-upgrades
To re-enable:
sudo systemctl enable unattended-upgrades
sudo systemctl start unattended-upgrades
RHEL/CentOS equivalent
If you're on RHEL or CentOS, use dnf-automatic instead:
sudo dnf install -y dnf-automatic
sudo systemctl enable dnf-automatic.timer
sudo systemctl start dnf-automatic.timer
Edit /etc/dnf/automatic.conf to configure behavior.
Tips
- Kernel updates require reboots: Security kernel patches need a reboot to take effect. Enable Automatic-Reboot if you can tolerate scheduled downtime, or manually reboot after seeing updates in the log.
- Avoid production downtimes: If your VPS runs critical services, schedule reboots during maintenance windows (e.g., 2 AM) to minimize user impact.
- Test on staging first: In a test environment, enable all updates (not just security) to see the impact before rolling out.
- Monitor the log: Check /var/log/unattended-upgrades/unattended-upgrades.log weekly to ensure updates are running.
- Email delivery: If you receive no emails, check that your VPS's mail system (exim, postfix) is working: echo "test" | mail -s "test" root and check /var/log/mail.log.
Automatic security updates are now enabled. Your VPS will stay patched without manual effort.