Skip to main content

Why This Matters

It is critical to keep a server updated with the latest security patches. Without timely updates, your server remains vulnerable to known security exploits that attackers actively scan for and exploit. Unless you plan on checking your server daily, you need:
  1. Automatic updates for critical security patches
  2. Email alerts for pending non-critical updates
You don’t want to automatically apply ALL updates because:
  • Every update carries some risk of breaking functionality
  • Critical security patches should be applied immediately
  • Non-critical updates can wait for manual review
Potential Risk: Automatic unattended updates may break your system, and you may not be near your server to fix it. This is especially problematic if SSH access breaks.Weigh this risk against the security risk of running unpatched systems.

Debian Based Systems

Your server must be able to send emails for notifications to work. See the Gmail/Exim4 configuration guide if you haven’t set up email yet.

How It Works

On Debian systems, we’ll use:
  • unattended-upgrades - Automatically applies system updates you specify (critical security patches)
  • apt-listchanges - Shows details about package changes before installation
  • apticron - Sends email notifications for pending package updates

Installation

1

Install required packages

sudo apt install unattended-upgrades apt-listchanges apticron
2

Configure unattended-upgrades

Instead of modifying the default configuration files (which may be overwritten during updates), create a new file:Create /etc/apt/apt.conf.d/51myunattended-upgrades with this content:
// Enable the update/upgrade script (0=disable)
APT::Periodic::Enable "1";

// Do "apt-get update" automatically every n-days (0=disable)
APT::Periodic::Update-Package-Lists "1";

// Do "apt-get upgrade --download-only" every n-days (0=disable)
APT::Periodic::Download-Upgradeable-Packages "1";

// Do "apt-get autoclean" every n-days (0=disable)
APT::Periodic::AutocleanInterval "7";

// Send report mail to root
//     0:  no report             (or null string)
//     1:  progress report       (actually any string)
//     2:  + command outputs     (remove -qq, remove 2>/dev/null, add -d)
//     3:  + trace on
APT::Periodic::Verbose "2";
APT::Periodic::Unattended-Upgrade "1";

// Automatically upgrade packages from these
Unattended-Upgrade::Origins-Pattern {
      "o=Debian,a=stable";
      "o=Debian,a=stable-updates";
      "origin=Debian,codename=${distro_codename},label=Debian-Security";
};

// You can specify your own packages to NOT automatically upgrade here
Unattended-Upgrade::Package-Blacklist {
};

// Run dpkg --force-confold --configure -a if a unclean dpkg state is detected
Unattended-Upgrade::AutoFixInterruptedDpkg "true";

// Perform the upgrade when the machine is running
Unattended-Upgrade::InstallOnShutdown "false";

// Send an email to this address with information about the packages upgraded
Unattended-Upgrade::Mail "root";

// Always send an e-mail
Unattended-Upgrade::MailOnlyOnError "false";

// Remove all unused dependencies after the upgrade has finished
Unattended-Upgrade::Remove-Unused-Dependencies "true";

// Remove any new unused dependencies after the upgrade has finished
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";

// Automatically reboot WITHOUT CONFIRMATION if the file /var/run/reboot-required is found
Unattended-Upgrade::Automatic-Reboot "true";

// Automatically reboot even if users are logged in
Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
3

Test the configuration

Run a dry-run to verify your configuration:
sudo unattended-upgrade -d --dry-run
If there are no errors, the configuration is correct. To run it immediately:
sudo unattended-upgrade -d
4

Configure apt-listchanges

Configure apt-listchanges to your preferences:
sudo dpkg-reconfigure apt-listchanges
Follow the prompts to set your email and notification preferences.
5

Configure apticron

The default settings are good, but you can customize them in /etc/apticron/apticron.conf.Example configuration:
EMAIL="root"
NOTIFY_NO_UPDATES="1"
This will:
  • Send emails to root
  • Notify even when there are no updates (so you know it’s working)

Understanding the Configuration

APT::Periodic Options

These control how often automated tasks run:
OptionValueDescription
Update-Package-Lists1Update package lists daily
Download-Upgradeable-Packages1Download updates daily
AutocleanInterval7Clean old packages weekly
Unattended-Upgrade1Apply upgrades daily

Unattended-Upgrade Options

OptionSettingDescription
Origins-PatternDebian stable, stable-updates, securityWhich repositories to auto-upgrade from
Package-BlacklistEmptyPackages to never auto-upgrade
MailrootEmail address for notifications
MailOnlyOnErrorfalseSend email for all upgrades, not just errors
Automatic-ReboottrueAutomatically reboot if kernel updated
Automatic-Reboot-WithUserstrueReboot even with users logged in
Automatic Reboot SettingsThe configuration includes automatic reboots when necessary (e.g., kernel updates). This ensures security patches are fully applied, but means your server may reboot unexpectedly.If you prefer manual reboots, change:
Unattended-Upgrade::Automatic-Reboot "false";

Blacklisting Packages

To prevent specific packages from being automatically upgraded, add them to the blacklist: 
Unattended-Upgrade::Package-Blacklist {
    "nginx";
    "apache2";
    "postgresql";
};

Monitoring

Check Upgrade Logs

View what unattended-upgrades has done: 
sudo cat /var/log/unattended-upgrades/unattended-upgrades.log

Check Last Run

sudo cat /var/log/unattended-upgrades/unattended-upgrades-dpkg.log

Check for Pending Updates

sudo apt update
apt list --upgradable

What This Does

With automatic updates configured:

Security Patches

Critical security updates are applied automatically within 24 hours

Email Notifications

You receive emails about all updates and system changes

Stable Updates

Only tested, stable updates are applied automatically

System Cleanup

Old packages are automatically cleaned up weekly

Troubleshooting

Not Receiving Emails

  1. Verify your mail configuration: 
    echo "Test" | mail -s "Test Email" root
  2. Check mail logs: 
    sudo tail -f /var/log/mail.log

Updates Not Running

  1. Check the systemd timer: 
    sudo systemctl status apt-daily-upgrade.timer
sudo systemctl status apt-daily.timer
  2. Manually trigger an update: 
    sudo unattended-upgrade -d

Checking What Will Be Upgraded

sudo unattended-upgrade --dry-run -d
The configuration files in /etc/apt/apt.conf.d/ are processed in numerical order. Our custom file 51myunattended-upgrades overrides settings from the default 50unattended-upgrades.

Build docs developers (and LLMs) love

Get started for freeTalk to us