How to Configure Automatic Security Updates for Debian

Securing a web server running WordPress is important. This tutorial shows how to automatically install the latest Debian security updates, even while you sleep, using the unattended-upgrades package. Configuring automatic security updates for a server hosting WordPress reduces the chance that it is compromised through a known, already-patched vulnerability, and helps you avoid headaches such as the server going down. It is just like keeping WordPress and its plugins and themes up to date: better safe than sorry!

How to Configure Automatic Security Updates for Debian

Install the unattended-upgrades package, pre-seeding the debconf answer so that automatic updates are enabled before the package is installed:

sudo apt-get update
echo "unattended-upgrades unattended-upgrades/enable_auto_updates boolean true" | sudo debconf-set-selections
sudo apt-get install unattended-upgrades -y

Double-check that automatic upgrades are enabled:

cat /etc/apt/apt.conf.d/20auto-upgrades

You should see these two values set to 1, meaning they are enabled:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

If the file is empty or doesn't exist, you can tell unattended-upgrades to create it with this command:

sudo dpkg-reconfigure --priority=low unattended-upgrades
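As an added check (an example script, not part of the original tutorial), the following POSIX shell function reads 20auto-upgrades and reports whether both APT::Periodic keys are set to "1". It treats a missing file, a missing key, a value other than "1" and a commented-out line as failures, which is what you want from a check you might run from a cron job or a configuration audit. The function names and the sample file it builds with mktemp are this example's own; the key names are the ones shown in the file above.

```shell
#!/bin/sh
# Added example, not from the original tutorial: verify that both
# APT::Periodic keys in 20auto-upgrades are set to "1".
# Usage: check_auto_upgrades [/etc/apt/apt.conf.d/20auto-upgrades]

# Print the value of an APT::Periodic key from an apt.conf.d file.
# Commented-out lines (// ...) do not match; prints nothing if the key
# is absent. If the key appears more than once, the last one wins, as
# it does for apt itself.
apt_periodic_value() {
    ap_key="$1"; ap_file="$2"
    [ -f "$ap_file" ] || return 1
    # Matches lines such as:  APT::Periodic::Unattended-Upgrade "1";
    sed -n "s/^[[:space:]]*APT::Periodic::${ap_key}[[:space:]]*\"\([^\"]*\)\";.*/\1/p" \
        "$ap_file" | tail -n 1
}

# Return 0 when both keys are "1", 1 otherwise, reporting each key.
check_auto_upgrades() {
    ca_file="${1:-/etc/apt/apt.conf.d/20auto-upgrades}"
    if [ ! -f "$ca_file" ]; then
        echo "MISSING: $ca_file (run: sudo dpkg-reconfigure --priority=low unattended-upgrades)"
        return 1
    fi
    ca_status=0
    for ca_key in Update-Package-Lists Unattended-Upgrade; do
        ca_value=$(apt_periodic_value "$ca_key" "$ca_file")
        if [ "$ca_value" = "1" ]; then
            echo "OK:  APT::Periodic::$ca_key = 1"
        else
            echo "BAD: APT::Periodic::$ca_key = '${ca_value:-unset}' (expected 1)"
            ca_status=1
        fi
    done
    return $ca_status
}

# Demo on a constructed file so the example runs offline; pass the real
# path (or nothing) to check the live system instead.
demo=$(mktemp)
cat > "$demo" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
check_auto_upgrades "$demo"
rm -f "$demo"
```

Running it without an argument checks the real /etc/apt/apt.conf.d/20auto-upgrades; a non-zero exit status means the periodic upgrade is not actually enabled, however the package was installed.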

To add custom package origins (for example a third-party repository) to the allowed list, use the following steps.

List the contents of your apt lists directory:

ls -ls /var/lib/apt/lists

Here the dotdeb repository, which we want to enable upgrades for, shows up as:

/var/lib/apt/lists/packages.dotdeb.org_dists_jessie_InRelease

We just need to extract the Origin and Label fields, which are what unattended-upgrades matches on:

grep Origin /var/lib/apt/lists/packages.dotdeb.org_dists_jessie_InRelease
grep Label /var/lib/apt/lists/packages.dotdeb.org_dists_jessie_InRelease

You will see this output, which we will add to the unattended-upgrades configuration:

Origin: packages.dotdeb.org
Label: packages.dotdeb.org

Add this to the unattended-upgrades allowed-origins list in this file:

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Add the origin line for the dotdeb repository:

// Automatically upgrade packages from these origin patterns
Unattended-Upgrade::Origins-Pattern {
        // Archive or Suite based matching:
        // Note that this will silently match a different release after
        // migration to the specified archive (e.g. testing becomes the
        // new stable).
//      "o=Debian,a=stable";
//      "o=Debian,a=stable-updates";
//      "o=Debian,a=proposed-updates";
        "origin=Debian,archive=stable,label=Debian-Security";
        "origin=Debian,archive=oldstable,label=Debian-Security";
        "origin=packages.dotdeb.org,label=packages.dotdeb.org";
};

In the same file, make sure that automatic reboot is set to false, so an update never takes the server down unexpectedly (see Sources below):

Unattended-Upgrade::Automatic-Reboot "false";
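The origin-extraction steps above and the Automatic-Reboot check can be scripted so they are repeatable on every server. The following POSIX shell example is added here and is not part of the original tutorial or of the unattended-upgrades package: it reads the Origin and Label headers from an InRelease file, builds the "origin=...,label=..." pattern in the form used in 50unattended-upgrades, checks whether that pattern is already present as an active (not //-commented) entry, and checks that Automatic-Reboot is explicitly "false" on an uncommented line. The function names and the sample InRelease and configuration files it constructs with mktemp are this example's own; Origin and Label are the standard Release-file headers shown above.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Builds the
# Origins-Pattern entry for a repository from its InRelease file, checks
# whether 50unattended-upgrades already allows it, and checks that
# Automatic-Reboot is explicitly "false". The sample files at the bottom
# are constructed for this demo; the real ones live under
# /var/lib/apt/lists and /etc/apt/apt.conf.d.

# Print the value of a "Key: value" header from an InRelease file.
# The headers come before the PGP signature block, so stop there.
release_field() {
    rf_key="$1"; rf_file="$2"
    sed -n -e '/^-----BEGIN PGP SIGNATURE-----/q' \
           -e "s/^${rf_key}:[[:space:]]*//p" "$rf_file" | head -n 1
}

# Print the "origin=...,label=..." pattern that unattended-upgrades expects.
origins_pattern() {
    op_origin=$(release_field Origin "$1")
    op_label=$(release_field Label "$1")
    if [ -z "$op_origin" ] || [ -z "$op_label" ]; then
        echo "no Origin/Label header found in $1" >&2
        return 1
    fi
    printf 'origin=%s,label=%s\n' "$op_origin" "$op_label"
}

# Return 0 if the pattern appears as an active (not // commented) entry.
pattern_allowed() {
    pa_pattern="$1"; pa_conf="$2"
    sed 's/^[[:space:]]*//' "$pa_conf" | grep -Fqx "\"${pa_pattern}\";"
}

# Return 0 only if Automatic-Reboot is set to "false" on an uncommented line.
reboot_disabled() {
    sed 's/^[[:space:]]*//' "$1" \
        | grep -Eq '^Unattended-Upgrade::Automatic-Reboot[[:space:]]+"false";'
}

# --- demo on constructed files ---
demo_rel=$(mktemp); demo_conf=$(mktemp)
cat > "$demo_rel" <<'EOF'
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Origin: packages.dotdeb.org
Label: packages.dotdeb.org
Suite: jessie
Codename: jessie
-----BEGIN PGP SIGNATURE-----
(signature omitted from this constructed sample)
-----END PGP SIGNATURE-----
EOF
cat > "$demo_conf" <<'EOF'
Unattended-Upgrade::Origins-Pattern {
        "origin=Debian,archive=stable,label=Debian-Security";
//      "origin=packages.dotdeb.org,label=packages.dotdeb.org";
};
//Unattended-Upgrade::Automatic-Reboot "false";
EOF

pattern=$(origins_pattern "$demo_rel")
echo "pattern: $pattern"
if pattern_allowed "$pattern" "$demo_conf"; then
    echo "already allowed in $demo_conf"
else
    echo "not yet allowed; add this line inside Origins-Pattern { }:"
    printf '        "%s";\n' "$pattern"
fi
if reboot_disabled "$demo_conf"; then
    echo "Automatic-Reboot is explicitly false"
else
    echo "Automatic-Reboot \"false\" is not set on an uncommented line"
fi
rm -f "$demo_rel" "$demo_conf"
```

Both checks deliberately ignore commented-out lines, because the shipped 50unattended-upgrades has most entries commented with "//" and a line that looks right but is still commented is the most common reason a third-party repository never gets upgraded. Point release_field at the real file under /var/lib/apt/lists and the config functions at /etc/apt/apt.conf.d/50unattended-upgrades to check a live system.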

Test That Unattended Upgrades Will Work

This test procedure was derived from one of the tutorials listed under Sources below.

To make sure unattended-upgrade will work as intended, do a dry run when you know that updates are available:

sudo unattended-upgrade --debug --dry-run

If there is nothing to upgrade, you will see output like this:

Initial blacklisted packages:
Starting unattended upgrades script
Allowed origins are: ['origin=Debian,archive=stable,label=Debian-Security', 'origin=Debian,archive=oldstable,label=Debian-Security', 'origin=packages.dotdeb.org,label=packages.dotdeb.org']
pkgs that look like they should be upgraded:
Fetched 0 B in 0s (0 B/s)
fetch.run() result: 0
blacklist: []
InstCount=0 DelCount=0 BrokenCout=0
No packages found that can be upgraded unattended

If you do have packages to update, you will see something like this instead:

Allowed origins are: ['origin=Debian,codename=jessie,label=Debian-Security', 'origin=packages.dotdeb.org,label=packages.dotdeb.org']
Checking: debhelper ([])
Checking: exim4 ([])
Checking: exim4-base ([])
Checking: exim4-config ([])
Checking: exim4-daemon-light ([])
Checking: libdbd-mysql-perl ([])
Checking: libgd3 ([])
Checking: libintl-perl ([])
Checking: libmodule-build-perl ([])
Checking: libmysqlclient18 ([])
Checking: libperl5.20 ([])
Checking: mariadb-client ([])
Checking: mariadb-client-10.0 ([])
Checking: mariadb-client-core-10.0 ([])
Checking: mariadb-common ([])
Checking: mariadb-server ([])
Checking: mariadb-server-10.0 ([])
Checking: mariadb-server-core-10.0 ([])
Checking: mysql-common ([])
Checking: openssh-client ([])
Checking: openssh-server ([])
Checking: openssh-sftp-server ([])
Checking: perl ([])
Checking: perl-base ([])
Checking: perl-modules ([])
Checking: php5-cli ([])
Checking: php5-common ([])
Checking: php5-readline ([])
Checking: php7.0-cli ([])
Checking: php7.0-common ([])
Checking: php7.0-curl ([])
Checking: php7.0-dev ([])
Checking: php7.0-fpm ([])
Checking: php7.0-gd ([])
Checking: php7.0-json ([])
Checking: php7.0-mysql ([])
Checking: php7.0-opcache ([])
Checking: php7.0-readline ([])
Checking: php7.0-xml ([])
Checking: tzdata ([])
pkgs that look like they should be upgraded: debhelper
exim4
exim4-base
exim4-config
exim4-daemon-light
libdbd-mysql-perl
libgd3
libintl-perl
libmodule-build-perl
libmysqlclient18
libperl5.20
mariadb-client
mariadb-client-10.0
mariadb-client-core-10.0
mariadb-common
mariadb-server
mariadb-server-10.0
mariadb-server-core-10.0
mysql-common
openssh-client
openssh-server
openssh-sftp-server
perl
perl-base
perl-modules
php5-cli
php5-common
php5-readline
php7.0-cli
php7.0-common
php7.0-curl
php7.0-dev
php7.0-fpm
php7.0-gd
php7.0-json
php7.0-mysql
php7.0-opcache
php7.0-readline
php7.0-xml
...
Option --dry-run given, *not* performing real actions
Packages that will be upgraded: debhelper exim4 exim4-base exim4-config exim4-daemon-light libdbd-mysql-perl libgd3 libintl-perl libmodule-build-perl libmysqlclient18 libperl5.20 mariadb-client mariadb-client-10.0 mariadb-client-core-10.0 mariadb-common mariadb-server mariadb-server-10.0 mariadb-server-core-10.0 mysql-common openssh-client openssh-server openssh-sftp-server perl perl-base perl-modules php5-cli php5-common php5-readline php7.0-cli php7.0-common php7.0-curl php7.0-dev php7.0-fpm php7.0-gd php7.0-json php7.0-mysql php7.0-opcache php7.0-readline php7.0-xml

You can check what unattended-upgrades actually did in its log file:

cat /var/log/unattended-upgrades/unattended-upgrades.log

Sources

Brightbox Unattended Upgrades
Ubuntu Automatic Security Updates
Debian Unattended Upgrades
Stop Unattended Upgrades from Rebooting