debian, linux, nextcloud, raspberrypi, security

Automatic security updates on a Debian system

Computer security is an issue of paramount importance. More even so whenever we are running services exposed to the internet. Much more even so when those services can compromise sensitive data.

The first piece of advice you will always get is “keep your system up to date with the latest security patches”, and my favourite way of keeping my Debian systems safe is through the unattended-upgrades package.

Automatic security updates are handy when we are managing a considerable number of servers but we want to be careful as things can break for users or our coworkers, so choosing the right configuration and having a predefined procedure can save us some headaches.

This is included in the latest release of NextCloudPi.

Installation

Generic Installer

You can easily install it and configure it in your running server through the generic installer

Raspbian offline

Alternatively, you can install it offline into a Raspbian SD card using QEMU.

Extract the SD card and copy the image to your computer (adjust sdx).

Then,

Once done, you can copy it back (adjust sdx).

Manual

If you want to do it step by step, install with

Easy configuration

If you are using the generic installer or issue nextcloudpi-config  in NextCloudPi it will only come down to two simple settings

  • ACTIVE: type yes to enable automatic updates
  • AUTOREBOOT: type yes to allow automatic reboots when needed.

In this setup, automatic reboots will only be run when needed, and will be run at 4:00 am.

Also, some settings will be configured for you:  .deb packages will be cached for 2 weeks, and a periodic apt-get autoclean will be run every week to prevent the autoupdate setup to take up too much storage.

See the code below for details. If you have different needs, continue reading.

Detailed Configuration

If you want to go in more detail, issue

This will create /etc/apt/apt.conf.d/20auto-upgrades with the following simple configuration

, which will update package lists and perform security updates daily ( see parameter “1” ).

You can check all options on /etc/apt/apt.conf.d/50unattended-upgrades

Your updates will be run from /etc/cron.daily/apt. That file is also worth a reading if you like tweaking things, like for instance scheduled apt-get autoremove.

More on usage

You can run it yourself with

If you have mailing setup, use this option

The operations are written to

Code

github

References

https://help.ubuntu.com/community/AutomaticSecurityUpdates

Author: nachoparker

Humbly sharing things that I find useful [ github dockerhub ]

2 Comments on “Automatic security updates on a Debian system

Leave a Reply

Your email address will not be published. Required fields are marked *