Computer security is of paramount importance, even more so when we run services exposed to the internet, and more still when compromising those services can expose sensitive data.
The first piece of advice you will always get is “keep your system up to date with the latest security patches”, and my favourite way of keeping my Debian systems safe is through the unattended-upgrades package.
Automatic security updates are handy when we are managing a considerable number of servers, but we want to be careful, as things can break for users or our coworkers. Choosing the right configuration and having a predefined procedure can save us some headaches.
This is included in the latest release of NextCloudPi.
You can easily install and configure it on your running server through the generic installer:
git clone https://github.com/nextcloud/nextcloudpi.git
cd nextcloudpi
./installer.sh unattended-upgrades.sh <server_IP>
Alternatively, you can install it offline into a Raspbian SD card using QEMU.
Extract the SD card and copy the image to your computer (adjust sdx).
sudo dd if=/dev/sdx of=my_rpi.img bs=4M
./installer.sh unattended-upgrades.sh 192.168.0.130 my_rpi.img
Once done, you can copy it back (adjust sdx).
sudo dd if=my_rpi.img of=/dev/sdx bs=4M
If you want to do it step by step, install with
sudo apt-get install unattended-upgrades
- ACTIVE: type yes to enable automatic updates
- AUTOREBOOT: type yes to allow automatic reboots when needed.
In this setup, automatic reboots will only be run when needed, and will be run at 4:00 am.
Also, some settings will be configured for you: .deb packages will be cached for 2 weeks, and a periodic apt-get autoclean will be run every week to prevent the autoupdate setup from taking up too much storage.
See the code below for details. If you have different needs, continue reading.
If you want to go into more detail, run
sudo dpkg-reconfigure --priority=low unattended-upgrades
This will create /etc/apt/apt.conf.d/20auto-upgrades with the following simple configuration, which will update package lists and perform security updates daily (see parameter “1”).
You can check all options in /etc/apt/apt.conf.d/50unattended-upgrades
Your updates will be run from /etc/cron.daily/apt. That file is also worth reading if you like tweaking things, for instance to schedule apt-get autoremove.
More on usage
You can run it yourself with
sudo unattended-upgrades -d
If you have mail set up, use this option
The operations are written to
[update] Raspbian does not support the Raspbian-Security label. For Raspbian, it is either update nothing or everything, security or not. See this forum thread.
# Unattended upgrades installation on Raspbian
# Copyleft 2017 by Ignacio Nunez Hernanz <nacho _a_t_ ownyourbits _d_o_t_ com>
# GPL licensed (see end of file) * Use at your own risk!
# ./installer.sh unattended-upgrades.sh <IP> (<img>)
# See installer.sh instructions for details
# More at: ownyourbits.com
apt install -y --no-install-recommends unattended-upgrades
[[ $ACTIVE_ == "yes" ]] && local AUTOUPGRADE=1 || local AUTOUPGRADE=0
[[ $AUTOREBOOT_ == "yes" ]] && local AUTOREBOOT=true || local AUTOREBOOT=false
# It seems like the label Raspbian-Security does not work for Raspbian
# See https://www.raspberrypi.org/forums/viewtopic.php?t=82863&p=585739
cat > /etc/apt/apt.conf.d/20nextcloudpi-upgrades <<EOF
echo "Unattended upgrades active: $ACTIVE_ (autoreboot $AUTOREBOOT_)"
apt-get autoremove -y
rm /var/lib/apt/lists/* -r
# This script is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
# This script is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this script; if not, write to the
# Free Software Foundation, Inc., 59 Temple Place, Suite 330,
# Boston, MA 02111-1307 USA
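
The script above writes /etc/apt/apt.conf.d/20nextcloudpi-upgrades, but the body of that file does not appear on this page. The following is an added example, not NextCloudPi's own code: it renders an apt fragment matching the settings the article describes (daily updates, 2-week package cache, weekly autoclean, reboot at 4:00 am only when needed). The function name render_upgrades_conf and the Origins-Pattern value are assumptions.

```bash
# Added example: prints an apt.conf.d fragment for review instead of writing it.
# render_upgrades_conf is a hypothetical helper, not part of NextCloudPi.
render_upgrades_conf() {
  # Accept only "yes" or "no", so a typo cannot silently disable updates.
  case "$1" in
    yes) ruc_upgrade=1 ;;
    no)  ruc_upgrade=0 ;;
    *)   echo "ACTIVE must be yes or no" >&2; return 1 ;;
  esac
  case "$2" in
    yes) ruc_reboot=true ;;
    no)  ruc_reboot=false ;;
    *)   echo "AUTOREBOOT must be yes or no" >&2; return 1 ;;
  esac

  cat <<EOF
// Refresh package lists daily; download and install upgrades only when active
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "$ruc_upgrade";
APT::Periodic::Unattended-Upgrade "$ruc_upgrade";
// Keep cached .deb files for at most 14 days, run autoclean every 7 days
APT::Periodic::MaxAge "14";
APT::Periodic::AutocleanInterval "7";
// Reboot only when an installed package requires it, at 04:00
Unattended-Upgrade::Automatic-Reboot "$ruc_reboot";
Unattended-Upgrade::Automatic-Reboot-Time "04:00";
// Raspbian has no security-only label, so every Raspbian package is in scope.
// Assumed origin and label: confirm with "apt-cache policy" on the target.
Unattended-Upgrade::Origins-Pattern {
    "o=Raspbian,l=Raspbian";
};
EOF
}

# Show the fragment for ACTIVE and AUTOREBOOT (both default to yes).
render_upgrades_conf "${1:-yes}" "${2:-yes}"
```

Redirect the output to a file under /etc/apt/apt.conf.d/ once reviewed, then run sudo unattended-upgrades -d to confirm that the origins pattern matches the packages you expect.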