How to configure automatic security updates on Ubuntu 24.04
Set up unattended upgrades for critical security patches on Ubuntu Cloud VPS. Enable automatic updates for kernel, firmware, and critical packages to reduce manual maintenance overhead.
Configure your Ubuntu 24.04 server to install critical security updates automatically without manual intervention. This guide covers enabling the unattended-upgrades package and customizing the schedule to ensure your Cloud VPS remains secure against the latest vulnerabilities. You will install the necessary tools, configure the update preferences, and verify the system applies patches during maintenance windows.
Prerequisites
- Ubuntu 24.04 LTS (Noble Numbat) or later installed on a Cloud VPS.
- Root access or sudo privileges.
- Stable internet connection to download package lists.
- Understanding of basic system services and cron jobs.
Step 1: Install the unattended-upgrades package
Install the unattended-upgrades tool using the apt package manager. This package handles the logic for selecting and installing security updates automatically. Run the following command to fetch and install the package along with its dependencies.
sudo apt update
sudo apt install unattended-upgrades -yAfter the installation completes, the system creates a configuration file at /etc/apt/apt.conf.d/50unattended-upgrades. You will need to edit this file to define which packages receive automatic updates.
Step 2: Configure the unattended-upgrades settings
Edit the main configuration file to specify the sources for automatic updates. Open the file using the nano text editor. This step ensures that only security updates for the Ubuntu universe and main repositories are applied automatically, avoiding unintended changes to your application stack.
sudo nano /etc/apt/apt.conf.d/50unattended-upgradesLocate the line starting with Unattended-Upgrade::Allowed-Origins. Replace the existing content with the following configuration. This ensures updates come from the official Ubuntu repositories and the security archive.
Unattended-Upgrade::Allowed-Origins {
"Ubuntu ${distro_id}:${distro_codename}-security";
"Ubuntu ${distro_id}:${distro_codename}-updates";
};Save the file by pressing Ctrl+O, then Enter. Exit the editor by pressing Ctrl+X. The system will now consider these repositories when checking for new security patches.
Step 3: Set the upgrade schedule
Configure the system to check for updates daily and install them automatically. Edit the second configuration file located at /etc/apt/apt.conf.d/20auto-upgrades. This file controls the frequency of the checks and the automatic installation of packages.
sudo nano /etc/apt/apt.conf.d/20auto-upgradesModify the Unattended-Upgrade::Automatic-Reboot setting. Set it to false to prevent automatic reboots, which is critical for production Cloud VPS environments where downtime must be controlled manually. Update the Unattended-Upgrade::Automatic-Install setting to true so the system installs the patches immediately after downloading them.
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Automatic-Install "true";Save the file and exit the editor. You can now run a manual test to ensure the configuration works before relying on the daily schedule.
Step 4: Run a manual update test
Force the system to check for and install available updates immediately. This verifies that the configuration is valid and that the system can fetch packages without errors. Run the following command to simulate the automatic upgrade process.
sudo unattended-upgrade --dry-run --debugIf you see output indicating that no updates are available or that updates would be installed, the configuration is correct. If you see errors regarding missing packages or permission issues, review the logs at /var/log/unattended-upgrades/unattended-upgrades.log.
Verify the installation
Check the status of the unattended-upgrades service to ensure it is active and enabled. This confirms that the system will automatically check for updates on the scheduled interval.
systemctl status unattended-upgradesYou will see output indicating the service is active (running). Additionally, run the following command to view the last execution log and confirm a successful run.
tail -n 50 /var/log/unattended-upgrades/unattended-upgrades.logThe log should contain messages like unattended-upgrades: run and unattended-upgrades: exit code 0, confirming the process completed without issues.
Troubleshooting
If automatic updates fail to install, check the system logs for specific error messages. Common issues include network connectivity problems or corrupted package lists. Run the following command to view the full error output from the last update attempt.
sudo grep -i error /var/log/unattended-upgrades/unattended-upgrades.logIf the system reports a dependency error, you may need to fix the package database before the next update cycle. Use the following command to repair broken dependencies and update the package lists.
sudo apt --fix-broken install
sudo apt updateEnsure that the unattended-upgrades service is not blocked by a firewall or security group on the Cloud VPS. Some cloud providers restrict outbound traffic on specific ports required by apt. Verify that port 80 and 443 are open for outbound connections to the Ubuntu repositories.
If you need to disable automatic updates temporarily for maintenance, stop the service and remove the configuration files. To re-enable them later, restart the service and restore the configuration files. Always test changes in a non-production environment first to avoid unintended system modifications.
sudo systemctl stop unattended-upgrades
sudo systemctl disable unattended-upgradesTo re-enable the automatic updates, run the following commands to start the service again.
sudo systemctl start unattended-upgrades
sudo systemctl enable unattended-upgradesMonitor the system regularly to ensure updates are applied successfully. Review the logs weekly to confirm that security patches are being installed within the expected timeframe.