Set Up Automatic Security Updates with unattended-upgrades

Keep Ubuntu security patches moving even when you are busy, while still understanding what is installed and how to verify that the update routine is healthy.

Tags: Ubuntu updates, Low-maintenance security, Beginner friendly
What you learn

How to enable unattended-upgrades, choose sensible defaults, review logs, and understand when automatic updates help versus when manual review is better.

Best for

VPS owners, home servers, and small Linux boxes that need timely security fixes without daily babysitting.

Risk to watch

Automatic updates reduce patch delay, but they should still be paired with backups and occasional log checks.

Before you begin

  • An Ubuntu server with sudo access.
  • Recent backups or snapshots for anything important.
  • Enough free disk space for package updates.
  • A habit of checking service health after larger maintenance windows.

Many server compromises happen because updates were available but never applied. unattended-upgrades is a simple Ubuntu tool that closes part of that gap by automatically installing approved updates, especially security patches. It will not replace monitoring, backups, or good app hygiene, but it is one of the highest-value “set it once” improvements you can make.

Why automatic security updates are worth using

Small servers are often neglected for boring reasons. Nobody forgot them on purpose. They just fell behind while other work felt more urgent. unattended-upgrades helps because it handles routine security fixes without waiting for you to remember. That shortens the time your server is exposed to known package vulnerabilities.

Expected outcome: Your Ubuntu machine checks for updates automatically, installs allowed security patches, cleans up some old package state, and leaves a log trail you can review.

Step 1: Install the package

Update package metadata and install the tool:

sudo apt update
sudo apt install unattended-upgrades apt-listchanges -y

apt-listchanges is optional, but it can help surface package change information in a more readable way.

Step 2: Enable automatic security updates

Run the reconfiguration helper:

sudo dpkg-reconfigure -plow unattended-upgrades

Choose Yes when asked whether to download and install stable updates automatically. This typically creates or updates the APT periodic config used for scheduled package checks.

You can inspect the resulting settings here:

sudo nano /etc/apt/apt.conf.d/20auto-upgrades

A sensible baseline looks like this:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";

This means Ubuntu refreshes package lists daily, runs unattended upgrades daily, and cleans obsolete package files weekly.

Step 3: Review the main unattended-upgrades policy file

Open the main config:

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

The important section is Unattended-Upgrade::Allowed-Origins. On modern Ubuntu, you usually want the security repository enabled. A default-safe configuration often already includes lines similar to these:

Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
        "${distro_id}ESMApps:${distro_codename}-apps-security";
        "${distro_id}ESM:${distro_codename}-infra-security";
};

You can also enable a few useful quality-of-life settings lower in the file:

Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";

Leaving automatic reboot off is safer for beginners unless you fully understand the services running on the machine. Some updates, especially kernel updates, may still need a reboot before protection is complete.

Step 4: Test the updater and inspect logs

Run a dry run with debug output, which shows what would be upgraded without changing anything:

sudo unattended-upgrade --dry-run --debug

If that looks reasonable, you can run it once manually:

sudo unattended-upgrade --debug

Then review the logs:

sudo tail -n 100 /var/log/unattended-upgrades/unattended-upgrades.log
sudo tail -n 100 /var/log/unattended-upgrades/unattended-upgrades-dpkg.log

Also check recent APT history:

grep -E "unattended-upgrade|upgrade" /var/log/apt/history.log | tail -n 20
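The log review above answers the question the tutorial cares most about: is the update routine actually running and finishing? The following script is an added example, not part of the original article or of the unattended-upgrades project; it summarises an unattended-upgrades.log into run count, last run time, last run outcome, packages upgraded, and any WARNING/ERROR lines. The function names are this example's own, and the sample log is constructed in the general layout of the real log (timestamp, level, message); on a server you would point summarize_uu_log at /var/log/unattended-upgrades/unattended-upgrades.log instead.

```shell
#!/bin/sh
# Added example (not part of the article): summarise an unattended-upgrades.log
# so "is the update routine healthy?" gets a quick answer.
# Real use: summarize_uu_log /var/log/unattended-upgrades/unattended-upgrades.log
# Function names are this example's own; the sample lines below are constructed.

# Number of runs recorded in the log.
uu_runs() { grep -c 'Starting unattended upgrades script' "$1"; }

# Timestamp (YYYY-MM-DD HH:MM:SS) of the most recent run.
uu_last_run() {
    grep 'Starting unattended upgrades script' "$1" | tail -n 1 | cut -d' ' -f1,2 | cut -d, -f1
}

# Unique package names the tool reported it would upgrade, one per line.
uu_upgraded_packages() {
    sed -n 's/.*Packages that will be upgraded: //p' "$1" | tr ' ' '\n' | sort -u
}

# Every WARNING or ERROR line, so they are not buried among INFO lines.
uu_problems() { grep -E ' (WARNING|ERROR) ' "$1"; }

# Outcome of the most recent run: ok, error, or incomplete (started but never finished).
uu_last_run_status() {
    awk '/Starting unattended upgrades script/ { ok = 0; err = 0 }
         /All upgrades installed|No packages found that can be upgraded unattended/ { ok = 1 }
         / ERROR / { err = 1 }
         END { if (err) print "error"; else if (ok) print "ok"; else print "incomplete" }' "$1"
}

# Human-readable summary built from the functions above.
summarize_uu_log() {
    echo "runs logged:      $(uu_runs "$1")"
    echo "last run:         $(uu_last_run "$1")"
    echo "last run status:  $(uu_last_run_status "$1")"
    echo "packages upgraded:"
    uu_upgraded_packages "$1" | sed 's/^/  /'
    echo "warnings/errors:"
    uu_problems "$1" | sed 's/^/  /'
}

# Constructed sample log: a run with nothing to do, a run that upgraded two
# packages, and a run that failed to get the apt lock.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2024-05-01 06:17:02,118 INFO Starting unattended upgrades script
2024-05-01 06:17:02,119 INFO Allowed origins are: o=Ubuntu,a=jammy-security, o=UbuntuESMApps,a=jammy-apps-security
2024-05-01 06:17:05,400 INFO No packages found that can be upgraded unattended and no pending auto-removals
2024-05-02 06:21:44,002 INFO Starting unattended upgrades script
2024-05-02 06:21:44,003 INFO Allowed origins are: o=Ubuntu,a=jammy-security, o=UbuntuESMApps,a=jammy-apps-security
2024-05-02 06:21:49,731 INFO Packages that will be upgraded: libssl3 openssl
2024-05-02 06:21:49,732 INFO Writing dpkg log to /var/log/unattended-upgrades/unattended-upgrades-dpkg.log
2024-05-02 06:22:31,010 INFO All upgrades installed
2024-05-03 06:19:10,512 INFO Starting unattended upgrades script
2024-05-03 06:19:10,530 ERROR Lock could not be acquired (another package manager running?)
EOF

summarize_uu_log "$SAMPLE_LOG"
```

A last-run status of "incomplete" or "error" is the signal to run the manual `sudo unattended-upgrade --debug` from Step 4 and look at the full log; a last run date that is more than a day or two old means the periodic settings from Step 2 deserve a second look.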

Expected outcome and verification

After setup, you should be able to confirm:

  • The package is installed and enabled.
  • The daily APT periodic settings are present.
  • The allowed origins include security updates.
  • Logs show successful checks or recent upgrade activity.

Useful verification commands:

systemctl status unattended-upgrades --no-pager
apt-config dump | grep -i unattended
ls -lah /var/log/unattended-upgrades/
needrestart

If needrestart is installed, it can help you see whether services or the kernel need a restart after upgrades.
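The verification checklist above (periodic settings present, security origins allowed) can be turned into a repeatable check. The script below is an added example, not part of the original article or of the unattended-upgrades project: it reads lines in the format printed by `apt-config dump` (which flattens the files from Steps 2 and 3 into one `Key "value";` per line, with list items shown as `Key:: "item";`) and reports whether package-list refreshes, unattended upgrades and a `-security` origin are enabled. Function names are this example's own, and both sample dumps are constructed; on a real machine you would run `sudo apt-config dump > /tmp/apt.dump` and pass that file to `check_unattended_config`.

```shell
#!/bin/sh
# Added example (not part of the article): checker for the unattended-upgrades
# settings from Steps 2 and 3, reading `apt-config dump` style lines.
# Real use: sudo apt-config dump > /tmp/apt.dump && check_unattended_config /tmp/apt.dump
# Function names are this example's own; the sample dumps below are constructed.

# Print the effective value of a scalar option (last definition wins).
apt_conf_value() {
    file=$1; key=$2
    grep -E "^[[:space:]]*${key} \"" "$file" | tail -n 1 | sed 's/^[^"]*"\([^"]*\)".*/\1/'
}

# Print the items of a list option; `apt-config dump` prints each as  NAME:: "item";
apt_conf_list() {
    file=$1; key=$2
    grep -E "^[[:space:]]*${key}:: \"" "$file" | sed 's/^[^"]*"\([^"]*\)".*/\1/'
}

# Return 0 when the configuration enables automatic security updates, 1 otherwise.
check_unattended_config() {
    file=$1; status=0
    case "$(apt_conf_value "$file" 'APT::Periodic::Update-Package-Lists')" in
        ''|0) echo "FAIL: APT::Periodic::Update-Package-Lists is not enabled"; status=1 ;;
    esac
    case "$(apt_conf_value "$file" 'APT::Periodic::Unattended-Upgrade')" in
        ''|0) echo "FAIL: APT::Periodic::Unattended-Upgrade is not enabled"; status=1 ;;
    esac
    if ! apt_conf_list "$file" 'Unattended-Upgrade::Allowed-Origins' | grep -q -- '-security'; then
        echo "FAIL: no -security origin in Unattended-Upgrade::Allowed-Origins"; status=1
    fi
    if [ "$(apt_conf_value "$file" 'Unattended-Upgrade::Automatic-Reboot')" = "true" ]; then
        echo "NOTE: Automatic-Reboot is on; make sure Automatic-Reboot-Time suits your services"
    fi
    [ "$status" -eq 0 ] && echo "OK: automatic security updates are configured"
    return "$status"
}

# Constructed sample dumps (not taken from a real machine).
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT
cat > "$GOOD_CONF" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
Unattended-Upgrade::Allowed-Origins "";
Unattended-Upgrade::Allowed-Origins:: "${distro_id}:${distro_codename}-security";
Unattended-Upgrade::Allowed-Origins:: "${distro_id}ESMApps:${distro_codename}-apps-security";
Unattended-Upgrade::Automatic-Reboot "false";
EOF
# The "installed but nothing happens" case from Troubleshooting: periodic runs disabled.
cat > "$BAD_CONF" <<'EOF'
APT::Periodic::Update-Package-Lists "0";
APT::Periodic::Unattended-Upgrade "0";
Unattended-Upgrade::Allowed-Origins:: "${distro_id}:${distro_codename}-security";
EOF

check_unattended_config "$GOOD_CONF"
check_unattended_config "$BAD_CONF" || true
```

Because `apt-config dump` prints the merged result of every file under /etc/apt/apt.conf.d/, checking its output rather than a single file catches the case where a later file overrides the values you set in 20auto-upgrades.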

Troubleshooting common problems

The service is installed, but nothing seems to happen.
Check /etc/apt/apt.conf.d/20auto-upgrades first. If the periodic values are disabled, unattended-upgrades will not run automatically.

The logs mention package conflicts or holds.
Manually run sudo apt update and sudo apt upgrade to inspect the blocked package situation more clearly.

A reboot is required.
Look for /var/run/reboot-required. Plan a restart window instead of ignoring it indefinitely.

You are worried about application breakage.
That is reasonable. Keep backups, stage bigger changes when possible, and remember that unattended-upgrades is best for OS-level security patches, not blind app-level updating of everything you run.

Warning: Automatic updates reduce known-risk exposure, but they are not a substitute for backups. If you cannot recover the server, you have not really finished the maintenance job.

What to do next

Once security patching is automated, the next maturity step is keeping your data safe off-machine too. Continue with Use rclone for Offsite Server Copies to S3 or Backblaze B2.