How to set up automatic Ubuntu security updates


Recent major security bugs like the Heartbleed and Shellshock bugs make it clear how important it is to keep your web server up to date. This can be a chore, so here are some ways you can automate the process.

Enable Automatic Updates

In Ubuntu, you can do this by following the guide on Ubuntu’s website.

Install the unattended-upgrades package:

sudo apt-get install unattended-upgrades

Enable it (select yes in the interactive menu):

sudo dpkg-reconfigure -plow unattended-upgrades

Select which unattended upgrades to automatically install:

# /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Allowed-Origins {
        "${distro_id} stable";
        "${distro_id} ${distro_codename}-security";
        "${distro_id} ${distro_codename}-updates";
};

Install the update-notifier-common package to receive notifications when updates are installed.

sudo apt-get install update-notifier-common

And enable them (this assumes you have postfix or another MTA installed):

# /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Mail "whatever@youremail.is";
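To confirm that the settings above actually took effect, here is an added example (not part of the original post and not code shipped by the unattended-upgrades package) that reads the two files the guide touches: 20auto-upgrades, which dpkg-reconfigure writes with the APT::Periodic switches, and 50unattended-upgrades. The function names and the "audit" sub-command are my own; the directory is a parameter so the checks can be run against a copy of /etc/apt/apt.conf.d.

```shell
#!/bin/sh
# Added example: audit the unattended-upgrades configuration.
# Usage: sh audit-auto-updates.sh audit [/etc/apt/apt.conf.d]

# Print the quoted value of an apt.conf key (e.g. APT::Periodic::Unattended-Upgrade)
# from one file, ignoring // comments. Prints nothing if the key is absent.
apt_conf_value() {
    key="$1"; file="$2"
    [ -r "$file" ] || return 1
    sed -e 's#//.*$##' "$file" \
      | grep -E "^[[:space:]]*${key}[[:space:]]+\"" \
      | sed -n 's/.*"\([^"]*\)".*/\1/p' \
      | head -n 1
}

# 0 if both switches that dpkg-reconfigure sets in 20auto-upgrades are "1".
periodic_enabled() {
    dir="$1"
    f="$dir/20auto-upgrades"
    [ "$(apt_conf_value 'APT::Periodic::Update-Package-Lists' "$f")" = "1" ] &&
    [ "$(apt_conf_value 'APT::Periodic::Unattended-Upgrade' "$f")" = "1" ]
}

# 0 if the Allowed-Origins block of $1 has an uncommented entry containing $2.
origin_allowed() {
    file="$1"; pattern="$2"
    [ -r "$file" ] || return 1
    sed -e 's#//.*$##' "$file" \
      | sed -n '/Allowed-Origins *{/,/};/p' \
      | grep -q -F -- "$pattern"
}

# Print the notification address from Unattended-Upgrade::Mail, if any.
mail_recipient() {
    apt_conf_value 'Unattended-Upgrade::Mail' "$1"
}

# Run every check, print one verdict line per item, return 1 if any failed.
audit_auto_updates() {
    dir="$1"; rc=0
    cfg="$dir/50unattended-upgrades"
    if periodic_enabled "$dir"; then
        echo "ok   periodic updates enabled"
    else
        echo "FAIL periodic updates off (run dpkg-reconfigure -plow unattended-upgrades)"; rc=1
    fi
    if origin_allowed "$cfg" '${distro_codename}-security'; then
        echo "ok   security origin allowed"
    else
        echo "FAIL security origin not in Allowed-Origins"; rc=1
    fi
    if [ -n "$(mail_recipient "$cfg")" ]; then
        echo "ok   mail goes to $(mail_recipient "$cfg")"
    else
        echo "warn Unattended-Upgrade::Mail not set (no notifications)"
    fi
    return $rc
}

if [ "${1:-}" = "audit" ]; then
    audit_auto_updates "${2:-/etc/apt/apt.conf.d}"
fi
```

The comment stripping matters: the stock 50unattended-upgrades ships most lines commented out with `//`, so a naive grep for `-security` would report it as enabled even when the whole block is still disabled.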

Make your VPS reboot-proof

Ubuntu’s automatic updater will not install any updates that require a reboot. Although you may wish to leave this as it is, it is a good idea to make sure your server recovers properly in the event your instance has to be rebooted.

Amazon recently forced about 10% of their EC2 fleet to reboot. See their official announcement.

If you run sudo reboot, how confident are you that your web server will restore itself to its initial state?

Here’s what you can do to prepare your instance for a reboot using a NodeJS server as an example.

Create a starter shell script

#!/bin/sh
# Start the app only if this user has no node process yet, so the script is
# safe to run repeatedly (from cron @reboot or by hand).
# Note: $UID is a bash variable; /bin/sh on Ubuntu is dash, where it is empty,
# so the user id is taken from id -u instead.
if ! pgrep -u "$(id -u)" node >/dev/null
then
    export PATH=/usr/local/bin:$PATH
    # This file holds a secret: keep it readable only by its owner (chmod 700).
    export WHATEVER_API_KEY=123456890abcdef
    NODE_ENV=production forever start /var/www/whatever/app.js
fi

And make it run on reboot using crontab:

crontab -u ubuntu -e

Select vim or your favorite editor, and add your starter script at the end of the file:

@reboot /path/to/script.sh
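Two checks worth running once the @reboot entry is in place, as an added example (not part of the original post): reboot_pending reads the flag files that update-notifier-common writes when an installed package needs a restart (/var/run/reboot-required, and the package list in /var/run/reboot-required.pkgs), and check_reboot_jobs reads a crontab listing (the output of `crontab -l`) and verifies that every @reboot command points at a script that exists, is executable, and is not writable by group or others, since the script exports your API key and is started unattended. Function names are my own, and both take their paths as parameters so they can be exercised on constructed files.

```shell
#!/bin/sh
# Added example: reboot-readiness checks for the @reboot starter script.

# 0 if a reboot is pending; prints the packages that requested it, one per line.
reboot_pending() {
    rundir="${1:-/var/run}"
    [ -e "$rundir/reboot-required" ] || return 1
    if [ -r "$rundir/reboot-required.pkgs" ]; then
        sort -u "$rundir/reboot-required.pkgs"
    fi
    return 0
}

# Print the command path of each @reboot entry in a crontab listing.
# Comment lines and ordinary time-based entries are ignored.
reboot_commands() {
    grep -E '^[[:space:]]*@reboot[[:space:]]' "$1" \
      | sed -E 's/^[[:space:]]*@reboot[[:space:]]+([^[:space:]]+).*/\1/'
}

# 0 if every @reboot command is an existing, executable file that only its
# owner can write; otherwise prints one finding per problem and returns 1.
# (Paths containing whitespace are not handled by the for loop.)
check_reboot_jobs() {
    listing="$1"; bad=0
    for cmd in $(reboot_commands "$listing"); do
        if [ ! -f "$cmd" ]; then
            echo "missing: $cmd"; bad=1
        elif [ ! -x "$cmd" ]; then
            echo "not executable: $cmd"; bad=1
        else
            # columns 6 and 9 of ls -l are the group and other write bits
            case "$(ls -ld "$cmd" | cut -c6,9)" in
                *w*) echo "writable by group/others: $cmd"; bad=1 ;;
                *)   echo "ok: $cmd" ;;
            esac
        fi
    done
    return $bad
}

if [ "${1:-}" = "check" ]; then
    if reboot_pending; then echo "reboot pending"; else echo "no reboot pending"; fi
    crontab -l 2>/dev/null > /tmp/crontab.$$ && check_reboot_jobs /tmp/crontab.$$
    rm -f /tmp/crontab.$$
fi
```

Run it as the user that owns the crontab (`sh reboot-check.sh check`); the crontab of another user is only readable with `crontab -u USER -l` as root.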

Automate Deployment Process

Since we’re talking about automation, check out how to automate your deployment process as well: Set up a simple deploy script.