Mastodon

How to Enable Automatic Security Updates on Ubuntu with Unattended-Upgrades

  1. Home
  2. Guides
  3. How to Enable Automatic Security Updates on Ubuntu...

Unattended-upgrades is the official Ubuntu package that installs security updates automatically on a schedule, without you needing to SSH in and run apt upgrade yourself. On a self-managed VPS, this closes the gap between a security patch being released and it actually reaching your server, a gap that on a server nobody logs into for weeks can stretch dangerously long.

This guide configures unattended-upgrades to install security patches automatically, sets up logging so you can verify it is actually running, and covers the trade-offs around automatic reboots. It assumes you have a running Ubuntu 24.04 VPS with a non-root sudo user. If not, complete the [Ubuntu 24.04 initial setup guide](/guides/how-to-set-up-ubuntu-24-04-vps) first.

Step 1 - Installing Unattended-Upgrades

Ubuntu ships with unattended-upgrades available in the default repositories, though it is not always installed or enabled out of the box depending on how the VPS image was built. Update the package list and install it along with apt-listchanges, which lets it summarise what changed:

sudo apt update
sudo apt install unattended-upgrades apt-listchanges -y

The package is now installed. The next step is telling Ubuntu to actually run it on a schedule, since installing the package alone does not enable it.

Step 2 - Enabling Scheduled Updates

Ubuntu includes a reconfiguration wizard that writes the scheduling config for you. Run it with the low priority flag so it asks directly rather than assuming defaults silently:

sudo dpkg-reconfigure --priority=low unattended-upgrades

Select Yes when asked whether to enable automatic updates. This writes /etc/apt/apt.conf.d/20auto-upgrades with two lines that turn on daily package list updates and daily unattended upgrade runs:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

Automatic updates are now scheduled to run daily. The next step is controlling exactly which updates are allowed to install automatically, since the default configuration is close but worth reviewing.

Step 3 - Choosing Which Updates Install Automatically

The main configuration file controls which package origins are eligible for automatic installation. Open it to review:

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Near the top, the Allowed-Origins block lists which repositories unattended-upgrades will pull from. By default on Ubuntu 24.04 this already includes the security repository, which is the one that matters most:

Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";
    "${distro_id}ESMApps:${distro_codename}-apps-security";
    "${distro_id}ESM:${distro_codename}-infra-security";
};

Leaving this as-is applies security patches automatically while leaving general package updates, new feature releases and non-security bug fixes, for you to install manually. This is the safer default for a production server: security patches close known vulnerabilities and are worth installing without review, while general updates can introduce behaviour changes worth testing first. If you want general updates included too, uncomment the first line in that block, though this is not recommended for a server running WordPress or other production workloads.

While still in this file, find the Unattended-Upgrade::Mail line and set it to your email address if you want a summary sent whenever updates are installed. This is worth doing on a server you do not check daily, since it is the easiest way to notice if something unexpected happened during a patch run.

Step 4 - Deciding on Automatic Reboots

Some kernel and library security patches only take effect after a reboot. Unattended-upgrades can reboot the server automatically once these are installed, but this means the server may restart without you present, dropping any active SSH sessions and briefly taking the server offline. Do not enable this on a server running services that cannot tolerate a surprise restart, such as an unmonitored database or a site with no health check in front of it.

In the same 50unattended-upgrades file, find these two lines and set them if you want automatic reboots at a fixed, low-traffic time:

Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "03:30";

If you would rather be notified that a reboot is pending and handle it yourself, leave Automatic-Reboot set to false, which is the default. A pending reboot creates a file at /var/run/reboot-required that you can check manually or with a monitoring script.

Step 5 - Verifying It Actually Runs

Configuration that looks correct is not the same as configuration that runs correctly. Test it with a dry run, which shows exactly what would happen without installing anything:

sudo unattended-upgrade --dry-run --debug

This prints every package it would consider and whether it matches an allowed origin. If security updates are pending, you will see them listed as candidates. Once you are confident the configuration is correct, unattended-upgrades will run automatically on the schedule set in step 2, and every real run gets logged. Check the log to confirm it has actually executed after its first scheduled run:

cat /var/log/unattended-upgrades/unattended-upgrades.log

A healthy log shows timestamped entries for each run, along with which packages, if any, were installed. An empty or missing log after 24 hours means the scheduled job is not firing and the configuration from step 2 needs rechecking.

Your Server Now Patches Itself

Security updates now install automatically on a daily schedule, with logging so you can confirm they are actually happening rather than assuming they are. From here, pairing this with the [UFW and Fail2Ban guide](/guides/securing-vps-ufw-fail2ban) covers the other half of keeping an unattended VPS secure between the times you actually log in to check on it.

Get a VPS

Follow along with your own server. Plans from £7.98/month.

View VPS Plans

More Guides

How to Migrate WordPress from Shared Hosting to a VPS

Move a live WordPress site from shared hosting to a VPS: database export with my...

Setting Up SSH Key Authentication on Ubuntu

How to set up SSH key authentication on Ubuntu and disable password logins to se...

Securing Your VPS with UFW and Fail2Ban

How to configure UFW and Fail2Ban on Ubuntu to protect your VPS from port scans...