Enable Unattended Security Upgrades on Ubuntu Server
Learn how to enable unattended security upgrades on your Ubuntu server to automatically install security updates.
On Linux in general, automatic updates are not enabled by default, so to update your system you explicitly run the upgrade commands. This is good, especially in server environments, where you don't want your server to suddenly upgrade at peak hours or disturb your services.
However, all software has the potential for security vulnerabilities. The teams behind packaging and maintaining software usually publish security patches as soon as they can, often before the vulnerability is made public. But the second a vulnerability is made public, your server is exposed to the thousands of bots scanning for the newly disclosed flaw, so it is very important that security patches are installed and applied as soon as possible.
In this guide, we will enable unattended security upgrades on your Ubuntu server.
1. Install Unattended Upgrades Package
The unattended-upgrades package is often pre-installed on Ubuntu Server, but install it to be sure:
sudo apt update
sudo apt install unattended-upgrades -y
2. Enable Automatic Updates
Run the built-in configuration script to enable the service:
sudo dpkg-reconfigure unattended-upgrades
Select Yes when prompted. This creates (or updates) the file /etc/apt/apt.conf.d/20auto-upgrades.
You can verify its contents:
cat /etc/apt/apt.conf.d/20auto-upgrades
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
The "1" means the action runs every day (the value is the interval in days). Change it to "0" to disable, or to a higher number to run less frequently.
3. Allow only security updates
By default, all package sources are allowed in unattended upgrades. This is not ideal for production servers, because you want to control versions, and you do not want surprise version bumps that could break compatibility with your deployed services.
So let’s make sure the Allowed-Origins block only allows -security updates:
Open the configuration file with your preferred editor:
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
sudo vim /etc/apt/apt.conf.d/50unattended-upgrades
Look for the Unattended-Upgrade::Allowed-Origins block and comment out (with //) all lines except the one that ends with -security, so it looks like this:
Unattended-Upgrade::Allowed-Origins {
// "${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security"; // we only want security updates
// "${distro_id}:${distro_codename}-updates";
// "${distro_id}:${distro_codename}-proposed";
// "${distro_id}:${distro_codename}-backports";
};
Save the file and exit the editor.
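To check that steps 2 and 3 actually took effect, the following script audits the two files edited above: it reads the interval values out of 20auto-upgrades and lists which origins in the Allowed-Origins block of 50unattended-upgrades are still active (not commented out). This is an added example, not code from the original guide or from the unattended-upgrades project; it runs against constructed sample files in a temporary directory so it works offline, and the same functions can be pointed at the real files under /etc/apt/apt.conf.d/ on a server.

```shell
#!/bin/sh
# Added example: audit the unattended-upgrades configuration from steps 2 and 3.
# Not part of the original guide; the sample files below are constructed.

# Print the value of one APT::Periodic::<key> line from a 20auto-upgrades file.
periodic_value() {
    sed -n "s/^APT::Periodic::$2[[:space:]]*\"\([0-9]*\)\";.*/\1/p" "$1"
}

# Return 0 if both package-list updates and unattended upgrades are enabled
# (a value of "0" or a missing line means that action is disabled).
periodic_enabled() {
    for key in Update-Package-Lists Unattended-Upgrade; do
        val=$(periodic_value "$1" "$key")
        case "$val" in
            ""|0) return 1 ;;
        esac
    done
    return 0
}

# Print the origin strings that are active in the Allowed-Origins block,
# one per line. Everything after // on a line is treated as a comment.
active_origins() {
    sed -n '/Unattended-Upgrade::Allowed-Origins[[:space:]]*{/,/^[[:space:]]*};/p' "$1" \
        | sed 's#//.*$##' \
        | grep -o '"[^"]*"' \
        | tr -d '"'
}

# Return 0 if every active origin ends in -security (the goal of step 3).
# An empty block also fails: nothing would ever be upgraded.
only_security() {
    origins=$(active_origins "$1")
    [ -n "$origins" ] || return 1
    echo "$origins" | grep -qv -- '-security$' && return 1
    return 0
}

# Constructed sample files (not copied from a real server) so the checks run offline.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF

# The security-only block from step 3.
cat > "$SAMPLE_DIR/50-security-only" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
//      "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security"; // we only want security updates
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};
Unattended-Upgrade::Package-Blacklist {
};
EOF

# A block that still allows regular and -updates origins (what step 3 removes).
cat > "$SAMPLE_DIR/50-default" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        "${distro_id}:${distro_codename}-updates";
};
EOF

# Report on both samples. Replace the paths with the real files to audit a server.
for f in "$SAMPLE_DIR/50-security-only" "$SAMPLE_DIR/50-default"; do
    echo "== $f"
    echo "active origins:"
    active_origins "$f" | sed 's/^/  /'
    if only_security "$f"; then
        echo "result: security-only (OK)"
    else
        echo "result: non-security origins are active"
    fi
done
periodic_enabled "$SAMPLE_DIR/20auto-upgrades" && echo "periodic jobs: enabled"
```

Pointing the functions at /etc/apt/apt.conf.d/20auto-upgrades and /etc/apt/apt.conf.d/50unattended-upgrades turns this into a quick compliance check you can run from a configuration-management tool after the edit.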
4. Test the Configuration
Run a dry-run to verify your configuration without actually installing anything:
sudo unattended-upgrades --dry-run --debug
Review the output to confirm the correct update sources are being used and no configuration errors are reported.
To actually trigger an upgrade run immediately (outside of the normal schedule):
sudo unattended-upgrades -v
5. Verify the Timer Is Active
Unattended upgrades run via systemd timers (or cron on older systems). Verify they are active:
systemctl status apt-daily.timer
systemctl status apt-daily-upgrade.timer
Both timers should show as active (waiting). The apt-daily timer handles fetching the package lists, and apt-daily-upgrade handles applying the upgrades.
To see when the next run is scheduled:
systemctl list-timers apt-daily*
Summary
- Install: sudo apt install unattended-upgrades
- Enable: sudo dpkg-reconfigure --priority=low unattended-upgrades
- Configure: edit /etc/apt/apt.conf.d/50unattended-upgrades
- Test: sudo unattended-upgrades --dry-run --debug
- Monitor: check /var/log/unattended-upgrades/
This setup is the safest starting point for most servers; you really don't need to dig deeper than this until you have specific requirements.
Reference: Checking Logs
Unattended upgrades write to /var/log/unattended-upgrades/. Key log files:
# Summary of upgrade runs
cat /var/log/unattended-upgrades/unattended-upgrades.log
# Detailed apt output
cat /var/log/unattended-upgrades/unattended-upgrades-dpkg.log
# Shutdown/reboot log (if auto-reboot is enabled)
cat /var/log/unattended-upgrades/unattended-upgrades-shutdown.log
You can also check whether a reboot is required after upgrades:
cat /var/run/reboot-required 2>/dev/null && echo "Reboot needed" || echo "No reboot needed"
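Reading the log by hand is fine for one server; for several, a small summariser is more useful. The script below, an added example that is not part of the original guide, pulls the upgraded package names out of unattended-upgrades.log, checks whether the last run finished, counts WARNING/ERROR lines, and tests for the reboot-required marker. The sample log lines are constructed to mimic the INFO-level format of that log and the sample marker file is written to a temporary directory; on a real host you would pass the paths under /var/log/unattended-upgrades/ and /var/run/.

```shell
#!/bin/sh
# Added example: summarise an unattended-upgrades log and the reboot marker.
# Not part of the original guide; the sample data below is constructed.

# Package names from every "Packages that will be upgraded:" line, one per line.
upgraded_packages() {
    sed -n 's/.*Packages that will be upgraded: *//p' "$1" | tr ' ' '\n' | sed '/^$/d'
}

# Return 0 if the last line of the log reports a finished run.
last_run_completed() {
    tail -n 1 "$1" | grep -q 'All upgrades installed'
}

# Print the number of WARNING or ERROR lines (0 when there are none).
problem_count() {
    grep -c -E ' (WARNING|ERROR) ' "$1" || true
}

# Return 0 if the reboot-required marker exists. The real path is the default;
# a different path can be passed to test against constructed data.
reboot_needed() {
    [ -f "${1:-/var/run/reboot-required}" ]
}

# Constructed sample data (assumption: modelled on the log's INFO line format).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/unattended-upgrades.log" <<'EOF'
2024-03-01 06:35:12,402 INFO Starting unattended upgrades script
2024-03-01 06:35:12,403 INFO Allowed origins are: o=Ubuntu,a=jammy-security
2024-03-01 06:35:20,101 INFO Packages that will be upgraded: libssl3 openssl
2024-03-01 06:35:45,220 INFO All upgrades installed
EOF
printf '*** System restart required ***\n' > "$SAMPLE_DIR/reboot-required"

# Print a one-screen summary for the sample log and marker.
LOG="$SAMPLE_DIR/unattended-upgrades.log"
echo "upgraded packages:"
upgraded_packages "$LOG" | sed 's/^/  /'
if last_run_completed "$LOG"; then
    echo "last run: completed"
else
    echo "last run: did not report completion, inspect the log"
fi
echo "warnings/errors: $(problem_count "$LOG")"
if reboot_needed "$SAMPLE_DIR/reboot-required"; then
    echo "reboot: needed"
else
    echo "reboot: not needed"
fi
```

Calling reboot_needed with no argument checks the real /var/run/reboot-required, which is the same test as the one-liner above; feeding the summary into your monitoring lets you alert on runs that never reached "All upgrades installed" or on hosts that have been waiting on a reboot for too long.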