In this tutorial, we are going to go through a series of steps that will help secure your server to best protect against hackers and hack attempts without going into complex topics.
Making sure the server is up to date is essential. By default, Ubuntu is not set up for automatic updates, but we can enable unattended-upgrades easily.
$ sudo apt-get update && sudo apt-get upgrade -y
This is probably already installed, but let's make sure.
$ sudo apt install unattended-upgrades -y
This will make sure the server reboots after upgrades happen.
$ sudo apt install apt-config-auto-update -y
Now check to see if it worked:
$ sudo systemctl status unattended-upgrades
Sample Output:
unattended-upgrades.service - Unattended Upgrades Shutdown
Loaded: loaded (/lib/systemd/system/unattended-upgrades.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2022-01-17 08:33:06 UTC; 1 day 5h ago
Docs: man:unattended-upgrade(8)
Main PID: 815 (unattended-upgr)
Tasks: 2 (limit: 9504)
Memory: 11.8M
CGroup: /system.slice/unattended-upgrades.service
└─815 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
Hit [CTRL]-C to exit back to a command prompt.
Open the configuration file:
$ sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
Uncomment the following line to include regular package updates that are off by default:
// "${distro_id}:${distro_codename}-updates";
It should now look like this:
"${distro_id}:${distro_codename}-updates";
Now we will remove unused dependencies when we update. This will remove dependencies that are no longer needed when you do an automatic update.
Change this section:
// Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools).
//Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
// Do automatic removal of newly unused dependencies after the upgrade
//Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
// Do automatic removal of unused packages after the upgrade
// (equivalent to apt-get autoremove)
//Unattended-Upgrade::Remove-Unused-Dependencies "false";
to this:
// Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools).
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
// Do automatic removal of newly unused dependencies after the upgrade
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
// Do automatic removal of unused packages after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Note, we took out the comments on the third, sixth and tenth lines, and we changed false to true on the last line.
Hint: If you are new to the nano editor, you can make deleting entire lines faster by positioning the cursor on a line and hitting [CTRL]-K.
Now find this line:
//Unattended-Upgrade::Automatic-Reboot "false";
and uncomment it and change false to true so it looks like this:
Unattended-Upgrade::Automatic-Reboot "true";
Finally, find this line:
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
and uncomment it so it looks like this:
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
Now save the file by hitting [CTRL]-X, then Y, then [ENTER].
Now we have another file to configure:
$ sudo nano /etc/apt/apt.conf.d/20auto-upgrades
Edit the file so it looks like this:
APT::Periodic::Update-Package-Lists "3";
APT::Periodic::Download-Upgradeable-Packages "3";
APT::Periodic::AutocleanInterval "3";
APT::Periodic::Unattended-Upgrade "3";
Here we have said that we want to go through this process of checking updates every three days.
Now save the file by hitting [CTRL]-X, then Y, then [ENTER].
Now let's start the service:
$ sudo systemctl start unattended-upgrades
and make sure it always starts when the server boots:
$ sudo systemctl enable unattended-upgrades
and finally make sure we are running smoothly:
$ sudo systemctl status unattended-upgrades
The output should look something like this:
unattended-upgrades.service - Unattended Upgrades Shutdown
Loaded: loaded (/lib/systemd/system/unattended-upgrades.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2022-01-17 08:33:06 UTC; 1 day 6h ago
Docs: man:unattended-upgrade(8)
Main PID: 815 (unattended-upgr)
Tasks: 2 (limit: 9504)
Memory: 11.8M
CGroup: /system.slice/unattended-upgrades.service
└─815 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
Hit [CTRL]-C to exit back to a command prompt.
If you see an error, you probably made a typo in one of the config files.
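To catch that kind of typo, the following added example (not part of the original tutorial) checks that every option edited in this guide is uncommented and set to the value shown above. The function names and the sample files built in demo() are constructed for illustration.

```sh
# Print the active value of an APT option; lines commented with // never match.
active_value() {  # $1 = file, $2 = option name
    sed -n "s|^[[:space:]]*$2[[:space:]][[:space:]]*\"\([^\"]*\)\"[[:space:]]*;.*|\1|p" "$1" | tail -n 1
}

# Compare both files with the tutorial's values; returns the number of mismatches.
audit() {  # $1 = 50unattended-upgrades, $2 = 20auto-upgrades
    fails=0
    grep -Eq '^[[:space:]]*"\$\{distro_id\}:\$\{distro_codename\}-updates";' "$1" ||
        { echo "FAIL  -updates origin is not enabled"; fails=$((fails + 1)); }
    while read -r n opt want; do
        file=$1; [ "$n" = 2 ] && file=$2
        got=$(active_value "$file" "$opt")
        if [ "$got" = "$want" ]; then
            echo "ok    $opt \"$got\""
        else
            echo "FAIL  $opt: want \"$want\", found \"${got:-unset}\""
            fails=$((fails + 1))
        fi
    done <<EOF
1 Unattended-Upgrade::Remove-Unused-Kernel-Packages true
1 Unattended-Upgrade::Remove-New-Unused-Dependencies true
1 Unattended-Upgrade::Remove-Unused-Dependencies true
1 Unattended-Upgrade::Automatic-Reboot true
1 Unattended-Upgrade::Automatic-Reboot-Time 02:00
2 APT::Periodic::Update-Package-Lists 3
2 APT::Periodic::Download-Upgradeable-Packages 3
2 APT::Periodic::AutocleanInterval 3
2 APT::Periodic::Unattended-Upgrade 3
EOF
    return "$fails"
}

# Constructed sample files (assumption): Automatic-Reboot was left commented out.
demo() {
    d=$(mktemp -d)
    cat > "$d/50unattended-upgrades" <<'EOF'
        "${distro_id}:${distro_codename}-updates";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
//Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
EOF
    printf 'APT::Periodic::%s "3";\n' Update-Package-Lists \
        Download-Upgradeable-Packages AutocleanInterval Unattended-Upgrade > "$d/20auto-upgrades"
    rc=0; audit "$d/50unattended-upgrades" "$d/20auto-upgrades" || rc=$?
    rm -rf "$d"; return "$rc"
}
demo || echo "mismatches: $?"
```

On the server itself, call audit with /etc/apt/apt.conf.d/50unattended-upgrades and /etc/apt/apt.conf.d/20auto-upgrades as its two arguments; the exit status is the number of settings that differ from this guide.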
After a few weeks, you may want to see a log of unattended upgrades done. You will see them here:
/var/log/unattended-upgrades/