Bluehost Self-Managed VPS: How to Set Up Automatic Security Updates

Automatic security updates keep your server protected against the latest vulnerabilities without manual intervention. This is a critical best practice for any public-facing Self-Managed VPS.

Prerequisites & Testing Connectivity

  • You must have root or sudo privileges.
  • Your server must be able to connect to official repositories (internet access).
  • Ensure initial manual updates are done first, and that you have recent backups.

How to Test Repository Connectivity & Internet Access

Run one or more of the commands below to confirm internet and repository connectivity:

  • Ping public IP:
    ping -c 4 8.8.8.8
    What to expect if OK: shows replies:
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=118 time=12 ms
  • Ping domain:
    ping -c 4 google.com
    What to expect if OK: shows replies:
    64 bytes from ...
  • Test DNF/YUM repo (AlmaLinux, Rocky, CentOS, Fedora):
    sudo dnf check-update
    What to expect if OK: shows repo/metadata fetch lines, e.g.:
    Last metadata expiration check: ...
  • Test APT repo (Ubuntu, Debian):
    sudo apt update
    What to expect if OK: shows download lines, e.g.:
    Get:1 http://... InRelease [XXX kB]

Notes:
  • If you see “Could not resolve host” or “Failed to download”, your server does not have internet access or your DNS/repos are misconfigured.
  • Successful responses mean your server can reach official repositories and is ready for automatic updates.

AlmaLinux, Rocky Linux, CentOS Stream, Fedora (dnf-automatic)

These systems use dnf-automatic for scheduled updates.

1. Install dnf-automatic:

sudo dnf install dnf-automatic -y

Example output:

Installed:
  dnf-automatic-4.14.0-1.el9.noarch
Complete!

2. Enable and start the timer:

sudo systemctl enable --now dnf-automatic.timer

Example output:

Created symlink /etc/systemd/system/timers.target.wants/dnf-automatic.timer → /usr/lib/systemd/system/dnf-automatic.timer.

3. Edit the config file to set actions (default: download and apply security-only updates):

sudo nano /etc/dnf/automatic.conf

Find these lines in the [commands] section and set them so that security-only updates are applied automatically:

apply_updates = yes
upgrade_type = security

4. Check the timer status:

systemctl status dnf-automatic.timer

Example output:

● dnf-automatic.timer - dnf-automatic timer
   Loaded: loaded (/usr/lib/systemd/system/dnf-automatic.timer; enabled)
   Active: active (waiting) since Wed 2024-07-10 08:00:00 UTC; 2h 10min ago

Ubuntu, Debian (unattended-upgrades)

Use unattended-upgrades for automatic security updates on Ubuntu and Debian.

1. Install unattended-upgrades:

sudo apt update
sudo apt install unattended-upgrades -y

Example output:

Setting up unattended-upgrades (2.8.1ubuntu1) ...

2. Enable automatic security updates:

sudo dpkg-reconfigure --priority=low unattended-upgrades

Example output:

Configuring unattended-upgrades
Automatically download and install stable updates? [Yes]

3. (Optional) Fine-tune /etc/apt/apt.conf.d/50unattended-upgrades:

Open the file, ensure security updates are enabled, and adjust the email and auto-reboot settings if desired.

4. Simulate a run to check readiness:

sudo unattended-upgrades --dry-run --debug

Example output includes lines similar to:

Checking: openssl
Packages that will be upgraded: openssl

When Do Automatic Security Updates Run?

  • AlmaLinux, Rocky Linux, CentOS Stream, Fedora:
    Security updates run automatically once daily via dnf-automatic.timer — by default at 6:00 am system time.
    To check the schedule, run:
    systemctl list-timers dnf-automatic.timer
    Sample output:
    NEXT                         LEFT    LAST                         PASSED    UNIT
    Wed 2024-07-10 06:00:00 UTC  7h left Wed 2024-07-09 06:00:04 UTC  16h ago   dnf-automatic.timer
    
    Advanced users: To customize the timer schedule, edit /usr/lib/systemd/system/dnf-automatic.timer (then run sudo systemctl daemon-reload).
  • Ubuntu, Debian:
    Security updates are applied daily, typically overnight (about 6:25am system time) through a cron.daily job.
    To check the last run or troubleshoot:
    ls -l /var/log/unattended-upgrades/
    Or review the schedule in /etc/cron.daily/ and /etc/apt/apt.conf.d/10periodic.

Notification Setup (Optional)

Would you like to receive an email every time an automatic update is installed or if there is a problem? Here’s how you can set up email alerts for your server’s security updates:

AlmaLinux, Rocky Linux, CentOS Stream, Fedora: email via dnf-automatic

  1. Install a mail transfer agent (Postfix or Sendmail):
    sudo dnf install postfix -y
  2. Configure /etc/dnf/automatic.conf in the [email] section:
    [email]
    emit_via = email
    email_from = you@example.com
    email_to = you@example.com

    Be sure to replace you@example.com with your real email address.
  3. You can test mail delivery:
    echo "Test mail" | mail -s "Test" you@example.com

Ubuntu, Debian: email via unattended-upgrades

  1. Install a mail utility (mailutils or postfix):
    sudo apt install mailutils postfix -y
  2. Edit /etc/apt/apt.conf.d/50unattended-upgrades, ensuring you add or adjust:
    Unattended-Upgrade::Mail "you@example.com";
    Unattended-Upgrade::MailOnlyOnError "true";

  3. You can test mail delivery:
    echo "Test mail" | mail -s "Test" you@example.com

Notes:
  • These packages do not provide a free relay service for you; you are just running your own system’s mail server to send system alert emails.
  • For reliable mail delivery to Gmail or external addresses, you may need to set up additional mail relay settings or use a service (to avoid spam filters).
  • For VPS alerts and security email, the free local MTA setup is usually enough.

Tip: For reliable email delivery to Gmail or other external mailboxes, consider using SMTP relay settings or an external email service to avoid spam issues.
You will receive alerts when security updates are installed (or when there are errors, depending on configuration).

Advanced: Scheduling & OS-Specific Tips

Want more control over when updates happen, or need to troubleshoot OS-specific issues? Here are some advanced tips:

AlmaLinux, Rocky Linux, CentOS Stream, Fedora (dnf-automatic)

  • Change update frequency/time:
    Edit the timer file:
    sudo nano /usr/lib/systemd/system/dnf-automatic.timer
    Modify (or add) the OnCalendar line in the [Timer] section, e.g.:
    OnCalendar=*-*-* 03:00:00
    (runs daily at 3:00 am)
    Other options:
    • OnCalendar=Mon *-*-* 03:00:00 (weekly Monday at 3 am)
    • OnCalendar=hourly (every hour)
    • OnCalendar=*-*-* 03,15:00:00 (twice daily at 3am/3pm)
    Save, then reload and restart the timer:
    sudo systemctl daemon-reload
    sudo systemctl restart dnf-automatic.timer
    
    More info: See systemd.time documentation.
  • Disable/enable automatic updates:
    sudo systemctl disable --now dnf-automatic.timer  # Disable (stops the timer and keeps it off after a reboot)
    sudo systemctl enable --now dnf-automatic.timer   # Enable and start
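
An alternative to editing the packaged unit under /usr/lib, as an added example that is not part of the original article: a drop-in under /etc/systemd/system is not replaced when a package update reinstalls the packaged timer file. The function name write_timer_override and its optional root-directory argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: reschedule dnf-automatic.timer with a drop-in instead of
# editing the packaged unit. write_timer_override is a name made up here.

# usage: write_timer_override 'ONCALENDAR' [ROOT]
#   ROOT defaults to / ; pass a scratch directory to preview the result.
write_timer_override() {
    local schedule="$1" root="${2:-/}"
    local dir="${root%/}/etc/systemd/system/dnf-automatic.timer.d"

    # Refuse an empty schedule or one containing a newline, which would
    # let extra directives slip into the unit file.
    if [ -z "$schedule" ] || [ "$(printf '%s' "$schedule" | wc -l)" -ne 0 ]; then
        echo "invalid OnCalendar value" >&2
        return 1
    fi

    # Validate the expression with systemd's own parser when it is installed.
    if command -v systemd-analyze >/dev/null 2>&1; then
        systemd-analyze calendar "$schedule" >/dev/null 2>&1 || {
            echo "systemd rejects: $schedule" >&2
            return 1
        }
    fi

    mkdir -p "$dir" || return 1
    # The empty OnCalendar= clears the packaged schedule; without it the new
    # value is added to the existing one and the timer fires at both times.
    printf '[Timer]\nOnCalendar=\nOnCalendar=%s\n' "$schedule" \
        > "$dir/override.conf" || return 1
    echo "$dir/override.conf"
}

# Preview in a scratch directory (constructed demo, no root needed).
demo=$(mktemp -d)
write_timer_override '*-*-* 03:00:00' "$demo"
cat "$demo/etc/systemd/system/dnf-automatic.timer.d/override.conf"
```

On the server, call the function as root without the second argument, then reload and restart the timer as in the steps above; systemctl cat dnf-automatic.timer shows the packaged unit together with the drop-in.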
    

Ubuntu, Debian (unattended-upgrades)

  • Change update frequency:
    Edit this file:
    sudo nano /etc/apt/apt.conf.d/10periodic
    Example for daily checks/updates:
    APT::Periodic::Update-Package-Lists "1";
    APT::Periodic::Unattended-Upgrade "1";
    
    (Set to "7" for weekly, "0" to disable, "2" for every other day, etc.)
  • Advanced scheduling:
    Cron jobs generally run around 6:25am system time, but you can move the main script to /etc/cron.hourly/ or use a custom cron job if you want advanced control.
  • Disable/enable automatic updates:
    sudo dpkg-reconfigure unattended-upgrades

How to verify your schedule:

  • dnf-automatic:
    systemctl list-timers
  • unattended-upgrades: View logs:
    ls -l /var/log/unattended-upgrades/

If you adjust the schedule, always monitor your logs and check mail alerts to ensure updates are running as expected.

Testing & Monitoring Automatic Updates

  • Check update logs:
    RHEL/Alma/Rocky/CentOS:
    sudo journalctl -u dnf-automatic.service
    Ubuntu/Debian:
    cat /var/log/unattended-upgrades/unattended-upgrades.log
  • Set up email notifications in the config file to alert you to each update event.
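
A check to run alongside the log review, as an added example that is not part of the original article: it reads the two settings from step 3 of the dnf-automatic section and the two APT::Periodic values from the scheduling tips, and fails if automatic security updates are not actually switched on. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the settings this article configures.
# Function names and the sample files below are constructed for illustration.

ini_get() {  # ini_get FILE SECTION KEY -> value (last assignment wins)
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }                       # skip comment lines
        /^[ \t]*\[/   { gsub(/[ \t]/, ""); cur = $0; next }
        cur == sec && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

check_dnf_automatic() {  # true only if security updates are applied unattended
    [ "$(ini_get "$1" commands apply_updates)" = "yes" ] &&
    [ "$(ini_get "$1" commands upgrade_type)" = "security" ]
}

apt_periodic_get() {  # apt_periodic_get FILE KEY -> quoted value
    sed -n "s/^[[:space:]]*APT::Periodic::$2[[:space:]]*\"\([^\"]*\)\";.*/\1/p" "$1" |
        tail -n 1
}

check_apt_periodic() {  # true only if both periodic jobs are enabled (not "0")
    for key in Update-Package-Lists Unattended-Upgrade; do
        case $(apt_periodic_get "$1" "$key") in ''|0) return 1 ;; esac
    done
}

# Constructed sample files: one set as in this article, one not.
tmp=$(mktemp -d)
printf '[commands]\n# comment\napply_updates = yes\nupgrade_type = security\n' > "$tmp/good.conf"
printf '[commands]\napply_updates = no\nupgrade_type = default\n[email]\nemail_to = root\n' > "$tmp/weak.conf"
printf 'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Unattended-Upgrade "1";\n' > "$tmp/10periodic.good"
printf 'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Unattended-Upgrade "0";\n' > "$tmp/10periodic.weak"

for f in good.conf weak.conf; do
    check_dnf_automatic "$tmp/$f" && echo "$f: OK" || echo "$f: security updates NOT auto-applied"
done
for f in 10periodic.good 10periodic.weak; do
    check_apt_periodic "$tmp/$f" && echo "$f: OK" || echo "$f: periodic upgrades disabled"
done
```

On a server, pass the real files instead: check_dnf_automatic /etc/dnf/automatic.conf or check_apt_periodic /etc/apt/apt.conf.d/10periodic. On Ubuntu and Debian, apt-config dump | grep APT::Periodic shows the merged value from every file in /etc/apt/apt.conf.d.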

Summary

Enabling automatic security updates is one of the easiest and most effective ways to harden your Self-Managed VPS, reduce downtime, and protect your data. Test to confirm they work, review your logs, and remember to keep regular backups!
