Harden your public webserver (Part 1: unattended-upgrades)

This is the first part of a three-part tutorial.

I present three (more modern) ways to make it harder for attackers to break in.

I leave out important topics such as monitoring, encryption and backups. If you run web applications such as Nextcloud or WordPress, make sure they are always patched to the latest release.

This guide is for people who want to add that little extra icing on the cake when it comes to security.

All measures are easy to apply and can also be automated with Ansible with little effort.

Let's get started without further ado.

Install the "unattended-upgrades" package, which automates updates from the configured default repositories:

apt install unattended-upgrades

The package is enabled automatically. By default, all stable updates are installed, but that is not enough for us. Open the configuration file with an editor of your choice (nano/vim/emacs):

/etc/apt/apt.conf.d/50unattended-upgrades

Uncomment the following lines (remove the leading "//") and change the values as described in the # comments below:

Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
# change Remove-Unused-Dependencies to "true"
Unattended-Upgrade::Remove-Unused-Dependencies "true";
# change Automatic-Reboot to "true"
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
/etc/apt/apt.conf.d/50unattended-upgrades

Check that everything behaves as intended (a dry run makes no changes):

unattended-upgrade --dry-run -v
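As an added check that is not part of the original article, the following bash script audits a 50unattended-upgrades file for the settings enabled above, ignoring lines that are still commented out. It assumes the one-option-per-line layout of the stock Debian file; the sample file it builds is constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example (not from the article): audit a 50unattended-upgrades file for
# the settings this tutorial turns on. Lines still commented out with "//" or
# "#" are ignored, which catches a value that was edited but never uncommented.
# Assumes the one-option-per-line layout of the stock Debian file.

# Effective value of a scalar option: uu_value FILE Automatic-Reboot -> true
uu_value() {
    grep -E "^[[:space:]]*Unattended-Upgrade::$2[[:space:]]+\"" "$1" \
        | tail -n 1 | sed -E 's/.*"([^"]*)".*/\1/'
}
# Succeeds if an active (uncommented) Origins-Pattern entry contains "$2".
uu_origin_active() { grep -qE "^[[:space:]]*\"[^\"]*$2" "$1"; }

# Print one line per check; exit status 0 only if every check passes.
uu_audit() {
    local f="$1" fails=0 kv key want got
    for kv in Automatic-Reboot=true Remove-Unused-Dependencies=true \
              Automatic-Reboot-Time=02:00 MailReport=only-on-error; do
        key="${kv%%=*}"; want="${kv#*=}"; got="$(uu_value "$f" "$key")"
        if [ "$got" = "$want" ]; then echo "ok   $key=$got"
        else echo "FAIL $key=${got:-<unset>} (want $want)"; fails=$((fails + 1)); fi
    done
    if uu_origin_active "$f" 'label=Debian-Security'; then echo "ok   security origin active"
    else echo "FAIL security origin commented out"; fails=$((fails + 1)); fi
    [ "$fails" -eq 0 ]
}

# Constructed sample: the relevant lines as shipped in the stock file, written to "$1".
uu_sample_default() {
    cat >"$1" <<'EOF'
Unattended-Upgrade::Origins-Pattern {
        "origin=Debian,codename=${distro_codename},label=Debian";
        "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
};
//Unattended-Upgrade::Remove-Unused-Dependencies "false";
//Unattended-Upgrade::Automatic-Reboot "false";
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
//Unattended-Upgrade::MailReport "on-change";
EOF
}
# The same file after the edits in this tutorial (uncomment and flip the values).
uu_sample_hardened() {
    uu_sample_default "$1"
    sed -e 's|^//Unattended|Unattended|' -e 's/"false"/"true"/' \
        -e 's/"on-change"/"only-on-error"/' "$1" >"$1.new" && mv "$1.new" "$1"
}

# Demo on the hardened sample; on a real host point uu_audit at the live file.
tmp="$(mktemp)"; uu_sample_hardened "$tmp"; uu_audit "$tmp"; rm -f "$tmp"
```

Run it as `uu_audit /etc/apt/apt.conf.d/50unattended-upgrades` after editing; a FAIL line means the option is still commented out or has a different value.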


Optional steps

Customize repositories:

If only security updates should be installed (e.g. for stability reasons), comment out the following line by prefixing it with //:

"origin=Debian,codename=${distro_codename},label=Debian";
/etc/apt/apt.conf.d/50unattended-upgrades

You can also add your own repositories to this list, or exclude specific packages from automatic upgrades with a regular expression in the following option:

Unattended-Upgrade::Package-Blacklist
/etc/apt/apt.conf.d/50unattended-upgrades

E-mail notification in case of errors:

Enter your address (this assumes a working MTA, such as Postfix, on the server):

Unattended-Upgrade::Mail "youremail@yourdomain.com";
/etc/apt/apt.conf.d/50unattended-upgrades

Since updates can be very frequent, I would enable e-mail notification only for errors (the default is to report every change):

Unattended-Upgrade::MailReport "only-on-error";
/etc/apt/apt.conf.d/50unattended-upgrades
