
How to make sure your Ubuntu servers are always patched – CloudSavvy IT



Keeping your server up to date is very important. Linux and Linux software are patched constantly, both for security fixes and for ordinary bug fixes. By applying patches quickly, you avoid becoming a victim of freshly disclosed bugs.

Patch Management

Patch management refers to your server update practices. Good patch management means that all of your servers are updated promptly in response to security patches, whether those land in the Linux kernel, in the base system, or in the software you run on top of it.

Security starts with the sysadmin; you should conduct regular security and update audits and keep up to date with security information. Most Linux distributions have security mailing lists that you can subscribe to. These will notify you when new patches are available. Other software you use may have its own mailing lists or require you to keep track manually so you can decide when an update is needed.

Uptime is important, but if your network is fault tolerant (i.e. you have more than one server), it shouldn't be a problem to restart them one by one. Most userland software patches do not require you to restart the entire system, but if an active service is updated, it usually needs to be restarted. For something like nginx that is fine, but some services, such as MySQL, take a long time to restart because they need to shut down and start back up gracefully. You should avoid restarting those as much as possible, especially if you don't have failover servers.

Regular manual upgrade

For many people, a simple update and upgrade command will update the server:

  sudo apt-get update && sudo apt-get upgrade

The command apt-get update refreshes the package lists and retrieves the latest information about the newest versions of the packages you have installed. The command apt-get upgrade installs newer versions of the packages you already have installed.

As a result, nothing that requires new dependencies is installed, and neither are the system updates that depend on them. For those you need to run the following:

  sudo apt-get dist-upgrade 

which performs a much more thorough upgrade. Both commands install all available updates and print a list of what has changed. Some updates require the affected service to be restarted for the changes to take effect, but you usually do not have to restart the entire system unless dist-upgrade asks for it.

This process is easy to perform if you only have a few servers, but manual patch management takes more and more time as you add servers. Canonical's proprietary Landscape service lets you manage and update your machines through a web interface, but it is free only for up to 10 machines; beyond that it requires an Ubuntu Advantage subscription. If your network is particularly complicated, consider an orchestration tool like Puppet.

Automatic Security Patches with Unattended Upgrades

The unattended-upgrades utility automatically applies certain important security upgrades. It can also restart the server automatically, and the reboot can be scheduled for a set time so that it doesn't happen in the middle of the day.

Install unattended-upgrades from apt, though it may already be on your system:

  sudo apt update
  sudo apt install unattended-upgrades

This creates a configuration file at /etc/apt/apt.conf.d/50unattended-upgrades, which you should open in your favorite text editor.

Make sure the configuration looks like the following, with the security line left uncommented:

  Unattended-Upgrade::Allowed-Origins {
  //      "${distro_id}:${distro_codename}";
          "${distro_id}:${distro_codename}-security";
  // Extended Security Maintenance; doesn't necessarily exist for
  // every release and this system may not have it installed, but if
  // available, the policy for updates is such that unattended-upgrades
  // should also install from here by default.
  //      "${distro_id}ESM:${distro_codename}";
  //      "${distro_id}:${distro_codename}-updates";
  //      "${distro_id}:${distro_codename}-proposed";
  //      "${distro_id}:${distro_codename}-backports";
  };

This enables automatic installation of security updates only, although you can enable it for all updates by uncommenting the first line.

To enable automatic restarts, uncomment this line and change the value to "true":

  Unattended-Upgrade::Automatic-Reboot "true";

To set a time for the restart, uncomment this line and change the value to the desired time:

  Unattended-Upgrade::Automatic-Reboot-Time "02:00";

With these settings your server will restart at 2 am whenever security patches that require a reboot have been installed. This only happens occasionally, so you won't be restarting your server every day. Make sure that your running applications are configured to start automatically at boot.

Alternatively, unattended upgrades can be configured to send you email notifications telling you to manually restart the server when needed, which prevents unexpected
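Whichever route you take, it helps to be able to audit a host for the state the article describes: are security updates still pending, is unattended-upgrades actually pulling from the -security pocket, and is a reboot outstanding. The following POSIX sh helper is an added example, not part of the original article or of unattended-upgrades itself; it parses the output of `apt list --upgradable`, the 50unattended-upgrades file, and the /var/run/reboot-required marker that apt leaves behind, and it runs here against constructed sample data so it can be tried anywhere.

```shell
# Added patch-status audit (not from the original article). Paths are parameters
# so each function works on constructed input as well as on the live system;
# the default reboot marker path is the one apt writes on Ubuntu.

# Count pending upgrades from a "<codename>-security" pocket.
# Input on stdin: output of `apt list --upgradable`.
count_security_updates() {
    grep -c '^[^/]*/[^ ]*-security ' || true
}

# Exit 0 if the -security origin is active (not commented out) in the given
# 50unattended-upgrades file, 1 otherwise.
security_origin_enabled() {
    grep -Eq '^[[:space:]]*"\$\{distro_id\}:\$\{distro_codename\}-security";' "$1"
}

# Print the effective Automatic-Reboot value; commented-out lines ("//") are
# ignored and the default when unset is "false".
automatic_reboot_setting() {
    v=$(grep -E '^[[:space:]]*Unattended-Upgrade::Automatic-Reboot[[:space:]]+"' "$1" |
        sed -E 's/.*"([^"]*)".*/\1/' | tail -n 1)
    printf '%s\n' "${v:-false}"
}

# Exit 0 if the marker apt writes after a kernel or libc upgrade exists.
reboot_required() {
    [ -f "${1:-/var/run/reboot-required}" ]
}

# Constructed sample data standing in for the live files, so this runs anywhere.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/upgradable.txt" <<'EOF'
Listing...
openssl/jammy-security 3.0.2-0ubuntu1.10 amd64 [upgradable from: 3.0.2-0ubuntu1.9]
libssl3/jammy-security 3.0.2-0ubuntu1.10 amd64 [upgradable from: 3.0.2-0ubuntu1.9]
vim/jammy-updates 2:8.2.3995-1ubuntu2.4 amd64 [upgradable from: 2:8.2.3995-1ubuntu2.3]
EOF
cat > "$SAMPLE_DIR/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
//      "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
};
//Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
EOF
touch "$SAMPLE_DIR/reboot-required"
echo "pending security updates: $(count_security_updates < "$SAMPLE_DIR/upgradable.txt")"
security_origin_enabled "$SAMPLE_DIR/50unattended-upgrades" && echo "security origin: enabled"
echo "automatic reboot: $(automatic_reboot_setting "$SAMPLE_DIR/50unattended-upgrades")"
reboot_required "$SAMPLE_DIR/reboot-required" && echo "reboot required: yes"
```

On a real host, feed `apt list --upgradable` into count_security_updates and point the other functions at /etc/apt/apt.conf.d/50unattended-upgrades and /var/run/reboot-required.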

Canonical Livepatch

Canonical Livepatch is a service that automatically patches your kernel without requiring a server restart. It is free for up to three machines, after which you need an Ubuntu Advantage subscription for each machine.

Make sure your system is up to date and install Livepatch via snap:

  sudo snap install canonical-livepatch

Next you need to get a Livepatch token from their website. Once you have it, run the following:

  sudo canonical-livepatch enable TOKEN

Then check that it is working with:

  sudo canonical-livepatch status --verbose

Note that the default Ubuntu image on AWS does not currently support Livepatch, as AWS uses its own kernel for extra performance. You will have to revert to the old kernel or install a different version of Ubuntu if you want to use Livepatch.

