You set up the server, you moved on, and three months later you SSH in to find it's running a kernel from last year. Unattended upgrades fix that. Here's the setup that actually works.

Install the package

apt install unattended-upgrades apt-listchanges -y

Enable it

dpkg-reconfigure --priority=low unattended-upgrades

Answer yes. This creates /etc/apt/apt.conf.d/20auto-upgrades with the right defaults.

Verify:

cat /etc/apt/apt.conf.d/20auto-upgrades

Should show:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

Configure what gets updated

nano /etc/apt/apt.conf.d/50unattended-upgrades

The defaults only apply security updates — which is what you want. The key sections:

Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
    // "${distro_id}:${distro_codename}-updates";  // uncomment for all updates
};

Leave -updates commented unless you're comfortable with non-security packages updating automatically. Security-only is the safer default for production boxes.

Configure auto-reboot (optional but recommended)

Kernel updates don't apply until the next reboot. If you never reboot, you're not actually running the updated kernel.

In /etc/apt/apt.conf.d/50unattended-upgrades, uncomment and set:

Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "03:00";

Pick a time when the server has the least traffic. 3 AM is the classic choice. If this is a production server where any downtime needs a maintenance window, leave auto-reboot off and handle reboots manually — but actually do them.

Get notified when something updates

nano /etc/apt/apt.conf.d/50unattended-upgrades

Unattended-Upgrade::Mail "you@yourdomain.com";
Unattended-Upgrade::MailReport "on-change";

Requires a working mail setup on the server. If you don't have one, skip it — the logs are good enough.

Test it without waiting

Run a dry-run to confirm it works:

unattended-upgrade --dry-run --debug 2>&1 | head -40

Force a real run (applies available updates now):

unattended-upgrade -v

Check the logs

# What ran and when
cat /var/log/unattended-upgrades/unattended-upgrades.log

# Just the last run
tail -50 /var/log/unattended-upgrades/unattended-upgrades.log

# Package-level details
cat /var/log/unattended-upgrades/unattended-upgrades-dpkg.log

Check if a reboot is needed

cat /var/run/reboot-required 2>/dev/null && echo "Reboot needed" || echo "No reboot needed"

Or just:

ls /var/run/reboot-required 2>/dev/null

If the file exists, a kernel or library update is waiting for the next reboot to fully apply; /var/run/reboot-required.pkgs lists the packages that set it.

Debian vs Ubuntu

Same package, same config path on both. The Allowed-Origins values differ slightly:

Ubuntu uses ${distro_id}:${distro_codename}-security, which apt expands automatically. Debian uses origin=Debian,codename=${distro_codename},label=Debian-Security. The reconfigure wizard sets the right value for your distro — don't manually copy-paste from a tutorial for the other one.
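As an added example (not from the post or the unattended-upgrades project), a small POSIX sh audit that reads a drop-in directory the way apt does, later files override earlier ones and // comments are ignored, and reports the settings walked through above. The directory argument stands in for /etc/apt/apt.conf.d, and the sample tree it builds, including the stray 99-disable file, is constructed for the demo.

```shell
# Added example, not from the post: audit an apt.conf.d tree the way apt reads it
# (files in lexical order, later files override earlier ones, '//' comments ignored).
# The directory argument stands in for /etc/apt/apt.conf.d; apt's '#' and /* */
# comment forms are not handled here.

uu_cat() { cat "$1"/* 2>/dev/null | sed 's://.*$::'; }   # merged, comments stripped

# Last value assigned to a scalar option (the one apt actually uses); empty if unset.
uu_value() { uu_cat "$1" | grep -o "$2 *\"[^\"]*\"" | tail -n 1 | sed 's:.*"\(.*\)":\1:'; }

# True if an uncommented Allowed-Origins entry pulls in the -updates pocket.
uu_updates_enabled() { uu_cat "$1" | grep -q -- '-updates"'; }

# One-line verdicts for the settings the post walks through.
uu_audit() {
    [ "$(uu_value "$1" APT::Periodic::Unattended-Upgrade)" = 1 ] \
        && echo "unattended-upgrade: enabled" \
        || echo "unattended-upgrade: DISABLED (a later drop-in overrides 20auto-upgrades?)"
    uu_updates_enabled "$1" && echo "origins: security + updates" || echo "origins: security only"
    [ "$(uu_value "$1" Unattended-Upgrade::Automatic-Reboot)" = true ] \
        && echo "auto-reboot: $(uu_value "$1" Unattended-Upgrade::Automatic-Reboot-Time)" \
        || echo "auto-reboot: off, check /var/run/reboot-required after each run"
}

# Constructed sample tree: the two files from the post plus a stray drop-in
# that sorts after 20auto-upgrades and silently switches the job off.
uu_demo_dir() {
    d=$(mktemp -d)
    printf '%s\n' 'APT::Periodic::Update-Package-Lists "1";' \
                  'APT::Periodic::Unattended-Upgrade "1";' > "$d/20auto-upgrades"
    cat > "$d/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
    // "${distro_id}:${distro_codename}-updates";
};
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "03:00";
EOF
    echo 'APT::Periodic::Unattended-Upgrade "0";' > "$d/99-disable"
    echo "$d"
}

D=$(uu_demo_dir)
uu_audit "$D"
rm -rf "$D"
```

On a live box, point uu_audit at /etc/apt/apt.conf.d, or compare its verdict with apt's own merged view from `apt-config dump | grep -i unattended`.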

Related: Ubuntu Server Initial Setup Checklist — unattended-upgrades is step 8 of the full setup.
