Transcript from the "Automatic Updates" Lesson
>> Jem Young: For our last section, more or less, on service security, let's talk about automatic updates. Again, one of the biggest vulnerabilities is the software you're running. So you say have most of your ports closed, but you have a MySQL sever running, you have a caching proxy setup. What if one of the software become vulnerable?
[00:00:22] What if someone can connect to those without root access? So we always want to keep our software up to date, because that is the biggest, probably one of the biggest things you do about service security, mainly Windows. Windows is probably the largest offender of people not keeping their software up to date.
[00:00:38] There's still lots of people out there running Windows XP, which is no longer supported. I was actually in, totally a personal story, I was in Southern Africa on vacation a few weeks ago, and I saw at the border of Botswana, they're still running Windows XP, and I was just thinking, man, there's so many vulnerabilities on this, and this is customs border control.
[00:00:55] So, yeah there's a reason why there's so many botnets in the world, most of them are due to Windows, and people not patching their software. But we're not going to do that. We're not going to make the same mistakes that everybody else did. We're gonna automatically update our software on our server.
[00:01:09] This can get a little bit complicated, but it's the easiest way to do it. Otherwise you have to manually go in, set up some kind of reoccurring job to do it for you. So, there's even a package that do it for you. If we apt install unattended-upgrades, it'll start doing it for you, which is awesome.
[00:01:27] It might already be installed actually, if you're lucky. Sometimes it is, sometimes it isn't, seems kind of random. But if you're watching this in the future, install unattended-upgrades, and then we're gonna configure it to automatically patch our system for us.
>> Jem Young: I'm just gonna go ahead and run that.
>> Jem Young: Pseudo apt install.
>> Jem Young: Yeah, I've already got it installed. And most of you, if you sprung up a new server, you probably already have installed which is great, but just in case you don't, we don't install it as we do with most packages, so now let's configure it a bit.
[00:02:12] So in etc/apt/apt.conf.d/20auto-upgrades. Oops. File name up here. These are the defaults, but let's just make sure, because again, not for people today people tomorrow and in the future, this may not be set for you, so let's just go and make sure it's set. So add etc/apt/apt.conf.d/ follow upgrades, and I'm just gonna go and do that.
>> Jem Young: 20.
>> Jem Young: Yeah, so I just cat that file, I'm just taking a look. It's just saying update package list, yes. Run Unattended-Upgrade, yes. One is just yes,
>> Jem Young: All right, not too bad, cuz that's default. There's a link here to an Unattended-Upgrades, the debian package. You can look, there's a lot of configurations you can do for it, how often you want it to run, things like that.
[00:03:17] Take a look. I generally try to include links to things that I think are interesting. Maybe you won't think it's interesting, but it's useful to know. If you want just a little bit more detail. So next, this looks complicated, but these are the defaults. Let's just common out distro code name.
[00:03:33] It just says, we only want security patches, and we only want the extended security patches. We don't necessarily want to update our software all the time, because there could be a breaking change in there. We only want security updates, and that's in the same directory. So etc/apt/apt.conf.d/
>> Jem Young: 50unattended-upgrades, and I'm just gonna go ahead and do that here.
>> Jem Young: [INAUDIBLE] or at 50, and I'm just going to comment this line out. That's it. So what we're saying is we want security patches and the extended security maintenance patches, that's it. And that's pretty useful.
>> Jem Young: And as always, well commented files. You can see, you say, these are packages that I've done something weird.
[00:04:32] I've tweaked them a little bit. I don't want these packages to be updated. You can do lots of things with unintended upgrades, but for now let's just go the easy paved road, security updates only, and right-click, that's it.