How to automatically apply the latest security updates on Debian Linux

Date: 2020-01-09 10:39:29  Source: igfitidea

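How do you keep a server or cloud machine running Debian Linux 9.x or 8.x up to date, with the latest security updates applied automatically?
Is there a tool that installs security patches automatically?
Yes. All security updates can be downloaded and installed (upgraded) automatically in the background.
This is done unattended, and the security updates are installed for you.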

Why install security updates unattended

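Applying updates frequently is an important part of keeping a system secure.
By default, updates must be applied manually using the package management tools.
However, you can have Debian download and install important security updates automatically.
This tutorial shows how to automatically download and install stable updates and security patches on a Debian Linux server.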

Installation

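Run the following apt or apt-get command to install the unattended-upgrades package.
To receive email notifications, you must also install bsd-mailx, a traditional simple command-line mail user agent.
The apt-listchanges tool compares a new version of a package with the currently installed one and shows what has changed, by extracting the relevant entries from the Debian changelog and NEWS files.

apt-listchanges will also send these to you by email.
Let's install all of them: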

$ sudo apt install unattended-upgrades apt-listchanges bsd-mailx

Or

$ sudo apt-get install unattended-upgrades apt-listchanges bsd-mailx

Sample output:

Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages will be REMOVED:
  unattended-upgrades*
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 252 kB disk space will be freed.
Do you want to continue? [Y/n] y
(Reading database ... 28679 files and directories currently installed.)
Removing unattended-upgrades (0.93.1+nmu1) ...
Processing triggers for man-db (2.7.6.1-2) ...
(Reading database ... 28649 files and directories currently installed.)
Purging configuration files for unattended-upgrades (0.93.1+nmu1) ...
dpkg: warning: while removing unattended-upgrades, directory '/var/log/unattended-upgrades' not empty so not removed
Processing triggers for systemd (232-25) ...
root@vpngateway:~# apt-get clean
root@vpngateway:~# apt-get autoclean
Reading package lists... Done
Building dependency tree       
Reading state information... Done
root@vpngateway:~# 
root@vpngateway:~# apt-get install unattended-upgrades apt-listchanges bsd-mailx
Reading package lists... Done
Building dependency tree       
Reading state information... Done
apt-listchanges is already the newest version (3.10).
The following additional packages will be installed:
  exim4-base exim4-config exim4-daemon-light liblockfile1 psmisc
Suggested packages:
  eximon4 exim4-doc-html | exim4-doc-info spf-tools-perl swaks needrestart
The following NEW packages will be installed:
  bsd-mailx exim4-base exim4-config exim4-daemon-light liblockfile1 psmisc unattended-upgrades
0 upgraded, 7 newly installed, 0 to remove and 0 not upgraded.
Need to get 2,298 kB of archives.
After this operation, 4,858 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://mirrors.linode.com/debian stretch/main amd64 liblockfile1 amd64 1.14-1+b1 [15.7 kB]
Get:2 http://security.debian.org/debian-security stretch/updates/main amd64 exim4-config all 4.89-2+deb9u1 [377 kB]
Get:3 http://mirrors.linode.com/debian stretch/main amd64 bsd-mailx amd64 8.1.2-0.20150123cvs-4 [87.0 kB]
Get:4 http://mirrors.linode.com/debian stretch/main amd64 psmisc amd64 22.21-2.1+b2 [123 kB]
Get:5 http://mirrors.linode.com/debian stretch/main amd64 unattended-upgrades all 0.93.1+nmu1 [61.7 kB]
Get:6 http://security.debian.org/debian-security stretch/updates/main amd64 exim4-base amd64 4.89-2+deb9u1 [1,093 kB]
Get:7 http://security.debian.org/debian-security stretch/updates/main amd64 exim4-daemon-light amd64 4.89-2+deb9u1 [541 kB]
Fetched 2,298 kB in 0s (19.5 MB/s)      
Preconfiguring packages ...
Selecting previously unselected package liblockfile1:amd64.
(Reading database ... 28642 files and directories currently installed.)
Preparing to unpack .../0-liblockfile1_1.14-1+b1_amd64.deb ...
Unpacking liblockfile1:amd64 (1.14-1+b1) ...
Selecting previously unselected package exim4-config.
Preparing to unpack .../1-exim4-config_4.89-2+deb9u1_all.deb ...
Unpacking exim4-config (4.89-2+deb9u1) ...
Selecting previously unselected package exim4-base.
Preparing to unpack .../2-exim4-base_4.89-2+deb9u1_amd64.deb ...
Unpacking exim4-base (4.89-2+deb9u1) ...
Selecting previously unselected package exim4-daemon-light.
Preparing to unpack .../3-exim4-daemon-light_4.89-2+deb9u1_amd64.deb ...
Unpacking exim4-daemon-light (4.89-2+deb9u1) ...
Selecting previously unselected package bsd-mailx.
Preparing to unpack .../4-bsd-mailx_8.1.2-0.20150123cvs-4_amd64.deb ...
Unpacking bsd-mailx (8.1.2-0.20150123cvs-4) ...
Selecting previously unselected package psmisc.
Preparing to unpack .../5-psmisc_22.21-2.1+b2_amd64.deb ...
Unpacking psmisc (22.21-2.1+b2) ...
Selecting previously unselected package unattended-upgrades.
Preparing to unpack .../6-unattended-upgrades_0.93.1+nmu1_all.deb ...
Unpacking unattended-upgrades (0.93.1+nmu1) ...
Setting up psmisc (22.21-2.1+b2) ...
Setting up exim4-config (4.89-2+deb9u1) ...
Adding system-user for exim (v4)
Setting up liblockfile1:amd64 (1.14-1+b1) ...
Setting up exim4-base (4.89-2+deb9u1) ...
exim: DB upgrade, deleting hints-db
Processing triggers for libc-bin (2.24-11+deb9u1) ...
Processing triggers for systemd (232-25) ...
Setting up unattended-upgrades (0.93.1+nmu1) ...
 
Creating config file /etc/apt/apt.conf.d/20auto-upgrades with new version
 
Creating config file /etc/apt/apt.conf.d/50unattended-upgrades with new version
Created symlink /etc/systemd/system/multi-user.target.wants/unattended-upgrades.service → /lib/systemd/system/unattended-upgrades.service.
Synchronizing state of unattended-upgrades.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable unattended-upgrades
Processing triggers for man-db (2.7.6.1-2) ...
Setting up exim4-daemon-light (4.89-2+deb9u1) ...
Initializing GnuTLS DH parameter file
Setting up bsd-mailx (8.1.2-0.20150123cvs-4) ...
update-alternatives: using /usr/bin/bsd-mailx to provide /usr/bin/mailx (mailx) in auto mode
Processing triggers for systemd (232-25) ...

Configuration file

You need to edit the file named /etc/apt/apt.conf.d/50unattended-upgrades:

$ sudo vi /etc/apt/apt.conf.d/50unattended-upgrades

Or

$ sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

The following section of the configuration file controls which packages are upgraded:

Unattended-Upgrade::Origins-Pattern {
        // Codename based matching:
        // This will follow the migration of a release through different
        // archives (e.g. from testing to stable and later oldstable).
        //      "o=Debian,n=jessie";
        //      "o=Debian,n=jessie-updates";
        //      "o=Debian,n=jessie-proposed-updates";
        //      "o=Debian,n=jessie,l=Debian-Security";
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
};

You can also exclude packages from updates (for example nginx or the Linux kernel images):

Unattended-Upgrade::Package-Blacklist {
        "nginx";
        "linux-image*";
};

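You need to configure an email address to receive mail when something goes wrong or when packages are upgraded.
Of course, you must set a valid email address for this to work (admin@example.com below is a placeholder):

Unattended-Upgrade::Mail "admin@example.com";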

Or at least send it to the root user on the same system:

Unattended-Upgrade::Mail "root";

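Save and close the file.
To activate unattended upgrades, the apt configuration must contain the following two lines.
Use the cat command to view them: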

$ cat /etc/apt/apt.conf.d/20auto-upgrades

Sample output:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

This file can be created or updated with the following command:

$ sudo dpkg-reconfigure -plow unattended-upgrades

Sample output:

[Figure: activating unattended upgrades from the command line]

Finally, use a text editor (such as vim or nano) to edit the file named /etc/apt/listchanges.conf:

$ sudo vi /etc/apt/listchanges.conf

Change the email address from:

email_address=root

to (admin@example.com is a placeholder for your own address):

email_address=admin@example.com

Save and close the file.
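
A check that the three files edited above ended up in the state the steps describe, as an added example that is not part of the original tutorial. The function names and sample files are constructed for illustration; each file is read on its own, so a setting overridden by another file in /etc/apt/apt.conf.d is not seen.

```sh
# Audit copies of the files this tutorial edits (added example, constructed samples).

# Print the value of an apt.conf line of the form: Key "value";  (// comments never match)
apt_conf_value() {  # $1=file $2=key
    sed -n -E "s|^[[:space:]]*${2}[[:space:]]+\"([^\"]*)\";.*|\1|p" "$1" | tail -n 1
}

# Both periodic switches must be set and non-zero, otherwise the job never runs.
periodic_enabled() {  # $1=20auto-upgrades
    for key in Update-Package-Lists Unattended-Upgrade; do
        case "$(apt_conf_value "$1" "APT::Periodic::$key")" in ''|0) return 1 ;; esac
    done
}

# An uncommented Origins-Pattern entry must select the Debian-Security label.
security_origin_enabled() {  # $1=50unattended-upgrades
    grep -Eq '^[[:space:]]*"([^"]*,)?(l|label)=Debian-Security[",]' "$1"
}

# Recipient configured for apt-listchanges (INI-style key=value).
listchanges_recipient() {  # $1=listchanges.conf
    sed -n -E 's|^email_address[[:space:]]*=[[:space:]]*([^[:space:]]+).*|\1|p' "$1" | tail -n 1
}

# Return 0 only if every check passes; print one line per failed check.
audit() {  # $1=20auto-upgrades $2=50unattended-upgrades $3=listchanges.conf
    rc=0
    periodic_enabled "$1" || { echo "FAIL: periodic run disabled ($1)"; rc=1; }
    security_origin_enabled "$2" || { echo "FAIL: no active security origin ($2)"; rc=1; }
    [ -n "$(apt_conf_value "$2" Unattended-Upgrade::Mail)" ] || { echo "FAIL: Mail unset ($2)"; rc=1; }
    [ -n "$(listchanges_recipient "$3")" ] || { echo "FAIL: email_address unset ($3)"; rc=1; }
    return "$rc"
}

# Constructed sample files: a good set mirroring the tutorial, and broken variants.
make_samples() {  # $1=directory to write into
    printf '%s\n' 'APT::Periodic::Update-Package-Lists "1";' \
        'APT::Periodic::Unattended-Upgrade "1";' > "$1/20auto.ok"
    sed 's/Unattended-Upgrade "1"/Unattended-Upgrade "0"/' "$1/20auto.ok" > "$1/20auto.bad"
    printf '%s\n' 'Unattended-Upgrade::Origins-Pattern {' \
        '        "origin=Debian,codename=${distro_codename},label=Debian-Security";' \
        '};' 'Unattended-Upgrade::Mail "root";' > "$1/50unattended.ok"
    sed 's|^|//|' "$1/50unattended.ok" > "$1/50unattended.bad"  # every line commented out
    printf '%s\n' '[apt]' 'email_address=root' > "$1/listchanges.conf"
}

d=$(mktemp -d) && make_samples "$d"
audit "$d/20auto.ok" "$d/50unattended.ok" "$d/listchanges.conf" && echo "OK: good set passes"
audit "$d/20auto.bad" "$d/50unattended.bad" "$d/listchanges.conf" || echo "broken set rejected"
```

On a real host, pass /etc/apt/apt.conf.d/20auto-upgrades, /etc/apt/apt.conf.d/50unattended-upgrades and /etc/apt/listchanges.conf to audit. Running sudo unattended-upgrade --dry-run --debug afterwards shows which packages the next run would pick up without installing anything.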