Frequently Asked Question
How do I keep a Linux server patched automatically?
The single most effective defensive practice is keeping the system patched. Most real
compromises exploit known vulnerabilities for which a fix has been released, often
weeks or months earlier. On Debian and Ubuntu the standard tool is
unattended-upgrades, a small daemon that runs every night, fetches the security
pocket, and installs updates without operator intervention. Enable it with
sudo apt install unattended-upgrades and sudo dpkg-reconfigure unattended-upgrades; tune which repositories it tracks in
/etc/apt/apt.conf.d/50unattended-upgrades, including whether to reboot at a chosen
hour after a kernel update.
On Fedora, RHEL, AlmaLinux, and Rocky the equivalent is dnf-automatic, configured
via /etc/dnf/automatic.conf and a systemd timer. SUSE provides
zypper-automatic-update. For kernel patches without a reboot, paid tools such as
Canonical's Livepatch, Red Hat's kpatch, and Oracle's Ksplice deliver hot fixes for
LTS kernels on supported subscriptions.
Automation is necessary but not sufficient. Subscribe to the distribution's security announcement list, watch the kernel CVE feed for anything that affects your workload, and test that automatic restarts and reboots actually complete cleanly: a server that auto-installs a kernel but never reboots is patched in name only.
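The following script is an added example for this FAQ, not part of the unattended-upgrades project or of any distribution's tooling. It ties together the two points above for a Debian or Ubuntu host: it writes an apt snippet that restricts unattended-upgrades to the security pocket and enables a timed reboot, and it checks whether the running kernel is really the newest one installed, which is the "patched in name only" failure the last paragraph warns about. The snippet filename 52unattended-upgrades-local and the 03:00 reboot time are choices made here, not defaults; the configuration keys themselves are the real ones documented in 50unattended-upgrades.

```shell
#!/bin/sh
# Added example (not project code). Assumes Debian/Ubuntu package naming
# (linux-image-<release>) and the apt.conf.d drop-in directory.

# write_apt_config DIR
# Writes DIR/52unattended-upgrades-local. apt reads every file in
# /etc/apt/apt.conf.d in name order, so a "52" file overrides the
# stock 50unattended-upgrades without editing it.
write_apt_config() {
    dir="$1"
    cat > "$dir/52unattended-upgrades-local" <<'EOF'
// Only the security pocket; ${distro_id}/${distro_codename} are expanded
// by unattended-upgrades itself at run time.
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
};
// Reboot when a package (typically a kernel) requests it, at 03:00 local time.
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "03:00";
// Purge superseded kernels so /boot does not fill up and block future updates.
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
EOF
}

# newest_version V1 V2 ...
# Prints the highest version string using natural version sort, so that
# 5.15.0-100 correctly ranks above 5.15.0-91.
newest_version() {
    printf '%s\n' "$@" | sort -V | tail -n 1
}

# kernel_is_current RUNNING INSTALLED...
# Returns 0 if RUNNING equals the newest INSTALLED release, 1 otherwise
# (i.e. a reboot is still pending). Pure function, so it is testable offline.
kernel_is_current() {
    running="$1"; shift
    newest=$(newest_version "$@")
    [ "$running" = "$newest" ]
}

# check_live_system
# Real check on the host: compares uname -r with the installed linux-image
# packages and also honours the reboot-required flag that packages drop.
check_live_system() {
    running=$(uname -r)
    # Keep only versioned images (drop meta-packages like linux-image-generic).
    installed=$(dpkg-query -W -f='${Package}\n' 'linux-image-*' 2>/dev/null \
        | sed -n 's/^linux-image-\([0-9].*\)$/\1/p')
    if [ -f /var/run/reboot-required ]; then
        echo "reboot required: /var/run/reboot-required is present"
        return 1
    fi
    if kernel_is_current "$running" $installed; then
        echo "running kernel $running is the newest installed kernel"
        return 0
    fi
    echo "running kernel $running is older than an installed kernel; reboot pending"
    return 1
}

# Only touch the live system when explicitly asked, e.g.: sh patchcheck.sh --live
case "${1:-}" in
    --live) check_live_system ;;
esac
```

Run the live check from cron or a monitoring agent and alert on a non-zero exit; a host that stays non-zero for more than a day has an automatic reboot that is not actually happening.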