Most server compromises exploit known, already-patched vulnerabilities. Automatic security updates close that gap. On Ubuntu and Debian, unattended-upgrades handles it.
Install and enable
sudo apt update
sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure --priority=low unattended-upgrades
Configure what gets updated
Edit /etc/apt/apt.conf.d/50unattended-upgrades. By default it applies security updates only — the safest choice. You can enable automatic reboots (during a maintenance window) if a kernel update requires one:
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "03:30";
Verify it's working
sudo unattended-upgrade --dry-run --debug
cat /var/log/unattended-upgrades/unattended-upgrades.log
A note of caution
Automatic security patches are low-risk and highly recommended. Automatically applying all updates is riskier for production — test those in staging. Combine auto-patching with regular backups for peace of mind.