
How to create an automatic update task for various GNU Linux distributions.
This script should be run daily or weekly. If you use a restrictive iptables firewall, the script should open the necessary ports.
License: Copyright Emeric Nasi, some rights reserved
This work is licensed under a Creative Commons Attribution 4.0 International License.
Introduction
Keeping your system up to date with the latest patches is a security basic. In this article I will show how to
create an automatic update task for various GNU Linux distributions.
This script should be run daily or weekly, and if the host has a restrictive firewall, the script should open the necessary ports itself.
I Create the script
Let's call our script 'system_update'.
touch system_update
Edit system_update with your favorite editor.
If you have a Debian based distribution:
If you have a RedHat based distribution:
If you use an OpenSuse distribution:
If you use a Mandriva distribution:
II Advanced script, automatic firewall rules
If your system has a restrictive host firewall, you need to allow the Internet connections the system update implies. These connections
are:
- DNS requests to resolve the repositories' IP addresses. That means allowing connections to remote port 53, UDP and TCP
- HTTP to fetch repository metadata and packages. That means allowing connections to remote port 80 TCP
If the iptables OUTPUT default policy is set to DROP, you need the following iptables rules:
iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
If the iptables INPUT default policy is set to DROP, you need the following iptables rules for the return traffic:
iptables -A INPUT -p tcp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT
If we adapt the previous script we have:
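The adapted script itself is not reproduced on this page. As an added example (not the article's own script), here is one way to combine the distribution-specific update with the firewall rules above: the same rule list is inserted before the update and removed afterwards, on any exit, so a failed update never leaves the ports open. It assumes the usual distribution marker files under /etc (debian_version, redhat-release, SuSE-release, mandriva-release), the package manager commands shown, and iptables with DROP default policies on INPUT and OUTPUT.

```bash
#!/bin/bash
# system_update: added example, not the article's own script.
# Assumes: the distribution marker files under /etc, the package
# managers named below, and iptables with DROP default policies.
set -eu
UPDATE_PORTS="tcp:53 udp:53 tcp:80"   # DNS tcp+udp, HTTP tcp (the article's list)

# Print the iptables commands that open ($1 = -I) or remove ($1 = -D) the
# update rules, so exactly the same rules are added and later deleted.
# -I inserts at the top of the chain so the rule precedes any final REJECT.
fw_rules() {
    action="$1"
    for entry in $UPDATE_PORTS; do
        proto=${entry%%:*}
        port=${entry##*:}
        echo "iptables $action OUTPUT -p $proto --dport $port -m state --state NEW -j ACCEPT"
        echo "iptables $action INPUT -p $proto --sport $port -m state --state RELATED,ESTABLISHED -j ACCEPT"
    done
}

# Print the non-interactive update command for the distribution found under
# root $1 (default /); return 1 if no marker file is recognised.
update_cmd() {
    root=${1:-}
    if [ -f "$root/etc/debian_version" ]; then
        echo "apt-get -q update && apt-get -q -y upgrade"
    elif [ -f "$root/etc/redhat-release" ]; then
        echo "yum -y update"
    elif [ -f "$root/etc/SuSE-release" ]; then
        echo "zypper --non-interactive update"
    elif [ -f "$root/etc/mandriva-release" ]; then
        echo "urpmi --auto-update --auto"
    else
        return 1
    fi
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "system_update: must run as root" >&2; exit 1; }
    cmd=$(update_cmd) || { echo "system_update: unsupported distribution" >&2; exit 1; }
    # Remove the rules on any exit, so a failed update never leaves the ports open.
    trap 'fw_rules -D | sh' EXIT
    fw_rules -I | sh
    sh -c "$cmd"
}

# Run only when executed as the cron script, not when sourced for testing.
if [ "${0##*/}" = "system_update" ]; then
    main
fi
```

Install it under /etc/cron.daily as shown in the next section; cron runs it as root, which is what the update and the iptables calls require.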
III Create the cron task
The best way to have a scheduled task is to create a cron script. Before you continue,
make sure that cron is enabled at boot. Verify that /etc/init.d/cron exists and is linked from the correct rc folder.
If you use Ubuntu, verify that cron is enabled in /etc/init/cron.conf.
If you plan to run this script on a non-server box, you may also want to verify that anacron runs at boot (/etc/init.d/anacron, or
/etc/init/anacron.conf for Ubuntu upstart jobs), so that a run missed while the machine was off is caught up later.
Creating a cron task is really easy. If you want your system_update script to run daily, put the script in /etc/cron.daily; if you want it to run weekly,
put your script in /etc/cron.weekly.
cp system_update /etc/cron.daily/system_update
chown root:root /etc/cron.daily/system_update
chmod 700 /etc/cron.daily/system_update
You can verify that the script is working by running it:
/bin/bash /etc/cron.daily/system_update