SERVER HARDENING
June 24, 2026

How to Keep Your Server Patched Automatically

8 min read
Author
CloudStick Team
DevOps Engineer

Why Automatic Updates Matter

The gap between a vulnerability being disclosed and attackers actively exploiting it is measured in hours, not days. Manually patching servers works for a single machine you actively monitor, but it breaks down at scale — a team managing 10 servers cannot realistically apply security updates within hours of disclosure across all of them manually.

Automatic security updates close most of that window: unattended-upgrades checks the Ubuntu security repository on its daily timer (apt-daily-upgrade.timer) and installs whatever has appeared since the last run, with no manual intervention. The tradeoffs are that updates land without review and that kernel and libc updates still need a reboot before they take effect; the reboot is managed by scheduling it in a low-traffic window, or avoided for most kernel fixes with Livepatch (covered below).

Configure Unattended Upgrades

Ubuntu 24.04 ships with unattended-upgrades pre-installed. Enable and configure it:

# Install if not present
sudo apt install unattended-upgrades -y
# Enable automatic updates; select "Yes" when prompted
sudo dpkg-reconfigure --priority=low unattended-upgrades
# This writes APT::Periodic::Unattended-Upgrade "1" to /etc/apt/apt.conf.d/20auto-upgrades,
# which is what actually turns the daily job on

Edit the configuration at /etc/apt/apt.conf.d/50unattended-upgrades to control what gets updated:

Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
// The two ESM origins only deliver packages on a machine attached to Ubuntu Pro
"${distro_id}ESMApps:${distro_codename}-apps-security";
"${distro_id}ESM:${distro_codename}-infra-security";
};
// Remove dependencies that are no longer needed after an upgrade
Unattended-Upgrade::Remove-Unused-Dependencies "true";
// Mail a report; needs a working local mail command (e.g. bsd-mailx) and MTA
Unattended-Upgrade::Mail "admin@yourdomain.com";
// "on-change" mails when something was upgraded or failed; "only-on-error" is quieter
Unattended-Upgrade::MailReport "on-change";

The -security origin is the one that matters: it is where Ubuntu publishes CVE fixes. The bare ${distro_id}:${distro_codename} origin is the release pocket itself, which almost never changes after release, so enabling it is harmless but does not pull in general updates. Those live in ${distro_id}:${distro_codename}-updates, which the default file leaves commented out because bug-fix updates carry more regression risk than targeted security fixes; enable it only if you want the whole system tracked automatically. To see which origins the service will actually use, run sudo unattended-upgrade --dry-run --debug and read the "Allowed origins are:" line.
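The following script is an added example written for this article, not CloudStick or Canonical code. It reads the two files the service actually consults, 50unattended-upgrades and 20auto-upgrades (the latter is what dpkg-reconfigure writes), strips apt.conf comments, and checks that the security origin is active, that the daily job is switched on, and what the reboot settings are. The two sample configurations it builds are constructed for the demo; the "weak" one has the security line commented out, which is an easy mistake to make when editing the file by hand. Run it with no arguments on a real server, or with --demo anywhere.

```shell
#!/usr/bin/env bash
# check-uu-config.sh: preflight check for an unattended-upgrades configuration.
# Added example for this article; not CloudStick or Canonical code. It answers
# one question: will security updates actually be installed by the daily job?
# File paths are passed in so the same checks run against the constructed
# samples below or against the live files under /etc/apt/apt.conf.d.

# Drop // and # comments plus blank lines (apt.conf allows both comment styles).
strip_comments() {
  [ -r "$1" ] || return 1
  sed -E 's@//.*$@@; s/^[[:space:]]*#.*$//' "$1" | grep -v '^[[:space:]]*$'
}

# Print the active Allowed-Origins entries, one per line, without quotes.
allowed_origins() {
  strip_comments "$1" \
    | sed -n '/Unattended-Upgrade::Allowed-Origins/,/^[[:space:]]*};/p' \
    | grep -oE '"[^"]+"' | tr -d '"'
}

# Value of a scalar option such as Unattended-Upgrade::Automatic-Reboot-Time.
# The last definition wins, as it does for apt itself.
option_value() {
  strip_comments "$1" | grep -E "^[[:space:]]*$2[[:space:]]+\"" | tail -n 1 \
    | sed -E 's/.*"([^"]*)".*/\1/'
}

# True if the -security origin is active in the given 50unattended-upgrades file.
security_origin_enabled() {
  allowed_origins "$1" | grep -qxF '${distro_id}:${distro_codename}-security'
}

# True if the given 20auto-upgrades file turns the daily unattended-upgrade job on.
periodic_enabled() {
  [ "$(option_value "$1" APT::Periodic::Unattended-Upgrade)" = "1" ]
}

# Run every check; print one line per finding; return 1 if anything failed.
audit() {
  local conf="$1" periodic="$2" rc=0 reboot time
  if security_origin_enabled "$conf"; then
    echo "ok: security origin is active in $conf"
  else
    echo 'FAIL: "${distro_id}:${distro_codename}-security" is not active in Allowed-Origins'
    rc=1
  fi
  if periodic_enabled "$periodic"; then
    echo "ok: daily unattended-upgrade job is enabled in $periodic"
  else
    echo 'FAIL: APT::Periodic::Unattended-Upgrade is not "1"; run dpkg-reconfigure unattended-upgrades'
    rc=1
  fi
  reboot=$(option_value "$conf" Unattended-Upgrade::Automatic-Reboot)
  time=$(option_value "$conf" Unattended-Upgrade::Automatic-Reboot-Time)
  echo "info: Automatic-Reboot=${reboot:-unset (default false)} Automatic-Reboot-Time=${time:-unset (default now)}"
  return $rc
}

# Constructed sample files, not copied from any real server. "weak" has the
# security origin commented out and the daily job switched off.
write_samples() {
  local dir="$1"
  cat > "$dir/50-weak" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
//      "${distro_id}:${distro_codename}-security";
        "${distro_id}:${distro_codename}-updates";
};
Unattended-Upgrade::Automatic-Reboot "false";
EOF
  cat > "$dir/50-good" <<'EOF'
// Hardened version: security pocket on, reboot scheduled off-peak
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        "${distro_id}ESMApps:${distro_codename}-apps-security";
        "${distro_id}ESM:${distro_codename}-infra-security";
};
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "04:00";
EOF
  printf 'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Unattended-Upgrade "0";\n' > "$dir/20-weak"
  printf 'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Unattended-Upgrade "1";\n' > "$dir/20-good"
}

# With --demo (or when the live files are absent) check the samples; otherwise the server.
if [ "${1:-}" = "--demo" ] || [ ! -r /etc/apt/apt.conf.d/50unattended-upgrades ]; then
  tmp=$(mktemp -d)
  write_samples "$tmp"
  echo "--- weak ---"; audit "$tmp/50-weak" "$tmp/20-weak"
  echo "--- good ---"; audit "$tmp/50-good" "$tmp/20-good"
  rm -rf "$tmp"
else
  audit /etc/apt/apt.conf.d/50unattended-upgrades /etc/apt/apt.conf.d/20auto-upgrades
fi
```

The comment stripping matters more than it looks: the stock file ships the -updates and ESM lines commented out with //, and a check that greps the raw file would report them as enabled.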

Schedule Automatic Reboots

Kernel, glibc and some service updates only take effect after a reboot. The packages that need one create /var/run/reboot-required and list themselves in /var/run/reboot-required.pkgs; unattended-upgrades never reboots on its own unless you enable it. Either let it reboot in a low-traffic window (the time is interpreted in the server's local timezone, so check timedatectl first; by default it will reboot even with users logged in, controlled by Automatic-Reboot-WithUsers), or leave Automatic-Reboot off and act on the flag yourself:

# In /etc/apt/apt.conf.d/50unattended-upgrades, to reboot automatically at 04:00 local time:
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "04:00";
# Or keep the default and manage reboots manually:
Unattended-Upgrade::Automatic-Reboot "false";

# From a shell, check whether a reboot is pending (the file is absent when none is):
cat /var/run/reboot-required

TIP: For production web servers, use a cron job to add REBOOT REQUIRED to your monitoring dashboard when /var/run/reboot-required exists, so you can schedule reboots during your preferred maintenance window rather than letting them happen automatically.

Monitor What Was Patched

unattended-upgrades logs each run, the packages it installed and any errors. Check these to confirm the daily timer is firing and to audit what changed. The run itself is driven by two systemd timers, apt-daily.timer (refresh package lists) and apt-daily-upgrade.timer (install), so if the log is empty, check those with systemctl list-timers 'apt-daily*' before suspecting the configuration.

# View the unattended-upgrades log (one "Starting unattended upgrades script" entry per run)
cat /var/log/unattended-upgrades/unattended-upgrades.log
# The dpkg output of each run is kept separately in unattended-upgrades-dpkg.log
# Run a dry-run to see what would be upgraded now (also prints the allowed origins)
sudo unattended-upgrade --dry-run --debug
# Check apt history for past upgrades (unattended runs show Commandline: /usr/bin/unattended-upgrade)
grep "Upgrade:" /var/log/apt/history.log | tail -20
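The script below is an added example for this article, not CloudStick or Canonical code, and it serves both the reboot-flag tip in the previous section and the log checks above. It reads the files unattended-upgrades actually writes (its log and the reboot-required flag), isolates the most recent run, and prints one line with the last run time, the packages it installed, an error count, and the REBOOT REQUIRED marker the tip suggests surfacing on a dashboard. The log lines in make_sample_tree imitate the real log format but are constructed for the demo; the package names are just plausible examples. Run it with no arguments from cron on a real server, or with --demo anywhere.

```shell
#!/usr/bin/env bash
# patch-status.sh: one-line patch status for a monitoring check.
# Added example for this article; not CloudStick or Canonical code.
# Every function takes a root directory: "" means the live filesystem, a temp
# directory means the constructed sample tree built by make_sample_tree below.

# Exit 0 if a reboot is pending; print the packages that set the flag, if known.
reboot_pending() {
  local root="$1"
  [ -f "$root/var/run/reboot-required" ] || return 1
  # The .pkgs companion lists one package per line and may contain duplicates.
  if [ -f "$root/var/run/reboot-required.pkgs" ]; then
    sort -u "$root/var/run/reboot-required.pkgs" | paste -sd ' ' -
  fi
  return 0
}

# Print only the log lines of the most recent run (from its "Starting" marker on).
last_run_lines() {
  local log="$1/var/log/unattended-upgrades/unattended-upgrades.log" start
  [ -r "$log" ] || return 1
  start=$(grep -n 'Starting unattended upgrades script' "$log" | tail -n 1 | cut -d: -f1)
  [ -n "$start" ] || return 1
  tail -n +"$start" "$log"
}

# Timestamp of the most recent run, or nothing if the service has never run.
last_run() {
  last_run_lines "$1" | head -n 1 | cut -d, -f1
}

# Packages installed by the most recent run. Newer releases log "were upgraded",
# older ones "will be upgraded". Empty output means nothing was installed.
last_upgraded() {
  last_run_lines "$1" | grep -E 'Packages that (were|will be) upgraded:' \
    | sed -E 's/.*upgraded: *//'
}

# Number of ERROR lines in the most recent run (0 when there is no log at all).
last_run_errors() {
  last_run_lines "$1" | grep -c ' ERROR ' || true
}

# The summary line for a dashboard or alert.
status_line() {
  local root="$1" reboot="no" run pkgs errs
  if reboot_pending "$root" >/dev/null; then reboot="REBOOT REQUIRED"; fi
  run=$(last_run "$root" || true)
  [ -n "$run" ] || run="never"
  pkgs=$(last_upgraded "$root" || true)
  errs=$(last_run_errors "$root" || true)
  printf 'reboot=%s last_run=%s errors=%s upgraded=[%s]\n' "$reboot" "$run" "$errs" "$pkgs"
}

# Constructed sample tree: two nightly runs, the second of which installed a
# kernel update that set the reboot flag. Not taken from a real server.
make_sample_tree() {
  local root="$1"
  mkdir -p "$root/var/run" "$root/var/log/unattended-upgrades"
  cat > "$root/var/log/unattended-upgrades/unattended-upgrades.log" <<'EOF'
2026-06-23 04:00:12,101 INFO Starting unattended upgrades script
2026-06-23 04:00:12,102 INFO Allowed origins are: o=Ubuntu,a=noble, o=Ubuntu,a=noble-security
2026-06-23 04:00:15,310 INFO No packages found that can be upgraded unattended and no pending auto-removals
2026-06-24 04:00:09,457 INFO Starting unattended upgrades script
2026-06-24 04:00:09,458 INFO Allowed origins are: o=Ubuntu,a=noble, o=Ubuntu,a=noble-security
2026-06-24 04:00:21,882 INFO Packages that were upgraded: linux-image-generic libssl3t64
2026-06-24 04:00:21,883 INFO Writing dpkg log to /var/log/unattended-upgrades/unattended-upgrades-dpkg.log
2026-06-24 04:01:40,005 INFO All upgrades installed
EOF
  : > "$root/var/run/reboot-required"
  printf 'linux-image-generic\nlinux-image-generic\n' > "$root/var/run/reboot-required.pkgs"
}

# No argument: inspect the live server. "--demo": build and inspect the sample tree.
if [ "${1:-}" = "--demo" ]; then
  demo=$(mktemp -d); make_sample_tree "$demo"; status_line "$demo"; rm -rf "$demo"
else
  status_line ""
fi
```

Isolating the last run before grepping is the part that matters: a single grep over the whole log would happily report packages from a run three weeks ago as "last upgraded" and hide the fact that the timer has since stopped firing.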

Kernel Live Patching with Livepatch

Canonical offers Livepatch, a service that applies fixes for high- and critical-severity kernel CVEs to the running kernel without a reboot. It is part of Ubuntu Pro, which is free for personal use on up to 5 machines. For servers where downtime is costly, this removes the reboot requirement for most kernel CVEs, but not all of them: lower-severity fixes and new kernel versions still arrive as ordinary packages and still set /var/run/reboot-required, so keep the reboot check from the previous section in place.

# Attach the machine to Ubuntu Pro (free for up to 5 machines); the token comes from ubuntu.com/pro
sudo pro attach YOUR_TOKEN
# Enable Livepatch
sudo pro enable livepatch
# Check Livepatch status, including which CVE fixes are currently applied
canonical-livepatch status --verbose

CloudStick Security and Third-Party Updates

CloudStick includes a Security & Third-party Updates panel in the server management dashboard. It shows pending security updates for installed packages and lets you apply them with one click — without needing to SSH into the server.

For teams managing multiple servers, this centralizes patch status visibility — you can see at a glance which servers have pending updates across your entire fleet, and apply them in bulk from the same dashboard where you manage websites and backups.
