Set up the Servers

Now that the firewall is set up, you can plug the Application Server and the Monitor Server into the firewall. If you are using a setup where there is a switch on the LAN port, plug the Application Server into the switch and plug the Monitor Server into the OPT1 port.

Install Ubuntu

Note

Installing Ubuntu is simple and may even be something you are very familiar with, but we strongly encourage you to read and follow this documentation exactly, as there are some “gotchas” that can cause your SecureDrop setup to break.

The Admin Workstation, running Tails, should be used to download and verify Ubuntu Server. The Application Server and the Monitor Server specifically require the 64-bit version of Ubuntu Server 14.04.5 LTS (Trusty Tahr). The image you want to get is named ubuntu-14.04.5-server-amd64.iso. In order to verify the installation media, you should also download the files named SHA256SUMS and SHA256SUMS.gpg.

Note

Downloading Ubuntu from Tails may take a very long time because the download goes over Tor.

Verify the Ubuntu installation media

First, verify that the Ubuntu image you downloaded has not been modified by an attacker or otherwise corrupted. We do so by checking its integrity with cryptographic signatures and hashes: the SHA256SUMS file is signed by the Ubuntu image signing key, and the image's hash is listed in that file.

Start by downloading the Ubuntu image signing key, passing its full fingerprint so that GPG can check the key it receives:

gpg --recv-key "C598 6B4F 1257 FFA8 6632 CBA7 4618 1433 FBB7 5451"

Note

It is important you type this out correctly. If you are not copy-pasting this command, we recommend you double-check you have entered it correctly before pressing enter.

As before, when the full public key fingerprint is passed to --recv-key, GPG implicitly checks that the fingerprint of the key it received matches the argument given. You can confirm this yourself afterwards by listing the key with gpg --fingerprint and comparing the output to the fingerprint above.

Caution

If GPG warns you that the fingerprint of the key received does not match the one requested do not proceed with the installation. If this happens, please email us at securedrop@freedom.press.

Next, verify the signature on the SHA256SUMS file. Move on to the next step only if the output contains “Good signature” and the key named on that line is the Ubuntu image signing key you just imported (a good signature from some other key in your keyring is not sufficient).

gpg --verify SHA256SUMS.gpg SHA256SUMS

The next and final step is to verify the Ubuntu image.

sha256sum -c <(grep ubuntu-14.04.5-server-amd64.iso SHA256SUMS)

If the final verification step is successful, you should see the following output in your terminal.

ubuntu-14.04.5-server-amd64.iso: OK

Caution

If you do not see the line above it is not safe to proceed with the installation. If this happens, please contact us at securedrop@freedom.press.
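The three checks above, as an added example script that is not part of the SecureDrop documentation or its tooling. It assumes the ISO, SHA256SUMS and SHA256SUMS.gpg are in the current directory and that gpg and sha256sum are installed, as they are on Tails. It is stricter than the manual steps in two places: it confirms the fingerprint of the key that is actually in the keyring, and it accepts the sums file only if gpg's machine-readable status output reports a VALIDSIG from the Ubuntu key, rather than grepping for “Good signature”, which gpg also prints for any other imported key.

```bash
#!/usr/bin/env bash
# verify_ubuntu_iso.sh: stricter form of the verification steps above.
# Added example for this guide, not SecureDrop's own tooling.  Assumes the ISO,
# SHA256SUMS and SHA256SUMS.gpg are in the current directory and that gpg and
# sha256sum are installed (both are on Tails).
set -u

# Fingerprint of the Ubuntu image signing key, as given in the guide.
UBUNTU_FPR="C5986B4F1257FFA86632CBA746181433FBB75451"

# Read a SHA256SUMS file on stdin and print the digest for exactly one file
# name.  Fails unless precisely one line matches, so a typo in the name (or a
# sums file for a different release) cannot slip through.
expected_sha256() {
    local name="$1"
    awk -v n="$name" '
        $2 == ("*" n) || $2 == n { print $1; c++ }
        END { exit (c == 1) ? 0 : 1 }'
}

# Read gpg --status-fd output on stdin and succeed only if it contains a
# VALIDSIG line made by the Ubuntu key.  Field 3 is the signing key's
# fingerprint and the last field the primary key's, so either may match.
signature_is_from_ubuntu() {
    awk -v fpr="$UBUNTU_FPR" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Full check: key present with the right fingerprint, sums file signed by it,
# ISO digest equal to the signed value.
verify_iso() {
    local iso="$1" status want have
    gpg --batch --with-colons --fingerprint "$UBUNTU_FPR" 2>/dev/null \
        | awk -F: -v fpr="$UBUNTU_FPR" '$1 == "fpr" && $10 == fpr { f = 1 } END { exit f ? 0 : 1 }' \
        || { echo "Ubuntu signing key missing or fingerprint mismatch; do not proceed" >&2; return 1; }
    status=$(gpg --batch --status-fd 1 --verify SHA256SUMS.gpg SHA256SUMS 2>/dev/null) || true
    printf '%s\n' "$status" | signature_is_from_ubuntu \
        || { echo "SHA256SUMS is not validly signed by the Ubuntu key; do not proceed" >&2; return 1; }
    want=$(expected_sha256 "$iso" < SHA256SUMS) \
        || { echo "no unique entry for $iso in SHA256SUMS" >&2; return 1; }
    have=$(sha256sum "$iso" | awk '{ print $1 }')
    [ "$want" = "$have" ] || { echo "$iso: sha256 mismatch; do not proceed" >&2; return 1; }
    echo "$iso: OK"
}

# Usage: ./verify_ubuntu_iso.sh ubuntu-14.04.5-server-amd64.iso
if [ "$#" -gt 0 ]; then
    verify_iso "$1"
fi
```

Any non-zero exit from the script means the same thing as the Caution above: do not install from that image.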

Create the Ubuntu installation media

To create the Ubuntu installation media, either burn the ISO image to a CD-R or create a bootable USB stick. We recommend using the dd command to copy the hybrid ISO directly to a USB drive, which is reliable, rather than a utility like UNetbootin, which can produce broken media. Once you have a CD or USB stick with the Ubuntu image on it, you can begin the Ubuntu installation on both SecureDrop servers.

To use dd you first need to find the device node that the USB stick you will write the Ubuntu installer to has been mapped to. Running lsblk in a terminal lists your block storage devices (this includes hard drives and USB sticks). If the stick you are writing the Ubuntu installer to is of a different size or brand than the one you are running Tails from, it should be easy to tell which stick has which sdX identifier. If you are unsure, run lsblk before and after plugging in the stick you are using for the Ubuntu installer, and use the device that appears. Writing to the wrong device destroys its contents, so double-check before running dd.

If your USB stick is mapped to /dev/sdX and you are in the directory that contains the Ubuntu ISO, run dd like so (target the whole device, not a partition such as /dev/sdX1):

sudo dd conv=fdatasync if=ubuntu-14.04.5-server-amd64.iso of=/dev/sdX
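An added example wrapper around the dd step, not part of the SecureDrop documentation. It refuses targets that are not block devices or that have something mounted from them (which is what the stick Tails itself is running from looks like), and after writing it reads the image back and compares it, limited to the image's length because the stick is larger than the ISO. It assumes GNU coreutils and diffutils, as on Tails, and that it runs as root; the bs=4M option is only a throughput choice.

```bash
#!/usr/bin/env bash
# write_installer.sh: write the Ubuntu ISO with dd and then read it back.
# Added example for this guide, not SecureDrop's own tooling.  Assumes GNU
# coreutils/diffutils (as on Tails) and that it is run as root.
set -u

# Compare the first <size of image> bytes of the target with the image.
# A USB stick is larger than the ISO, so cmp over the whole device would
# always report a difference at the image's end; limiting the comparison to
# the image length makes a match meaningful.  Fails if the target is shorter.
image_matches_device() {
    local image="$1" device="$2"
    cmp -n "$(stat -c %s "$image")" "$image" "$device" >/dev/null
}

# Refuse obviously wrong targets (not a block device, or something mounted
# from it, such as the stick Tails is running from), then write the image
# and verify it by reading it back.
write_image() {
    local image="$1" device="$2"
    [ -f "$image" ] || { echo "$image: no such file" >&2; return 1; }
    [ -b "$device" ] || { echo "$device is not a block device" >&2; return 1; }
    if grep -q "^$device" /proc/mounts; then
        echo "$device or a partition on it is mounted; refusing to overwrite it" >&2
        return 1
    fi
    dd conv=fdatasync if="$image" of="$device" bs=4M || return 1
    sync
    if image_matches_device "$image" "$device"; then
        echo "$device matches $image"
    else
        echo "$device does not match $image after writing; do not boot from it" >&2
        return 1
    fi
}

# Usage: sudo ./write_installer.sh ubuntu-14.04.5-server-amd64.iso /dev/sdX
if [ "$#" -eq 2 ]; then
    write_image "$1" "$2"
fi
```

The read-back may be served from the page cache rather than the medium; for a comparison against what is actually on the stick, unplug and re-insert it and run image_matches_device again.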

Perform the Installation

The steps below are the same for both the Application Server and the Monitor Server.

Start by inserting the Ubuntu installation media into the server. Boot or reboot the server with the installation media inserted, and enter the boot menu. To enter the boot menu, you need to press a key as soon as you turn the server on. This key varies depending on server model, but common choices are Esc, F2, F10, and F12. Often, the server will briefly display a message on boot that shows which key should be pressed to enter the boot menu. Once you’ve entered the boot menu, select the installation media (USB or CD) and press Enter to boot it.

After booting the Ubuntu image, select Install Ubuntu Server.

Ubuntu Server

Follow the steps to select your language, country and keyboard settings. Once that’s done, let the installation process continue.

Configure the network manually

The Ubuntu installer will try to autoconfigure networking for the server you are setting up; however, SecureDrop 0.3 requires manual network configuration. You can hit Cancel at any point during network autoconfiguration to be given the choice to Configure the network manually.

If network autoconfiguration completes before you can do this, the next window will ask for your hostname. To get back to the choice of configuring the network manually, Cancel the step that asks you to set a hostname and choose the menu option that says Configure the network manually instead.

For a production install with a pfSense network firewall in place, the Application Server and the Monitor Server are on separate networks. You may choose your own network settings at this point, but make sure the settings you choose are unique on the firewall’s network and remember to propagate your choices through the rest of the installation process.

Below are two configurations you should enter, assuming you used the network settings from the network firewall guide. If you did not, adjust these settings accordingly.

3 NIC Firewall

  • Application Server:
    • Server IP address: 10.20.1.2
    • Netmask (default is fine): 255.255.255.0
    • Gateway: 10.20.1.1
    • For DNS, use Google’s name servers: 8.8.8.8 and 8.8.4.4
    • Hostname: app
    • Domain name should be left blank
  • Monitor Server:
    • Server IP address: 10.20.2.2
    • Netmask (default is fine): 255.255.255.0
    • Gateway: 10.20.2.1
    • For DNS, use Google’s name servers: 8.8.8.8 and 8.8.4.4
    • Hostname: mon
    • Domain name should be left blank

4 NIC Firewall

  • Application Server:
    • Server IP address: 10.20.2.2
    • Netmask (default is fine): 255.255.255.0
    • Gateway: 10.20.2.1
    • For DNS, use Google’s name servers: 8.8.8.8 and 8.8.4.4
    • Hostname: app
    • Domain name should be left blank
  • Monitor Server:
    • Server IP address: 10.20.3.2
    • Netmask (default is fine): 255.255.255.0
    • Gateway: 10.20.3.1
    • For DNS, use Google’s name servers: 8.8.8.8 and 8.8.4.4
    • Hostname: mon
    • Domain name should be left blank

Continue the installation

You can choose whatever username and password you would like. To make things easier later, use the same username and password on both servers (but do not use the username as the password). Save this password in your admin KeePassX database afterwards.

Click ‘no’ when asked to encrypt the home directory. Then configure your time zone.

Partition the disks

Before setting up the server’s disk partitions and filesystems in the next step, you will need to decide whether you would like to enable Full Disk Encryption (FDE). If the servers are ever powered down, FDE ensures that the information on them stays private if they are seized or stolen. Note that FDE protects data only while the machine is off; once booted and unlocked, the disks are readable to anyone with access to the running system.

Warning

The Ansible playbooks for SecureDrop will enable nightly reboots after the cron-apt task runs for automatic updates. Using FDE would therefore require manual intervention every morning. Consequently we strongly discourage the use of FDE.

While FDE can be useful in some cases, we currently do not recommend that you enable it because there are not many scenarios where it will be a net security benefit for SecureDrop operators. Doing so will introduce the need for more passwords and add even more responsibility on the administrator of the system (see this GitHub issue for more information).

If you wish to proceed without FDE as recommended, choose the installation option that says Guided - use entire disk and set up LVM.

However, if you decide to go ahead and enable FDE, please note that doing so means SecureDrop will become unreachable after an automatic reboot. An administrator will need to be on hand to enter the password in order to decrypt the disks and complete the startup process, which will occur any time there is an automatic software update, and also several times during SecureDrop’s installation. We recommend that the servers be integrated with a monitoring solution so that you receive an alert when the system becomes unavailable.

To enable FDE, select Guided - use entire disk and set up encrypted LVM during the disk partitioning step and write the changes to disk. Follow the recommendations as to choosing a strong password. As the administrator, you will be responsible for keeping this passphrase safe. Write it down somewhere and memorize it if you can. If inadvertently lost it could result in total loss of the SecureDrop system.

After selecting either of those options you may be asked a few questions about overwriting anything currently on the server you are using. Select yes. You do not need an HTTP proxy, so when asked, you can just click continue.

Finish the installation

Wait for the base system to finish installing. When you get to the Configure tasksel screen, choose No automatic updates. The subsequent SecureDrop installation will include a task that handles regular software updates.

Note

The Ansible playbooks for SecureDrop will configure automatic updates via cron-apt. As part of the automatic update process, the servers will reboot nightly. See the OSSEC guide for example notifications generated by the reboots.

When you get to the software selection screen, only choose OpenSSH server by hitting the space bar (Note: hitting enter before the space bar will force you to start the installation process over).

Once OpenSSH Server is selected, hit Continue.

You will then have to wait for the packages to finish installing.

When the packages are finished installing, Ubuntu will automatically install the bootloader (GRUB). If it asks to install the bootloader to the Master Boot Record, choose Yes. When everything is done, reboot.

You can now return to where you left off in the main SecureDrop install guide.

Save the Configurations

When you are done, make sure you save the following information:

  • The IP address of the App Server
  • The IP address of the Monitor Server
  • The non-root user’s name and password for the servers.

Test Connectivity

Now that both the network firewall and the servers are connected and configured, you should make sure you can connect from the Admin Workstation to both of the servers before continuing with the installation.

In a terminal, verify that you can SSH into both servers, authenticating with your password:

$ ssh <username>@<App IP address> hostname
app
$ ssh <username>@<Monitor IP address> hostname
mon

Tip

If you cannot connect, check the network firewall logs for clues.

Set up SSH keys

Ubuntu’s default SSH configuration authenticates users with their passwords; however, public key authentication is more secure, and once it’s set up it is also easier to use. In this section, we will create a new SSH key for authenticating to both servers. Since the Admin Live USB was set up with SSH Client Persistence, this key will be saved on the Admin Live USB and can be used in the future to authenticate to the servers in order to perform administrative tasks.

First, generate the new SSH keypair:

$ ssh-keygen -t rsa -b 4096

You’ll be asked to “enter file in which to save the key.” Press Enter to use the default location.

If you choose to passphrase-protect this key, you must use a strong, diceware-generated passphrase that you can type manually (Tails’ pinentry will not allow you to copy and paste a passphrase). It is also acceptable to leave the passphrase blank in this case.

Once the key has finished generating, you need to copy the public key to both servers. Use ssh-copy-id to copy the public key to each server, authenticating with your password:

$ ssh-copy-id <username>@<App IP address>
$ ssh-copy-id <username>@<Mon IP address>

Verify that you can authenticate to both servers with the key by running the commands below. You should not be prompted for your account password; if you are, the key was not installed correctly and ssh fell back to password authentication. You may be prompted for the key’s passphrase if you chose to set one.

$ ssh <username>@<App IP address> hostname
app
$ ssh <username>@<Monitor IP address> hostname
mon

Minor Admin Tasks

DNS

The network firewall rules block DNS traffic to the gateway, so if the system has no nameservers set, DNS queries will fail. You can test this by running host freedom.press. If the host isn’t found, or there is some other failure, check the pfSense logs. You may see UDP traffic from the server to the gateway on port 53 being blocked.

If this is the case, add the following lines to /etc/resolvconf/resolv.conf.d/tail (do not edit /etc/resolv.conf directly, as resolvconf regenerates it):

nameserver 8.8.8.8
nameserver 8.8.4.4

Then run sudo dpkg-reconfigure resolvconf. This updates /etc/resolv.conf to include the new name servers. Verify that host freedom.press now succeeds.

System Date

The Ansible playbooks you will run later depend on the system clock being accurate, so set it on both servers with ntpdate. ntpdate needs an NTP server to query, for example sudo ntpdate ntp.ubuntu.com. If it reports that no server can be used, check that the firewall allows the servers to reach the internet on UDP port 123.
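The DNS and System Date tasks above, as one added re-runnable script that is not part of the SecureDrop documentation or its playbooks. The nameserver lines are appended only if they are not already in the resolvconf tail file, so running it twice does not duplicate them, and each step reports failure instead of continuing. It assumes it runs as root on the server, and the NTP server name is an assumption to be replaced with whatever your network permits.

```bash
#!/usr/bin/env bash
# post_install_checks.sh: DNS and clock fixes from the two subsections above,
# made re-runnable.  Added example for this guide, not SecureDrop's own
# tooling.  Run as root on each server.  The NTP server name is an assumption;
# substitute whatever your network permits.
set -u

RESOLVCONF_TAIL=/etc/resolvconf/resolv.conf.d/tail
NTP_SERVER="${NTP_SERVER:-ntp.ubuntu.com}"

# Append "nameserver X" lines to a resolvconf tail file, skipping any that are
# already there, so running this twice does not duplicate entries.  Prints the
# number of lines added.
ensure_nameservers() {
    local tail_file="$1"; shift
    local ns added=0
    touch "$tail_file"
    for ns in "$@"; do
        if ! grep -qx "nameserver $ns" "$tail_file"; then
            printf 'nameserver %s\n' "$ns" >> "$tail_file"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# True if a name resolves from this host; -W bounds the wait so a blocked
# port 53 fails fast instead of hanging.
dns_works() {
    host -W 5 "${1:-freedom.press}" >/dev/null 2>&1
}

fix_dns() {
    if dns_works; then
        echo "DNS already working"
        return 0
    fi
    local n
    n=$(ensure_nameservers "$RESOLVCONF_TAIL" 8.8.8.8 8.8.4.4)
    echo "added $n nameserver line(s) to $RESOLVCONF_TAIL"
    dpkg-reconfigure resolvconf
    dns_works || { echo "DNS still failing; check the pfSense logs for blocked UDP/53" >&2; return 1; }
    echo "DNS working"
}

# ntpdate exits non-zero when no server answers (for example when the
# firewall blocks UDP/123); catching that here is cheaper than having the
# Ansible run fail on a skewed clock later.
sync_clock() {
    ntpdate "$NTP_SERVER" || { echo "clock not set; check that UDP/123 to $NTP_SERVER is allowed" >&2; return 1; }
    date -u
}

# Usage: sudo ./post_install_checks.sh --apply
if [ "${1-}" = "--apply" ]; then
    fix_dns && sync_clock
fi
```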