Test the Installation¶
SSH to both servers over Tor¶
On the Admin Workstation, you should be able to SSH to the App Server and the Monitor Server.
ssh app ssh mon
The SSH aliases should have been configured automatically by running
./securedrop-admin tailsconfig tool. If you’re unable to connect via aliases,
try using the verbose command format to troubleshoot:
ssh <username>@<app .onion> ssh <username>@<mon .onion>
You can find the Onion URLs for SSH in
mon-ssh-aths inside the
Log in to both servers via TTY¶
All access to the SecureDrop servers should be performed over SSH from the Admin Workstation. To aid in troubleshooting, physical logins via TTY are supported, but require 2FA to be configured. See the 2FA setup guide for information how to enable console logins.
Test the 2FA functionality by connecting a keyboard and display to each server, then login with the Admin username. You will need:
- sudo passphrase for the Admin username
- TOTP code from a 2FA app such as Google Authenticator or FreeOTP
Confirm that logging in via TTY prompts for a 2FA code, and that the code generated by your smartphone app permits logging in to an interactive shell.
Sanity-check the install¶
On each server:
- Check that you can execute privileged commands by running
- Verify that you are booted into a grsec kernel: run
uname -rand verify that the name of the running kernel ends with
- Check the current applied iptables rules with
iptables-save. It should output approximately 50 lines.
- You should have received an email alert from OSSEC when it first started. If not, review our OSSEC Alerts Guide.
On the Application Server:
- Check the AppArmor status with
sudo aa-status. On a production instance all profiles should be in enforce mode.
Test the web interfaces¶
- Make sure the Source Interface is available, and that you can make a
- Do this by opening the Tor Browser and navigating to the onion
app-source-ths. Proceed through the codename generation (copy this down somewhere) and you can submit a message or attach any random unimportant file.
- Usage of the Source Interface is covered by our Source User Manual.
- Do this by opening the Tor Browser and navigating to the onion URL from
- Test that you can access the Journalist Interface, and that you can log
in as the admin user you just created.
- Open the Tor Browser and navigate to the onion URL from app-journalist-aths. Enter your passphrase and two-factor authentication code to log in.
- If you have problems logging in to the Admin/Journalist Interface,
SSH to the Application Server and restart the ntp daemon to synchronize
sudo service ntp restart. Also check that your smartphone’s time is accurate and set to network time in its device settings.
- Test replying to the test submission.
- While logged in as an admin, you can send a reply to the test source submission you made earlier.
- Usage of the Journalist Interface is covered by our Journalist User Manual.
- Test that the source received the reply.
- Within Tor Browser, navigate back to the app-source-ths URL and use your previous test source codename to log in (or reload the page if it’s still open) and check that the reply you just made is present.
- We highly recommend that you create persistent bookmarks for the Source and Journalist Interface addresses within Tor Browser.
- Remove the test submissions you made prior to putting SecureDrop to real use. On the main Journalist Interface page, select all sources and click ‘Delete selected’.
Once you’ve tested the installation and verified that everything is working, see How to Use SecureDrop.