Test the Installation

Test connectivity

SSH to both servers over Tor

On the Admin Workstation, you should be able to SSH to the App Server and the Monitor Server.

ssh app
ssh mon

The SSH aliases should have been configured automatically by running the ./securedrop-admin tailsconfig tool. If you’re unable to connect via aliases, try using the verbose command format to troubleshoot:

ssh <username>@<app .onion>
ssh <username>@<mon .onion>

Tip

You can find the Onion URLs for SSH in app-ssh-aths and mon-ssh-aths inside the install_files/ansible-base directory.

Log in to both servers via TTY

All access to the SecureDrop servers should be performed over SSH from the Admin Workstation. To aid in troubleshooting, physical logins via TTY are supported, but require 2FA to be configured. See the 2FA setup guide for information how to enable console logins.

Test the 2FA functionality by connecting a keyboard and display to each server, then login with the Admin username. You will need:

  • sudo password for the Admin username
  • TOTP code from a 2FA app such as Google Authenticator or FreeOTP

Confirm that logging in via TTY prompts for a 2FA code, and that the code generated by your smartphone app permits logging in to an interactive shell.

Sanity-check the install

On each server:

  1. Check that you can execute privileged commands by running sudo su.
  2. Verify that you are booted into a grsec kernel: run uname -r and verify that the name of the running kernel ends with -grsec.
  3. Check the AppArmor status with sudo aa-status. On a production instance all profiles should be in enforce mode.
  4. Check the current applied iptables rules with iptables-save. It should output approximately 50 lines.
  5. You should have received an email alert from OSSEC when it first started. If not, review our OSSEC Alerts Guide.

Test the web interfaces

  1. Make sure the Source Interface is available, and that you can make a submission.
    • Do this by opening the Tor Browser and navigating to the onion URL from app-source-ths. Proceed through the codename generation (copy this down somewhere) and you can submit a message or attach any random unimportant file.
    • Usage of the Source Interface is covered by our Source User Manual.
  2. Test that you can access the Journalist Interface, and that you can log in as the admin user you just created.
    • Open the Tor Browser and navigate to the onion URL from app-journalist-aths. Enter your password and two-factor authentication code to log in.
    • If you have problems logging in to the Admin/Journalist Interface, SSH to the Application Server and restart the ntp daemon to synchronize the time: sudo service ntp restart. Also check that your smartphone’s time is accurate and set to network time in its device settings.
  3. Test replying to the test submission.
    • While logged in as an admin, you can send a reply to the test source submission you made earlier.
    • Usage of the Journalist Interface is covered by our Journalist User Manual.
  4. Test that the source received the reply.
    • Within Tor Browser, navigate back to the app-source-ths URL and use your previous test source codename to log in (or reload the page if it’s still open) and check that the reply you just made is present.
  5. We highly recommend that you create persistent bookmarks for the Source and Journalist Interface addresses within Tor Browser.
  6. Remove the test submissions you made prior to putting SecureDrop to real use. On the main Journalist Interface page, select all sources and click ‘Delete selected’.

Once you’ve tested the installation and verified that everything is working, see How to Use SecureDrop.