How to Further Secure your Linode Account
How can I further secure my Linode account beyond a complicated password and monitor it for any suspicious activity?
✓ Best Answer
Securing Your Account
You can utilize various security measures to protect your user account against unauthorized access as well as recover from a potential compromise. This community post will walk you through the many features we have available for securing your account, including 2FA, security questions, phone verification, and your Cloud Manager's Login History.
2FA is essential to securing your account because it acts as a second layer of security when your password may be compromised. If a password is hacked, guessed, or even phished, that's no longer enough to give an intruder access; a standalone password would be useless if there's a second layer of protection enabled.
2FA increases the security of your Linode account by requiring two forms of authentication: your password and an expiring token, also called a one-time passcode (OTP) or 2FA code. This follows the security principle of authenticating with something you know (a password) and something you have (the device used to generate the token).
Having 2FA enabled is also beneficial since it will allow you to bypass having a One-Time Passcode sent to the email address associated with your user account if you have not logged in within 90 days. More information regarding your login OTP can be found here.
Security questions provide our team with a secure method of verifying your identity as the owner of a user account. You can configure three security questions on your user account, which can be used to help you regain access to your account in certain situations, such as when 2FA is enabled and you no longer have access to the token or recovery codes. When configuring a security question, choose answers that cannot be easily guessed or discoverable through research.
Our team can securely verify your access to a user account using a verified phone number on file. This phone number is only ever used to verify your identity when attempting to authenticate to a user account when contacting Linode Support.
If you receive a verification SMS without contacting us, do not pass along the verification code to anyone. As a precautionary measure, you may want to change your password and enable 2FA. You may even want to update your username to prevent further unauthorized access to your account.
Monitoring Any Suspicious Activity on Your Account
If you notice any suspicious activity on your account, such as receiving emails about account information being updated or Linode email alerts regarding unfamiliar/unauthorized events, you may want to utilize the following tools:
Our Login History tool in Cloud Manager allows you to see any login attempts on your account over the last 90 days. This tool will allow you to see the dates, source IP address, and whether the login attempt was successful or not for a particular user.
By default, activities that occur on an account or to a particular service are logged as events. These events include services being created (or deleted), a change in a Linode's power state (such as powering off or rebooting), and many other actions. All events are stored to an account for 90 days.
What should you do if you think your account has been compromised/"hacked"?
If you notice that a new service was deployed without your authorization via our Security Event Notifications, or if you find unfamiliar failed login attempts through our Login History tool, you'll want to reach out to Linode Support and inform them that you've noticed suspicious activity on your account. Our support team can then investigate further and take the proper measures to restrict your account to prevent any new service deployments as well as any charges to your payment method(s). Next, you'll want to perform the following actions to negate any future compromises:
Confirm that Billing and Contact information on your account is correct.
Confirm that you have audited all services on your account and that any fraudulent services have been removed.
Confirm that you have audited any API tokens or Object Storage access keys which could be used to access your account.
While 2FA is not required, we still highly recommend that you enable it to ensure that your account is secure:
- Enable two-factor authentication for all users.