How do I secure my Linode account?
There are a few things that you can do to secure your Linode account.
2FA or Two-Factor Authentication
Two-factor authentication increases the security of your Linode Manager account by requiring two forms of authentication: something you have, and something you know. You’re already familiar with this concept if you’ve ever used a debit card at an ATM. The debit card is something you have, and the PIN access code is something you know. You need both the debit card and the PIN to access your bank account.
IP Address Whitelisting
The IP Address Whitelist feature protects your Linode Manager account from unauthorized access attempts by accepting connections only from the IP addresses you specify. It’s easy to use. Just enable the feature, add your IP address, and log in. If you ever attempt to log in from an IP address that is not on the whitelist, you’ll receive an email notification — you can click the link in the email message to add the new IP address to the whitelist.
Security Event Notifications
By default, the Linode Manager automatically notifies you via email when any Linode jobs are added to the Host Job Queue. Referred to as event notifications, this security control can help you monitor your Linode Manager account’s activity. You can also subscribe to an RSS feed, or disable email event notifications entirely. This section shows you how to configure event notifications.
Force Password Expirations
Some organizations have policies that require users to change their passwords every so often. The Linode Manager can be configured to force users to change their passwords every 1, 3, 6, or 12 months.
For more information on how to setup these features on your account, please see our full guide on this topic.
I'd like to make an update to the above information -
IP Whitelisting is no longer a feature of the Cloud Manager or Linode API. This feature has been deprecated as of May 2019.
A few additional measures have since been implemented to further keep your account secure since that time. We have implemented features that will prompt you to enter a One Time Passcode when logging in from an untrusted device, a new IP address, or after a period of inactivity on your account to reduce the likelihood of a compromise, even if someone had access to your credentials.
One of the best measures to use is still, in my opinion, Two Factor Authentication as this will greatly reduce the ability for someone to gain unauthorized access to your account. 2FA also will allow you to bypass the OTP codes when signing yourself in from new devices.
I'd like to make another update and provide our most recent Community Post on how you can further secure your account: