How to Keep Your Linode Account Safe

Updated by Linode Written by Linode

Contribute on GitHub

Report an Issue | View File | Edit File

The Linode Manager is the gateway to your Linode products and services, and you should take steps to protect it from unauthorized access. Linode supports and recommends implementing the following security measures:

  1. Enable two-factor authentication.

  2. Enable IP whitelisting.

  3. Configure and monitor event notifications.

These measures make it much more difficult for someone else to log in to your account without your knowledge. However, you should also take steps to make sure you don’t accidentally lock yourself out of your account, too. Here are a few things you can do to minimize the chance of that happening:

  1. Record a scratch code for your two-factor authentication.

  2. Create a backup user that you can log in to your Linode account with in addition to your primary user.

  3. Be aware of the documentation that Linode requires in case you are otherwise unable to access to your account.

The following sections describe these measures in more detail.

Note
These measures describe security controls for the Linode Manager and API, which are distinct from the authorization protocols for your individual servers. If you are collaborating with other people to work on your services, or if you are concerned about unauthorized access to your Linodes, review the Create an Account for a Developer to Work on Your Linode guide for more on how to control access to your servers.

Two-Factor Authentication

Two-factor authentication (2FA) increases the security of your account by requiring two forms of authentication: something you have, and something you know. You’re already familiar with this concept if you’ve ever used a debit card at an ATM. The debit card is something you have, and the PIN access code is something you know. You need both the debit card and the PIN to access your bank account.

In this analogy, your card’s PIN is akin to your Linode account’s password, and your debit card is like your 2FA code. Your 2FA code is provided by a two-factor authorization application that supports the Time-based One-Time Password (TOTP) algorithm. You generally install a 2FA app on your phone so that it’s always handy. Under TOTP, your 2FA app will provide a code that is valid for only a short amount of time, after which a new code is generated.

Two Factor Authentication Diagram

Enable Two-Factor Authentication

  1. Install an OTP generation app on your smartphone or tablet. For example, you can use any of the following applications:

  2. Click the my profile link at the top right corner of the Linode Manager.

  3. Re-authenticate using your Linode user’s password.

  4. From the Password & Authentication page of the Linode Manager, click Enable Two-Factor Authentication.

  5. You’ll then be shown a secret key and a QR code. The key will be shown only once. Do not refresh this page until you have configured a 2FA app on your phone. Write down the secret key and store it in a safe place. If you get locked out of your account, contact support to regain access.

  6. Open your phone’s 2FA app and add a new account.

  7. Scan the QR code shown in the Linode Manager. Your 2FA app will create a new login token labeled LinodeManager:user.

  8. Enter the token from your 2FA app in the Generated Token field of the page above. Click Confirm my token, and enable two-factor auth!

  9. Note the scratch code and store it in a secure place. This is important. You will use this code if your 2FA device is not available.

Log in with Two-Factor Authentication

  1. Open the Linode Manager in your web browser and log in as normal using your username and password. The authentication code text field will then appear.

  2. Open the 2FA app on your smartphone, then select your LinodeManager:user account.

  3. Enter the 2FA token from your phone and click Authenticate. Checking the box below the authentication option will add your computer to the trusted computer list for 30 days and generate a confirmation email to the address on file for your account.

Record Your Scratch Code

In the event that your smartphone is unavailable or your secret key is lost, you can use a one-time scratch code to log back in to the Linode Manager and regenerate the key. Scratch codes are disabled by default. We highly recommend you generate a scratch code and store it somewhere accessible and secure.

  1. Return to the Password & Authentication tab in the Linode Manager and click the generate link to create a scratch code.

  2. A pop-up will appear asking you to confirm the action. Click OK.

  3. The scratch code will then be shown. This code will be displayed only once–copy or write it down and store it somewhere safe.

Generate a New Key

The Linode Manager allows you to generate a new secret key for your two-factor authentication device. This is useful if you buy a new phone or otherwise need to set up a new 2FA app. To generate a new secret key:

  1. Return to the Password & Authentication tab.

  2. In the Two-Factor Authentication section, click Regenerate Secret Key.

  3. A new secret key and barcode will be generated for your account and displayed on the screen. Follow the instructions in the Enabling Two-Factor Authentication section to add the new key to your smartphone.

Disable Two-Factor Authentication

You can disable two-factor authentication for your Linode Manager account at any time.

  1. Return to the Password & Authentication tab.

  2. In the Two-Factor Authentication section, select Disable.

  3. A confirmation window appears asking if you want to disable two-factor authentication. Click OK.

Recovery Procedure

If you lose your token and get locked out of the Linode Manager, email support@linode.com to regain access to your account. Should you need us to disable your Two-Factor Authentication, the following information is required:

  1. An image of the front and back of the payment card currently associated with your account, which clearly shows the last 6 digits, expiration date, and cardholder name.
  2. An image of the front and back of a matching government-issued photo ID.

IP Address Whitelisting

IP address whitelisting restricts access to the Linode Manager to a set of IPs that you specify.

Enable Whitelisting

  1. Find and write down the IP address and netmask assigned to you by your ISP. They will usually be given on a statistics or dashboard page of your home router’s admin panel.

  2. Click the my profile link at the top right corner of the Linode Manager.

  3. Re-authenticate using your Linode user’s password.

  4. Go to the Password & Authentication tab of the Linode Manager.

  5. In the Account Security section, select ENABLED - Alerts will be sent and whitelisting will be enforced from the Status menu.

  6. Click Save security setting. The IP address whitelist feature will be enabled.

  7. Click Edit Whitelist to add your IP address.

  8. Enter your IP address and netmask, then click Add IP. You can add as many IP addresses as you want.

Add Additional IP Addresses Remotely

If you need to log in to the Manager from a new location:

  1. Attempt to log in to the Linode Manager from the new IP address, which will trigger an email notification from Linode which describes this login.

  2. This email includes a link which whitelists the new IP. Click the link to add it to your whitelist.

  3. Attempt your Linode Manager login again, which should now be successful.

Disable Whitelisting

  1. Return to the Password & Authentication tab.

  2. In the Account Security section, select DISABLED - No alerts will be sent and whitelisting will not be required from the Status menu.

  3. Click Save security setting.

Linode Event Notifications

By default, the Linode Manager automatically sends event notifications via email when any jobs are added to the Host Job Queue of one of your Linodes. Monitoring these emails will help you detect potential unusual activity on your servers, which could be a sign of an unauthorized login. You can also subscribe to an RSS feed of these notifications.

To review your event notification settings:

  1. Click the my profile link at the top right corner of the Linode Manager.

  2. Re-authenticate using your Linode user’s password.

  3. Go to the Notifications tab.

  4. The Events Email Notifications label will show whether email notifications are enabled or disabled. Click the Toggle Event Email Notifications button to adjust this setting.

RSS

The URL for your event notifications RSS feed is displayed in the Notifications tab. To regenerate the URL for the RSS feed, click the Generate a new RSS key button. If you regenerated the URL for the RSS feed, you will need to update it in your RSS reader.

Create a Backup User

Creating a second user on your account will allow you to log in to your account if you are locked out of your first user. For example, if the email address that your first user is associated with becomes inaccessible for any reason, then you will not be able to receive password reset and other notification emails from Linode for that user. In this situation, having a second user associated with a different email address is useful. In particular, it’s recommended that you use an email under a different domain, in case your first email’s domain is facing service or DNS issues.

This backup user should be created with unrestricted permissions so that you can fully administer your account from it. The Accounts and Passwords guide provides more information on creating a second user. It is recommended that you also enable this guide’s security measures for this backup user.

Other Security Measures

Configure Users for Other Team Members

If you have multiple individuals accessing the same Linode account, you should create separate user accounts for each individual. Once you’ve created the accounts, you can assign permissions to restrict access to certain areas of the control panel.

This is useful for groups that need to grant all team members access to the Linode Manager, or perhaps if you just want the billing department to have a separate account to receive invoices and billing information. The Accounts and Passwords guide provides more information on user creation and permissions. The Create an Account for a Developer to Work on Your Linode guide is also available and describes best practices when hiring a developer.

API Access

The Linode API is a programmatic interface for many of the features available in the Linode Manager. For this reason, the Linode Manager provides two security controls for your account’s API key. First, you can generate a new API key if you suspect that your existing key has been compromised. And if you’re not using the API key, you can remove access to it altogether.

See the API Key article for details.

Force Password Expirations

Your company’s policy may require users to change their passwords after a fixed interval of time. The Linode Manager can be configured to require password resets every 1, 3, 6, or 12 months. For more information, see the documentation on Passwords in the Linode Manager.

Join our Community

Find answers, ask questions, and help others.

comments powered by Disqus

This guide is published under a CC BY-ND 4.0 license.