Linode Cloud Manager Security Controls

Written and updated by Linode


The Linode Cloud Manager is the gateway to all of your Linode products and services, and you should take steps to protect it from unauthorized access.


This guide documents several of the Linode Cloud Manager’s features that can help mitigate your risk. Whether you’re worried about malicious users gaining access to your username and password, or authorized users abusing their access privileges, the Linode Cloud Manager’s built-in security tools can help.

Start by enabling two-factor authentication to protect your account with a physical token, and then configure security event notifications for your Linode account. You’ll also learn how to control API access, configure user accounts, and force password expirations.

Two-Factor Authentication

Two-factor authentication increases the security of your Linode account by requiring two forms of authentication: something you have, and something you know. You’re already familiar with this concept if you’ve ever used a debit card at an ATM. The debit card is something you have, and the PIN access code is something you know. You need both the debit card and the PIN to access your bank account.

Diagram of two-factor authentication with SSH login.

If you enable this optional feature in the Linode Cloud Manager, you’ll access your Linode account using your smartphone as a physical token in addition to your username and password. This additional layer of security reduces the risk that an unauthorized individual will gain access to your Linode account.

Select a Token Application

Before you enable two-factor authentication in the Cloud Manager, select a token application for your smartphone. This guide will use Authy as an example, but you can use any application that supports the Time-based One-Time Password (TOTP) algorithm. For example, you can use any of the following applications:

Install one of these applications on your smartphone before continuing.

Authy stores your authentication tokens (hashed for security) on their servers. This makes it possible for them to support backing up and restoring tokens, as well as making it easy to switch devices. However, some users may not be comfortable storing sensitive information in the cloud; for these users, Google Authenticator is a better choice, as the authentication keys are only stored locally.

Enable Two-Factor Authentication

Enable two-factor authentication to start using it with your Linode account.

  1. Log in to the Linode Cloud Manager.
  2. Select the My Profile link by clicking on your username at the top of the page:

Select 'My Profile'

  3. Select the Password & Authentication tab.
  4. In the Two-Factor Authentication (TFA) section, toggle the Disabled switch so that it reads Enabled to enable Two-Factor Authentication.
  5. A new form (depicted below) will appear. Write down the Secret Key and store it in a safe place:

    The key and QR code for two-factor authentication.

  6. On your smartphone, open Authy.

  7. Tap Add Account.

  8. Tap SCAN QR CODE.

  9. Point your device’s camera at the QR code on your computer screen. The app automatically creates a new token for your Cloud Manager login, labeled LinodeManager:user. Change the account name if necessary, and press Done.

  10. In the Token field of the Two-Factor Authentication form, enter the Linode Token, and click Save.

That’s it! You’ve successfully enabled two-factor authentication and set up token generation on your smartphone.

Log in with Two-Factor Authentication

Now that you have set up two-factor authentication for your account, you’ll need to have your token available whenever you log in to your account. Here’s how to log in to the Linode Cloud Manager with two-factor authentication enabled:

  1. Open the Linode Cloud Manager in your web browser.

  2. On your smartphone, open Authy, and then select your LinodeManager:user account.

  3. In your web browser, enter your username and password and click Log in. The webpage shown below appears.

    Enter your token.

  4. Enter your token, and then click Authenticate. Checking the box below the authentication option will add your computer to the trusted computer list for 30 days, and generate a confirmation email to the address on file for your account.

You have successfully logged in to the Linode Cloud Manager using two-factor authentication.

Generate a New Key

The Linode Cloud Manager allows you to generate a new secret key for your two-factor authentication token device. This is a good way to start using a new smartphone as your two-factor token device. Here’s how to generate a new secret key:

  1. Log in to the Linode Cloud Manager.
  2. Select the My Profile link by clicking on your username at the top of the page:

Select 'My Profile'

  3. Select the Password & Authentication tab.
  4. In the Two-Factor Authentication (TFA) section, click Reset two-factor authentication, as shown below.

    Reset two-factor authentication.

A new secret key and QR code will be generated for your account and displayed on the screen. Follow the instructions in the Enable Two-Factor Authentication section to add the new key to your smartphone.

Disable Two-Factor Authentication

You can disable two-factor authentication for your Linode account at any time. Here’s how:

  1. Log in to the Linode Cloud Manager.
  2. Select the My Profile link by clicking on your username at the top of the page:

Select 'My Profile'

  3. Select the Password & Authentication tab.
  4. In the Two-Factor Authentication (TFA) section, toggle the Enabled switch to disable two-factor authentication.
  5. A confirmation window appears asking if you want to disable two-factor authentication. Click Disable Two-Factor Authentication.

You have successfully disabled the two-factor authentication feature for your Linode Cloud Manager account.

Recovery Procedure

If you lose your token and get locked out of the Manager, email [email protected] to regain access to your account.

Should you need us to disable your Two-Factor Authentication, the following information is required:

  1. An image of the front and back of the payment card currently associated with your account, which clearly shows the last 6 digits, expiration date, and cardholder name.
  2. An image of the front and back of a matching government-issued photo ID.

Manage Trusted Devices

Whenever you log into the Cloud Manager from a new device or computer, you can choose to Trust this computer for 30 days. This means your device will not be prompted for a username or password for 30 days. The Cloud Manager displays a list of all trusted devices for your account and gives you the ability to untrust any device on the list. Your account’s associated email address will also be notified whenever a new device is trusted. To view and manage your account’s trusted devices:

  1. Log in to the Linode Cloud Manager.
  2. Select the My Profile link by clicking on your username at the top of the page:

    Select 'My Profile'

  3. Select the Password & Authentication tab and navigate to the Trusted Devices section.

    View trusted devices

    You can view all your account’s trusted devices and untrust any device as needed. Any device that is untrusted will be prompted to re-enter its username and password when attempting to log into your Cloud Manager account.

API Access

The Linode API is a programmatic interface for many of the features available in the Cloud Manager. It’s an indispensable tool for developers, but it’s also a potential attack vector. For this reason, the Linode Cloud Manager provides two security controls for your account’s API key. First, you can generate a new API key if you suspect that your existing key has been compromised. And if you’re not using the API key, you can remove access to it altogether.

For details on generating and removing API keys, please see the API Key article.

Next Steps

If you’ve completed this guide, you’ve proactively taken steps to protect your Linode account. There are a couple of other steps that some users should take to secure their Linode accounts. Take some time and work through the following action items outlined in our other guides.

Configure User Accounts

Organizations that have multiple individuals accessing the same Cloud Manager account should create separate user accounts for each individual. Once you’ve created the accounts, you can assign permissions to restrict access to certain areas of the control panel. This is useful for groups that need to grant all team members access to the Cloud Manager, or organizations that just want their billing department to have a separate account to receive invoices and billing information. For more information, see our guide on Accounts and Passwords.


This guide is published under a CC BY-ND 4.0 license.