Linode Community Forums
Posted: Wed Aug 08, 2012 7:30 am
Senior Member | Joined: Sun Sep 05, 2010 8:55 pm | Posts: 97
obs wrote:
Assuming what I've read on this is true, it was a social engineering problem which wouldn't have been prevented by two-factor authentication.


I think the jury is out on that. What I read was "If only I had turned on two-factor ID at Gmail, the attack would have stopped there".

That assumes Google can't be socially engineered. I highly doubt that.

Posted: Thu Aug 09, 2012 6:46 pm
Senior Member | Joined: Sat Aug 30, 2008 1:55 pm | Posts: 1739 | Location: Rochester, New York
ericholtman wrote:
That assumes Google can't be socially engineered. I highly doubt that.


Ever tried to contact someone there about a problem? I think it is effectively impossible to socially engineer Google.

_________________
Code:
/* TODO: need to add signature to posts */

Posted: Mon Sep 03, 2012 4:31 am
Senior Newbie | Joined: Mon Sep 03, 2012 4:14 am | Posts: 5
I am a new customer, just logged in to the forum to post exactly about this...

I can NOT believe the whole Linode service is protected by one single password. With the config as it is now, whoever gains access to a mail address associated with a Linode gains access to the Linode dashboard! From there some bastard might screw up all our hard work of hundreds of hours, or even worse he might steal sensitive information/money, or worse still it might be a skillful hacker who deploys a rootkit.

This issue should be of TOP PRIORITY: you should enable a service to attach a cellphone number to the Linode account, and send an SMS to authenticate the login process.

Posted: Mon Sep 03, 2012 4:36 am
Senior Member | Joined: Tue Feb 19, 2008 10:55 am | Posts: 164
How could anyone gain access to your email account? You do have two-factor on your email, don't you?

Posted: Mon Sep 03, 2012 4:17 pm
Senior Newbie | Joined: Mon Sep 03, 2012 4:14 am | Posts: 5
chesty wrote:
How could anyone gain access to your email account? You do have two-factor on your email, don't you?


Yes, but I would bet that most users don't have an email with two-factor auth associated with Linode.

Posted: Fri Sep 07, 2012 12:32 am
Senior Member | Joined: Mon Jul 05, 2010 5:13 pm | Posts: 392
As the devil's advocate, the problem you've presented would not be solved:

If we added two factor authentication, then people who turn on two factor auth for the Manager are almost certainly the same people who have it for their email. The people who don't bother with it in one place are likely the same ones who don't bother with it in the other.

- Les

Posted: Mon Sep 17, 2012 11:13 am
Joined: Fri Sep 14, 2012 3:13 pm | Posts: 1
akerl wrote:
If we added two factor authentication, then people who turn on two factor auth for the Manager are almost certainly the same people who have it for their email. The people who don't bother with it in one place are likely the same ones who don't bother with it in the other.


With respect, getting access to the Linode Manager would be catastrophic regardless of how I set up my email. I have backups enabled on my production linodes. An unauthorized user could very easily create a new linode and restore the backup(s) to that new linode. They would then have access to everything I have in production: databases, code, users, passwords, etc.

As a simple two-factor implementation, Linode could easily integrate with Twilio and send a unique code via text message at login to a preconfigured mobile device. I would gladly pay $5/mo (hell, $50/mo) for that added security.

This, in my opinion, is urgent. I've been doing systems administration for a long time, and I've seen two-factor ignored every time until something horrible happens. Please, please, please do the right thing before it becomes an issue.

Posted: Wed Nov 28, 2012 3:09 pm
Joined: Wed Nov 28, 2012 3:07 pm | Posts: 1
Please please please implement this.

Posted: Wed Nov 28, 2012 4:39 pm
Senior Member | Joined: Sun Dec 27, 2009 11:12 pm | Posts: 1038 | Location: Colorado, USA
I'm confused - is the sky falling or not?

Will one of you Chicken Littles please explain it (using short simple words).

_________________
Either provide enough details for people to help, or sit back and listen to the crickets chirp.
Security thru obscurity is a myth - and really really annoying.

Posted: Sun Jan 06, 2013 4:21 pm
Senior Newbie | Joined: Wed Feb 29, 2012 7:49 pm | Posts: 11
In the Linode Guides there is strong emphasis placed on key-pair authentication over passwords. Great advice, but your system of Linodes is only as strong as its weakest link, and that is the Linode Manager - a single password-based access point to EVERYTHING. Strengthening the security on all machines in your account is akin to placing a huge lock on a flimsy door, a.k.a. a waste of time.

I strongly agree with everyone pressing for stronger protection on the Linode Manager. It is sorely lacking.

Posted: Mon Jan 07, 2013 9:50 pm
Junior Member | Joined: Sun Feb 14, 2010 5:40 pm | Posts: 28
Bah.

Posted: Tue Mar 05, 2013 9:50 am
Senior Newbie | Joined: Mon Jan 14, 2013 4:18 am | Posts: 11
Just want to +100 this. It really renders any OS level hardening we do on the VPSs rather pointless when the back door is a simple password system.

Posted: Tue Mar 05, 2013 10:08 am
Junior Member | Joined: Tue Mar 05, 2013 10:06 am | Posts: 20
I would love to see this as well. I use two-factor auth with Google for my email and my SSH access to my Linode. I also use DuoSecurity for two-factor auth to my RDP on my home computer. Linode should at least offer it IMO.

That being said, limiting access to the Linode Manager based on IP is still a great way to help protect yourself.

Posted: Tue Mar 05, 2013 11:40 pm
Senior Member | Joined: Tue Feb 19, 2008 10:55 am | Posts: 164
Two-factor on the web site wouldn't make a difference, because you can control nodes via the API.
You can't turn the API off either, because you can create an API key through the API using a username/password.

However, you can protect yourself by using full disk encryption: if someone does get into your account via the website or API, rebooting the node won't help them because it needs a password to boot. Linode could help here by making this easier for us, but it's doable now without Linode's help.

So DrJ, do you have FDE?

Posted: Wed Mar 06, 2013 5:50 am
Senior Newbie | Joined: Mon Jan 14, 2013 4:18 am | Posts: 11
@Chesty, IMO there should be an option to disable generation of API keys via the API itself (from a simple username/password) (why would anyone need to do this anyway? I don't know of any other web API that operates like this). I don't really think we should be having to resort to workarounds like FDE to ensure a fairly basic level of security.

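Modelling the thread's two concerns together, as an added example that is not Linode's code: a one-time code on the Manager login (the SMS proposal above) is only as strong as the API path chesty describes, which mints a key from a username/password alone. The `Account` class, the RFC 6238 `totp()` helper and the `mfa_on_api_keys` switch are assumptions for illustration; the switch stands in for DrJ's suggestion of refusing password-only key creation, here by requiring the second factor on that path too.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional

# Added example (not Linode's code): a web login with a second factor beside an API that issues keys.
def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time-step containing `now`."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

class Account:
    """Hypothetical manager account: a web login plus an API that issues keys."""
    def __init__(self, password: str, otp_secret: bytes, mfa_on_api_keys: bool):
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._hash(password)
        self._otp_secret = otp_secret
        self.mfa_on_api_keys = mfa_on_api_keys  # the policy switch under discussion
        self._api_keys = set()

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 50_000)

    def _password_ok(self, password: str) -> bool:
        return hmac.compare_digest(self._hash(password), self._pw_hash)

    def _otp_ok(self, code: Optional[str], now: int) -> bool:
        # Accept the current step and one on either side to tolerate clock drift.
        return code is not None and any(
            hmac.compare_digest(totp(self._otp_secret, now + d), code) for d in (-30, 0, 30))

    def web_login(self, password: str, code: Optional[str], now: int) -> bool:
        return self._password_ok(password) and self._otp_ok(code, now)

    def api_create_key(self, password: str, code: Optional[str], now: int) -> Optional[str]:
        # With mfa_on_api_keys=False the password alone mints a key (the gap chesty describes).
        if not self._password_ok(password):
            return None
        if self.mfa_on_api_keys and not self._otp_ok(code, now):
            return None
        key = secrets.token_hex(16)
        self._api_keys.add(key)
        return key

    def api_reboot_node(self, key: str) -> bool:
        # Any valid key controls the nodes, exactly as a web session would.
        return key in self._api_keys
```

With the switch off, a stolen password is enough to mint a key and act on the nodes even though the web login itself rejects it; with the switch on, both paths demand the code.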