Updated Mar 1, 2026
1. What Is Brute Force Monitor (BFM)?
Brute Force Monitor was introduced in DirectAdmin version 1.25.5. Initially, it only monitored login attempts on port 2222, but it has evolved into a powerful multi-service security system.
1.1 What BFM Can Do
- Detect and block failed login attempts to DirectAdmin (port 2222)
- Full integration with CSF Firewall (since version 1.61.0)
- Scan logs of multiple services for brute force attacks:
  - Apache
  - Dovecot
  - Exim
  - ProFTPD / Pure-FTPd
  - SSHd
  - Roundcube
  - SquirrelMail
  - phpMyAdmin
- Detect WordPress-specific attacks:
  - wp-login.php
  - xmlrpc.php
- Automatic log rotation to prevent disk overuse
- Notifications via:
  - DirectAdmin Message System
  - Email alerts
- Whitelist / Blacklist management
- Custom hook scripts for advanced automation
2. Enabling and Configuring BFM with IP Blocking (Recommended)
BFM can detect attacks on its own, but to actually block IPs, you need a firewall—preferably CSF/LFD.
2.1 Method 1: Fresh Installation with CSF Enabled
If CSF was not disabled during CustomBuild installation, DirectAdmin automatically installs and integrates CSF with BFM.
2.2 Method 2: Installing CSF on an Existing Server
- Install CSF:
da build set csf yes
da build csf
- Ensure SSH access is open (keep a second terminal active).
- Edit /etc/csf/csf.conf and change:
TESTING = "1"
to:
TESTING = "0"
Restart CSF:
csf -ra
- Check DirectAdmin version (must be 1.61.0+):
/usr/local/directadmin/directadmin version
- Remove old hook scripts if they exist:
rm -f /usr/local/directadmin/scripts/custom/block_ip.sh
rm -f /usr/local/directadmin/scripts/custom/brute_force_notice_ip.sh
rm -f /usr/local/directadmin/scripts/custom/show_blocked_ips.sh
rm -f /usr/local/directadmin/scripts/custom/unblock_ip.sh
rm -f /root/blocked_ips.txt
rm -f /root/exempt_ips.txt
---
3. Recommended BFM Settings
Go to:
Admin Level → Admin Settings → Security Tab
Recommended configuration:
| Panel Setting | Recommended Value | directadmin.conf Key | Description |
|---|---|---|---|
| Blacklist IPs for excessive login attempts | Enabled | bruteforce=1 | Enable BFM |
| Blacklist IPs after X failed DA logins | 10–20 | brutecount=20 | Failed login threshold |
| Blacklist IPs after XXX unauthorized connections | 100 | brute_dos_count=100 | Unauthorized requests threshold |
| Prevent 127.0.0.1 from being blacklisted | Enabled | exempt_local_block=1 | Protect localhost |
| Time before failed login count resets | 1200 seconds | brute_force_time_limit=1200 | Reset timer |
| Remove IP from blacklist after X minutes | 0 or 1440 | clear_blacklist_ip_time=0 | Auto-unblock time |
| Parse service logs for brute force attacks | Enabled | brute_force_log_scanner=1 | Scan all service logs |
| Notify Admins after an IP has X login failures | 100 | user_brutecount=100 | IP-based threshold |
| Notify Admins after a User has X failures from IP | 100 | ip_brutecount=100 | User-based threshold |
| Scan for WordPress attacks | Enabled | brute_force_scan_apache_logs=1 or 2 | Scan wp-login.php & xmlrpc.php |
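
The table above can be checked mechanically. The following is an added example, not part of the original article or of DirectAdmin: a POSIX shell audit that compares a directadmin.conf with the recommended values and reports every key that differs or is not set. The function names `bfm_audit` and `value_ok` and the rule format are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not DirectAdmin code): audit directadmin.conf against the table above.
# Rule format is key:allowed, where allowed is "a|b" alternatives or a "lo-hi" range.
BFM_RULES='bruteforce:1
brutecount:10-20
brute_dos_count:100
exempt_local_block:1
brute_force_time_limit:1200
clear_blacklist_ip_time:0|1440
brute_force_log_scanner:1
user_brutecount:100
ip_brutecount:100
brute_force_scan_apache_logs:1|2'

# value_ok VALUE ALLOWED -> exit 0 when VALUE satisfies the rule.
value_ok() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac   # every value in the table is numeric
    case $2 in
        *-*) [ "$1" -ge "${2%-*}" ] && [ "$1" -le "${2#*-}" ] ;;
        *)   case "|$2|" in *"|$1|"*) return 0 ;; esac; return 1 ;;
    esac
}

# bfm_audit CONF -> prints one line per deviation; exit 0 only if none found.
bfm_audit() {
    conf=$1; bad=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    while IFS=: read -r key allowed; do
        # Last assignment wins; tolerate spaces around "=" and CRLF line endings.
        val=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$conf" |
              tail -n 1 | tr -d '[:space:]')
        if [ -z "$val" ]; then
            echo "UNSET    $key (recommended: $allowed)"; bad=1
        elif ! value_ok "$val" "$allowed"; then
            echo "DIFFERS  $key=$val (recommended: $allowed)"; bad=1
        fi
    done <<EOF
$BFM_RULES
EOF
    return "$bad"
}

# Constructed sample (not from a real server): two values deviate, most keys are unset.
sample=$(mktemp)
printf 'bruteforce=0\nbrutecount = 15\nclear_blacklist_ip_time=1440\nip_brutecount=500\n' > "$sample"
bfm_audit "$sample" || echo "deviations found"
rm -f "$sample"
```

The audit only reads the file. On a server, pass it /usr/local/directadmin/conf/directadmin.conf; a key reported as UNSET is absent from the file, so whatever default DirectAdmin applies is in effect.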
4. Important Files and Troubleshooting
4.1 Key BFM Files
Located in /usr/local/directadmin/data/admin/:
- ip_blacklist – blocked IPs
- ip_whitelist – exempt IPs
- brute_skip.list – IPs ignored by BFM
- brute_log_entries.list – attack logs
- brute_user.data – user attempt counters
- brute_ip.data – IP attempt counters
4.2 If Brute Force Monitor Page Times Out
This happens when brute_log_entries.list has grown too large. Keep a backup and trim the live file to its last 1000 lines:
cd /usr/local/directadmin/data/admin
mv brute_log_entries.list brute_log_entries.list.backup
tail -n 1000 brute_log_entries.list.backup > brute_log_entries.list
chown diradmin:diradmin brute_log_entries.list
4.3 Hide Brute Force Notifications
Add to directadmin.conf:
hide_brute_force_notifications=1
Or send only email notifications:
brute_force_notifications_email_only=1
4.4 Customizing BFM Filters
Default filters:
/usr/local/directadmin/data/templates/brute_filter.list
Custom filters:
/usr/local/directadmin/data/templates/custom/brute_filter.list
Written & researched by Dr. Shahin Siami