LogoفارسیFA

DirectAdmin Security and Advanced Features

DirectAdmin is one of the most secure and flexible hosting control panels available. This guide covers essential security features including SSL on port 2222, Login Keys, Two-Factor Authentication, Security Questions, Brute Force Protection, and advanced customization options for securing your server.

secure and flexible hosting controlsecuring

~3 min read • Updated Mar 1, 2026

1. Securing DirectAdmin on Port 2222 with SSL


SSL encrypts the connection between the browser and the server, protecting sensitive data such as passwords and personal information from interception or tampering.

1.1 How to Enable SSL for DirectAdmin

DirectAdmin supports SSL on port 2222 by default. To enable it:

  1. Install a valid SSL certificate (Let’s Encrypt recommended).
  2. Edit /usr/local/directadmin/conf/directadmin.conf and ensure the following lines exist:

textssl=1
ssl_redirect_host=yourdomain.com
ssl_redirect_port=2222

Restart DirectAdmin:

systemctl restart directadmin

DirectAdmin will now be accessible only via https://yourdomain.com:2222.

---

2. What Is a Login Key and How Is It Created?


A Login Key is an additional security layer that allows you to generate temporary or restricted access keys instead of sharing your main password. These keys are ideal for API usage, scripts, or temporary technician access.

2.1 Login Key Features

  • Usage limits (one-time or unlimited)
  • Expiration date
  • Automatic deletion after use or expiration
  • IP restrictions
  • Command restrictions (CMD_*)
  • Disable HTML access to prevent browser login

2.2 How to Create a Login Key

  1. Log in as the target user (e.g., admin).
  2. Navigate to: User Level → Login Keys
  3. Click Create Key.
  4. Fill in the fields:
  • Key Name: for your reference
  • Key Value: generate randomly
  • Expires On: expiration date
  • Clear Key: delete after expiration
  • Allow HTM: enable only if browser login is needed
  • Commands: select only required CMD_* actions
  • Allowed IPs: restrict access to specific IPs
  • Current Password: enter your current password

The key will be shown only once—copy and store it securely.

2.3 Practical Use Cases

  • API for email management: allow only CMD_API_POP, CMD_API_EMAIL_VACATION
  • DNS Clustering: allow CMD_API_DNS_ADMIN, CMD_API_LOGIN_TEST
  • Technician access: enable HTML, set expiration to 5 days, restrict IP
---

3. Enabling Two-Factor Authentication and Security Questions


3.1 Two-Step Authentication (2FA)

  1. Go to: Dashboard → Change Password → Two-Step Authentication
  2. Scan the QR code using Google Authenticator, Authy, or FreeOTP
  3. Enter the temporary code
  4. Save your Scratch Codes for emergency access

3.2 Security Questions

In the same section, configure your Security Questions for additional protection.

3.3 Important Security Note

Failed attempts for 2FA or Security Questions are logged in failed_logins. If attempts exceed brutecount, the IP is added to ip_blacklist.

To unblock yourself:

/usr/local/directadmin/data/admin/ip_blacklist

To prevent future blocks, add your IP to:

/usr/local/directadmin/data/admin/ip_whitelist
---

4. Brute Force Monitoring and Attack Prevention


DirectAdmin includes two brute-force detection systems:

4.1 For DirectAdmin Login (Port 2222)

Navigate to:

Admin Level → Admin Settings → Blacklist IPs for excessive login attempts

Recommended value: 10–20 attempts.

4.2 For Other Services

Apache, Exim, Dovecot, SSH, ProFTPd:

Admin Level → Admin Settings → Parse service logs for brute force attacks

Monitor attacks via:

Admin Level → Brute Force Monitor

4.3 Hide Brute Force Notifications

If notifications are too frequent:

hide_brute_force_notifications=1

Add this to directadmin.conf and restart DirectAdmin.

4.4 WordPress xmlrpc.php Attacks

If “Scan for WordPress attacks” is enabled, even successful POST requests to xmlrpc.php (HTTP 200) are counted as attacks—weighted x4.

4.5 Custom Page for Blocked IPs

Create this file to replace the default block message:

/usr/local/directadmin/data/templates/custom/blacklisted_ip.html

You can display any custom HTML message to blocked visitors.

Written & researched by Dr. Shahin Siami

Next Article