
How to Monitor & Secure DirectAdmin on Linux Server – Easy Guide

To monitor and secure DirectAdmin on a Linux server, keep the OS and DirectAdmin updated, enforce a firewall (CSF/LFD), enable Brute Force Monitor, force SSL and 2FA on port 2222, add ModSecurity with OWASP rules, deploy malware and rootkit scanners, audit logs with alerts, and automate offsite, encrypted backups.

DirectAdmin is a lightweight, reliable hosting control panel—but like any Internet-facing service, it must be hardened and continuously monitored. In this guide, you’ll learn exactly how to monitor and secure DirectAdmin on a Linux server using proven configurations and tools that balance performance, usability, and strong security.

Search Intent: What You’ll Achieve

If you’re running DirectAdmin on CentOS, AlmaLinux, Rocky Linux, Debian, or Ubuntu, this tutorial shows step-by-step security hardening, live monitoring, log analysis, malware detection, email abuse prevention, and backup strategies. It’s written for beginners and admins alike, based on real-world hosting experience.

Understand DirectAdmin’s Attack Surface

Default Ports and Core Services

  • DirectAdmin panel: 2222 (recommend HTTPS + optional custom port)
  • Web stack: Apache/Nginx, PHP-FPM
  • Mail: Exim (SMTP), Dovecot (IMAP/POP3), SpamAssassin/Rspamd
  • Databases: MariaDB/MySQL
  • FTP: Pure-FTPd/ProFTPD
  • DNS: BIND/PowerDNS (optional)

Common Weak Spots to Fix Early

  • Outdated OS, kernel, or DirectAdmin/CustomBuild stacks
  • Weak passwords, no 2FA, no enforced SSL for the panel
  • Open firewall ports or poor rate limits on mail
  • Insecure PHP settings and missing WAF (ModSecurity)
  • No malware/rootkit scanning or alerting

Quick Hardening Checklist (Do This First)

  • Update OS, kernel, DirectAdmin, and all services
  • Install and configure CSF/LFD firewall + DirectAdmin plugin
  • Enable Brute Force Monitor (BFM) with sane lockouts
  • Force SSL on DirectAdmin and enable Two-Factor Authentication
  • Install ModSecurity + OWASP CRS, tighten PHP
  • Deploy ClamAV + Maldet, RKHunter, and auditd
  • Set up log monitoring with alerts; consider Netdata
  • Configure DKIM/SPF/DMARC and outbound mail limits
  • Automate encrypted, remote backups and test restores

Keep DirectAdmin and the OS Updated

Staying current closes known vulnerabilities fast. Update both the OS and the DirectAdmin stack (via CustomBuild) on a schedule.

# OS update (AlmaLinux/Rocky/CentOS Stream)
dnf update -y

# OS update (Debian/Ubuntu)
apt update && apt full-upgrade -y

# Update DirectAdmin CustomBuild and services
cd /usr/local/directadmin/custombuild
./build update
./build versions
./build all d
./build php n
./build rewrite_confs

# Enable automatic updates (recommended in low-risk windows)
# Append to the task queue; ">" would overwrite any tasks already waiting
echo 'action=directadmin&value=auto' >> /usr/local/directadmin/data/task.queue
/usr/local/directadmin/dataskq d800

Subscribe to DirectAdmin and OS security announcements, and apply security-only updates weekly. Reboot for kernel updates during maintenance windows.

Firewall and Intrusion Prevention with CSF/LFD

CSF (ConfigServer Security & Firewall) plus LFD (Login Failure Daemon) provides robust host firewalling and abuse detection. DirectAdmin has a native CSF plugin for easy management.

# Install prerequisites (CSF downloads over HTTPS, so the LWP https module is needed on both families)
dnf install perl-libwww-perl perl-LWP-Protocol-https -y || apt install libwww-perl liblwp-protocol-https-perl -y

# Install CSF
cd /usr/src
rm -rf csf
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz && cd csf
sh install.sh

# Test if required iptables modules are present
perl /usr/local/csf/bin/csftest.pl

# Enable CSF
sed -i 's/^TESTING = "1"/TESTING = "0"/' /etc/csf/csf.conf
csf -r
systemctl enable lfd --now

Open only necessary ports. Include DirectAdmin, web, mail, and SSH. Tighten rate limits and use LFD to auto-block brute-force attempts.

# Example core ports (adjust to your setup)
/etc/csf/csf.conf:
TCP_IN = "22,25,53,80,110,143,443,465,587,993,995,2222"
TCP_OUT = "25,53,80,443,587,993,995"
UDP_IN = "53"
UDP_OUT = "53,123"

# Popular hardened tweaks
CT_LIMIT = "75"
CONNLIMIT = "22;5,80;40,443;40,2222;5"
LF_SSHD = "5"
LF_DA = "5"
LF_DISTATTACK = "1"
LF_EMAIL_ALERT = "1"
PS_INTERVAL = "3600"
PT_USERPROC = "75"

# Apply and restart
csf -r && systemctl restart lfd

Install the “CSF” plugin from DirectAdmin’s Plugin Manager for GUI control. Consider country blocking sparingly; it can cause false positives.

Enable and Tune DirectAdmin Brute Force Monitor (BFM)

BFM correlates failed logins across services and can trigger CSF blocks. Enable and tune it:

  • Admin Level > Admin Tools > Brute Force Monitor
  • Enable “Block IPs with too many failed attempts”
  • Set thresholds (e.g., 5 attempts in 10 minutes; ban for 24 hours)
  • Enable notifications to admin email
  • Whitelist your office/monitoring IPs

Force SSL, Change Port, and Add Two-Factor Authentication

Issue a Valid SSL for the Hostname

Use Let’s Encrypt for the DirectAdmin hostname (e.g., server.example.com). Ensure the hostname DNS A record points to the server.

# Built-in Let’s Encrypt for DirectAdmin hostname
/usr/local/directadmin/scripts/letsencrypt.sh request_single server.example.com 4096
# Force SSL (replace an existing ssl= line instead of appending a duplicate)
grep -q '^ssl=' /usr/local/directadmin/conf/directadmin.conf \
  && sed -i 's/^ssl=.*/ssl=1/' /usr/local/directadmin/conf/directadmin.conf \
  || echo "ssl=1" >> /usr/local/directadmin/conf/directadmin.conf
systemctl restart directadmin

Change the DirectAdmin Panel Port (Optional)

Changing the default port 2222 reduces noise from opportunistic scans. Update the config and firewall together.

# Change DirectAdmin port to 2443 (example)
sed -i 's/^port=2222/port=2443/' /usr/local/directadmin/conf/directadmin.conf
# Open the new port in CSF before restarting DirectAdmin, or the panel becomes unreachable;
# drop 2222 from TCP_IN once the new port is confirmed working
sed -i 's/^TCP_IN = "\(.*\)"/TCP_IN = "\1,2443"/' /etc/csf/csf.conf
csf -a YOUR_TRUSTED_IP
csf -ra
systemctl restart directadmin

Enable Two-Factor Authentication (2FA) and Login Keys

In DirectAdmin: User/Reseller/Admin Level > Password & Security > Two-Step Authentication. Scan the QR with an authenticator app and mandate 2FA for all staff. For scripts and automation, use “Login Keys” instead of passwords.

Web Stack Hardening: ModSecurity, OWASP CRS, PHP-FPM

Enable a Web Application Firewall (WAF) to block common attacks and sanitize malicious payloads at the edge.

# Install ModSecurity + OWASP CRS via CustomBuild
cd /usr/local/directadmin/custombuild
./build update
./build set modsecurity yes
./build set modsecurity_ruleset owasp
./build modsecurity
./build modsecurity_rules
./build apache        # use ./build nginx or ./build openlitespeed if that is your web server
./build rewrite_confs

Harden PHP settings globally, then override per-domain when needed.

# Common php.ini hardening (adjust for your version/handler)
expose_php = Off
display_errors = Off
log_errors = On
memory_limit = 256M
post_max_size = 32M
upload_max_filesize = 32M
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,show_source,putenv
allow_url_fopen = Off
session.use_strict_mode = 1

Use PHP-FPM with per-user pools for isolation. In DirectAdmin’s CustomBuild, prefer “php-fpm” and enable open_basedir protection where compatible with your apps.

Email Abuse Controls (Exim/Dovecot)

  • Enable DKIM: Admin Level > DNS Administration > Enable DKIM (default in newer DA)
  • Publish SPF and DMARC records for each domain
  • Set outbound rate limits per user to prevent spam bursts
  • Enable reputable RBLs (Spamhaus, Barracuda) in Exim
  • Run SpamAssassin/Rspamd and keep signatures updated

# Example (CSF): block outbound port 25 from local processes such as PHP scripts,
# allowing only the mail server itself, so compromised sites cannot relay directly
SMTP_BLOCK = "1"
SMTP_ALLOWUSER = "mail,exim"
# Per-user sending limits are set in Exim’s configuration or under DA > Exim settings

Monitor /var/log/exim/mainlog and /var/log/maillog for spikes. Lock compromised accounts quickly via DirectAdmin and rotate passwords with 2FA.
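The "watch mainlog for spikes" advice above as something runnable, added here as an example that is not part of the original guide: an awk-based check that counts messages per authenticated sender per hour in an Exim mainlog and flags anyone over a threshold. It runs on a constructed sample log; the `A=authenticator:user` field form is assumed from Exim's standard mainlog layout.

```shell
# Flags authenticated senders that pushed more than <limit> messages through Exim
# in any single hour. Only "<=" (message arrival) lines carrying an A=<auth>:<user>
# field are counted, so inbound mail and bounces are ignored.
flag_bursts() {  # usage: flag_bursts <mainlog> <limit>
  awk -v limit="$2" '
    /<=/ {
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^A=/) {                            # e.g. A=login:user@example.com
          split($i, a, ":")
          n[$1 " " substr($2, 1, 2) "h " a[2]]++     # key: date, hour, authenticated user
        }
      }
    }
    END { for (k in n) if (n[k] > limit) print k, n[k] }
  ' "$1" | sort
}

# Constructed sample log (not from a real server): one user sends 3 messages in one hour.
sample_mainlog() {  # usage: sample_mainlog <path>
  cat > "$1" <<'EOF'
2024-05-01 10:00:01 1s2AbC-0001Aa-Bc <= alice@example.com H=(laptop) [203.0.113.5] P=esmtpsa A=login:alice@example.com S=1200
2024-05-01 10:00:02 1s2AbC-0001Aa-Bc => bob@example.net R=lookuphost T=remote_smtp H=mx.example.net [198.51.100.7]
2024-05-01 10:03:10 1s2AbD-0001Ab-Cd <= bulk@example.com H=(pc) [203.0.113.9] P=esmtpsa A=login:bulk@example.com S=900
2024-05-01 10:03:11 1s2AbE-0001Ac-De <= bulk@example.com H=(pc) [203.0.113.9] P=esmtpsa A=login:bulk@example.com S=900
2024-05-01 10:03:12 1s2AbF-0001Ad-Ef <= bulk@example.com H=(pc) [203.0.113.9] P=esmtpsa A=login:bulk@example.com S=900
2024-05-01 11:15:00 1s2AbG-0001Ae-Fg <= bulk@example.com H=(pc) [203.0.113.9] P=esmtpsa A=login:bulk@example.com S=900
2024-05-01 11:20:00 1s2AbH-0001Af-Gh <= <> H=mx.example.org [192.0.2.4] P=esmtp S=300
EOF
}

log=$(mktemp); sample_mainlog "$log"
flag_bursts "$log" 2     # prints: 2024-05-01 10h bulk@example.com 3
rm -f "$log"
```

On a live server run it against /var/log/exim/mainlog from cron with a limit that matches your per-user sending policy, and feed the flagged accounts into the lock-and-rotate step above.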

Malware and Intrusion Detection

Combine signature-based scanning with rootkit checks and file integrity monitoring for defense in depth.

# ClamAV + Maldet (LMD)
cd /usr/local/directadmin/custombuild
./build clamav
# Maldet install
cd /usr/local/src
curl -L https://www.rfxn.com/downloads/maldetect-current.tar.gz -o maldetect.tar.gz
tar -xzf maldetect.tar.gz && cd maldetect-*
./install.sh
# Integrate ClamAV with Maldet
maldet --config-option scan_clamscan=1

# RKHunter
dnf install rkhunter -y || apt install rkhunter -y
rkhunter --propupd
rkhunter --check --sk

Schedule daily scans and email reports. For compliance, add auditd or AIDE to track sensitive file changes.

# auditd
dnf install audit -y || apt install auditd -y
systemctl enable --now auditd
# Put watches in rules.d so they survive a reboot; rules added with auditctl alone are not persistent
cat > /etc/audit/rules.d/directadmin-hardening.rules <<EOF
-w /etc/passwd -p wa -k userdb
-w /etc/ssh/sshd_config -p wa -k sshcfg
EOF
augenrules --load

Monitoring and Log Visibility

  • System health: Netdata, Prometheus Node Exporter, or Zabbix Agent
  • Web logs: GoAccess for real-time access/error insights
  • Alerts: LFD email alerts for brute force, process anomalies
  • Reports: Logwatch daily summaries

# Netdata (one-line installer)
bash <(curl -Ss https://my-netdata.io/kickstart.sh)

# GoAccess (real-time web log analytics)
dnf install goaccess -y || apt install goaccess -y
# Write the report outside any public document root, or anyone can read your traffic data
goaccess /var/log/httpd/access_log --log-format=COMBINED -o /root/reports/report.html --real-time-html
# Adjust paths and log format for Nginx/piped logs under DirectAdmin

Key logs to watch: /var/log/directadmin/error.log, /var/log/secure, /var/log/messages, /var/log/exim/mainlog, /var/log/maillog, web access/error logs, and PHP-FPM error logs per version.

Backups, Snapshots, and Restore Testing

  • DirectAdmin > Admin Backup/Transfer: schedule daily/weekly backups
  • Store offsite (S3/Wasabi, remote FTP, or object storage) with encryption
  • Keep 7–30 days of retention depending on RPO/RTO needs
  • Test restores quarterly to validate integrity

For full-server safety, combine DirectAdmin backups with provider snapshots or filesystem-level backups. Never rely on a single backup method.

SSH and System Hardening Essentials

  • Use key-based SSH; disable PasswordAuthentication
  • Change SSH port and restrict by IP with CSF
  • Limit sudo to a small admin group; log all privilege uses
  • Enable chrony/systemd-timesyncd for accurate time
  • Harden sysctl (SYN cookies, ICMP, IPv6 only if needed)

# SSH hardening: confirm key-based login works from a second session before running this,
# and keep that session open until the new settings are verified
sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
sshd -t && systemctl restart sshd

# Basic network hardening
cat >> /etc/sysctl.d/99-hardening.conf <<EOF
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
EOF
sysctl --system

Ongoing Maintenance and Audits

  • Monthly: apply updates, review firewall rules, rotate keys/passwords
  • Weekly: check logs, BFM/CSF hits, mail queue, disk usage
  • Quarterly: full security audit with Lynis and restore tests

# Lynis for security auditing
dnf install lynis -y || apt install lynis -y
lynis audit system
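Between Lynis runs it is worth checking that the specific settings this guide changes have not drifted. The script below is an added example, not part of the original guide: it reads the effective value of a key from sshd_config, csf.conf and directadmin.conf (last uncommented assignment wins, which is how those daemons parse their files) and compares it with the expected value, using constructed sample files rather than the live ones.

```shell
# setting_value prints the effective value of a key in a config file. It understands
# "Key value", "key=value" and 'KEY = "value"' forms and will not match a longer key
# that merely starts with the same letters (ssl vs ssl_cipher).
setting_value() {  # usage: setting_value <file> <key>
  awk -v key="$2" '
    BEGIN { pat = "^[ \t]*" key "([ \t]*=|[ \t]+)[ \t]*" }
    $0 !~ /^[ \t]*#/ && $0 ~ pat { v = $0; sub(pat, "", v); gsub(/"/, "", v); last = v }
    END { print last }' "$1"
}

# Reads "file key expected" triples from stdin, reports each, returns the number of failures.
check_hardening() {
  fails=0
  while read -r file key expected; do
    [ -z "$file" ] && continue
    actual=$(setting_value "$file" "$key")
    if [ "$actual" = "$expected" ]; then
      echo "OK    $key=$actual ($file)"
    else
      echo "FAIL  $key is '$actual', expected '$expected' ($file)"
      fails=$((fails + 1))
    fi
  done
  return "$fails"
}

# Constructed sample configs (not real server files) so the check runs offline;
# the DirectAdmin sample deliberately still has ssl=0 to show a drift report.
demo=$(mktemp -d)
printf '#PasswordAuthentication yes\nPasswordAuthentication no\nPermitRootLogin no\n' > "$demo/sshd_config"
printf 'TESTING = "1"\nTESTING = "0"\nLF_DA = "5"\n' > "$demo/csf.conf"
printf 'ssl_cipher=HIGH\nssl=0\nport=2222\n' > "$demo/directadmin.conf"

# On a real server point these at /etc/ssh/sshd_config, /etc/csf/csf.conf and
# /usr/local/directadmin/conf/directadmin.conf and run it from cron or before an audit.
check_hardening <<EOF || echo "$? setting(s) drifted"
$demo/sshd_config PasswordAuthentication no
$demo/sshd_config PermitRootLogin no
$demo/csf.conf TESTING 0
$demo/csf.conf LF_DA 5
$demo/directadmin.conf ssl 1
EOF
rm -rf "$demo"
```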

Troubleshooting and Safe Rollbacks

  • Locked out by firewall? Use console/KVM to run: csf -x to disable, then fix rules
  • New WAF rules breaking apps? Temporarily disable a rule ID and log hits before tuning
  • Before major updates, snapshot the VM and ensure current backups exist

Security Stack Summary

  • Firewall/IPS: CSF/LFD + DirectAdmin BFM
  • WAF: ModSecurity + OWASP CRS
  • Malware/Rootkits: ClamAV, Maldet, RKHunter
  • Integrity/Forensics: auditd, AIDE (optional)
  • Monitoring: Netdata/Prometheus, GoAccess, Logwatch
  • Backup: DirectAdmin Admin Backup + remote object storage

FAQs: Monitoring & Securing DirectAdmin on Linux

What is the fastest way to harden a fresh DirectAdmin install?

Update everything, install CSF/LFD, enable BFM, force SSL and 2FA on the panel, deploy ModSecurity with OWASP CRS, and set up ClamAV/Maldet. Then restrict SSH and configure daily backups. This covers the biggest risks immediately.

Should I change DirectAdmin’s default port 2222?

It’s optional. Changing the port reduces bot noise but isn’t a primary defense. Stronger measures are SSL, 2FA, BFM/CSF rules, and timely updates. If you change it, remember to adjust firewall rules and documentation.

Do I need both BFM and CSF/LFD?

Yes. BFM understands DirectAdmin service logs and coordinates with CSF/LFD to block offenders. LFD adds system-wide intrusion prevention, rate limits, and process anomaly alerts. Together they deliver layered protection.

How do I monitor DirectAdmin performance in real time?

Use Netdata for live CPU, RAM, disk, and network metrics; GoAccess for web traffic; and LFD/Logwatch for alerts and summaries. Add external uptime monitoring and set alert thresholds for actionable notifications.

What’s the best backup strategy for DirectAdmin servers?

Schedule daily incremental and weekly full backups via DirectAdmin to remote object storage with encryption. Keep 7–30 days of retention, and test restores quarterly. Complement with provider snapshots before major changes.

Prahlad Prajapati

Prahlad is a web hosting specialist and SEO-focused organic growth expert from India. Active in the digital space since 2019, he helps people grow their websites through clean, sustainable strategies. Passionate about learning and adapting fast, he believes small details create big success. Discover his insights on web hosting and SEO to elevate your online presence.
