If your DirectAdmin control panel is protected by nothing more than a password, every website you host is one stolen credential away from total compromise. Enabling two-factor authentication (2FA) in DirectAdmin adds a critical second layer that stops attackers cold — even when they already know your password. This guide walks you through every step: personal account setup, server-wide enforcement, backup code management, and lockout recovery.
Why 2FA Is Critical for DirectAdmin Servers
Brute-force attacks against control panel logins are relentless. Automated bots cycle through millions of password combinations around the clock, and credential-stuffing campaigns routinely use email/password pairs leaked from third-party breaches to target hosting panels. A single compromised admin account in DirectAdmin hands an attacker control over every reseller, every end-user, and every website on that server.
Two-factor authentication (2FA) — also called two-step authentication — requires a time-sensitive one-time code generated by an app on your phone in addition to your password. That code rotates every 30 seconds and is mathematically tied to a secret only your device holds. Even if an attacker captures your password via phishing or a database leak, the stolen credential alone is useless.
- Brute-force resistance: Each failed 2FA attempt is logged in DirectAdmin's failed_logins file. Exceed the brutecount threshold and the attacker's IP is automatically added to ip_blacklist.
- Credential-stuffing defence: Reused passwords from external breaches cannot unlock your panel without the rotating TOTP code.
- Compliance alignment: Many hosting SLAs and data-protection frameworks now expect MFA on administrative interfaces.
If you manage multiple servers or are responsible for dozens of client sites, consider pairing 2FA with a proactive managed server management service to ensure every layer of your environment stays hardened.
Prerequisites Before Enabling 2FA in DirectAdmin
Before you begin, confirm the following items are in place. Skipping any of them is the most common reason 2FA setups fail or lock admins out.
1. A Compatible Authenticator App
DirectAdmin uses the open TOTP standard (RFC 6238), so any compatible app works. Popular choices include:
- Google Authenticator (Android / iOS) — most commonly referenced in DirectAdmin docs
- Authy — supports encrypted cloud backup of your secrets
- Microsoft Authenticator — good for teams already in the Microsoft ecosystem
- FreeOTP — open-source alternative from Red Hat
Install your chosen app and have your phone ready before proceeding.
2. Server Time Synchronisation
TOTP codes are time-based. If your server clock drifts more than 30 seconds from UTC, every code will be rejected. Verify and correct time sync before enabling 2FA:
# Check current server time vs UTC
timedatectl status
# Force an NTP sync (ntpdate)
ntpdate -u pool.ntp.org
# Or with chrony
chronyc makestep
Confirm System clock synchronized: yes in the timedatectl output before continuing.
3. Access to directadmin.conf (Admin Only)
If you plan to enforce 2FA server-wide, you will need SSH root access to edit /usr/local/directadmin/conf/directadmin.conf. Personal account setup does not require SSH — it is done entirely through the panel GUI.
4. Your Admin IP Address
Note your current public IP before enabling 2FA. You will use it to whitelist yourself, ensuring you cannot be locked out of your own server.
How to Enable Two-Factor Authentication for Your Account
These steps apply to any DirectAdmin account type: admin, reseller, or end-user. The path is the same regardless of account level.
1. Log in to DirectAdmin and navigate to Two-Step Authentication
From your DirectAdmin dashboard, go to Your Name (top-right menu) → Password & Security → Two-Step Authentication. On older DirectAdmin themes the path may be Dashboard → Change your Password → Two-Step Authentication.
2. Generate your secret key
Click the Generate Secret button. DirectAdmin will display a unique secret key and a QR code. Do not close this page — you need it for the next step.
3. Scan the QR code in your authenticator app
Open Google Authenticator (or your chosen app) and tap the + / Add account button. Select Scan a QR code and point your camera at the code on screen. The app will immediately begin generating 6-digit codes that rotate every 30 seconds. If your camera cannot scan the code, choose Enter a setup key and type the alphanumeric secret shown below the QR code.
4. Test the code before saving
This step is critical and often skipped. In the Test your phone's code field, enter the current 6-digit code from your app and click Test Code. You should see a "Valid code" confirmation. If you see an error mentioning time discrepancy, address the server time sync issue described in the prerequisites section before proceeding.
5. Enable 2FA and save
Tick the checkbox labelled Require valid Two-Step Authentication Code to login to this account and click Save. From this point forward, every login for this account will require both the password and a valid TOTP code.
6. Verify the setup by logging out and back in
Log out of DirectAdmin completely. When you log back in with your credentials, you should be prompted for a six-digit code. Enter the current code from your authenticator app to confirm everything is working end-to-end.
How to Force 2FA for All Resellers and End Users
Most guides stop at personal account setup. As a server administrator managing multiple resellers and dozens of end-users, you need 2FA enforced at the infrastructure level — not left as an opt-in feature that users ignore.
Server-Wide Enforcement via directadmin.conf
SSH into your server as root and edit the main DirectAdmin configuration file:
nano /usr/local/directadmin/conf/directadmin.conf
Locate or add the following directives:
# Enable two-step authentication system-wide
twostep_auth=1
# Allow a time discrepancy tolerance (in 30-second windows)
twostep_auth_discrepancy=1
# Number of failed 2FA attempts before IP is blacklisted
max_twostep_auth_attempts=5
# Number of days a trusted browser cookie remains valid
twostep_auth_trust_days=30
Save the file and restart DirectAdmin to apply the changes:
systemctl restart directadmin
Important: Setting twostep_auth=1 enables the feature globally but does not retroactively configure authenticator apps for existing users. Each user must still scan their own QR code. What it does enforce is that any account that has 2FA enabled cannot bypass it, and new accounts are prompted to configure it.
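To make concrete what the "Why 2FA" section describes (a 6-digit code derived from a shared secret and the current 30-second window) and what twostep_auth_discrepancy tolerates, here is an added example implementing RFC 4226 HOTP and RFC 6238 TOTP in plain Python. It is not DirectAdmin's code; the secret is the published RFC 6238 test key (constructed input, not a real account secret), and the verifier mirrors the discrepancy directive by accepting codes from the surrounding windows. The skew helper shows why a clock 45 seconds off can land two windows away and be rejected at discrepancy=1 but accepted at discrepancy=2, matching the troubleshooting advice later in the article.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference test key ("12345678901234567890" in ASCII), base32-encoded.
# Constructed for this example; DirectAdmin shows a per-account secret under its QR code.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30  # the 30-second window the article describes


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time window."""
    return hotp(secret_b32, unix_time // step, digits)


def verify_totp(secret_b32: str, code: str, unix_time: int, discrepancy: int = 1,
                digits: int = 6, step: int = STEP_SECONDS) -> bool:
    """Accept the code if it matches the current window or any window within +/- discrepancy.

    discrepancy plays the role of twostep_auth_discrepancy: 0 means the exact window only,
    1 means one 30-second window either side, and so on. Comparison is constant-time.
    """
    window = unix_time // step
    for delta in range(-discrepancy, discrepancy + 1):
        if hmac.compare_digest(hotp(secret_b32, window + delta, digits), code):
            return True
    return False


def window_skew(server_time: int, client_time: int, step: int = STEP_SECONDS) -> int:
    """Number of windows the client's clock is ahead of (positive) or behind the server's."""
    return client_time // step - server_time // step


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(TEST_SECRET_B32, now))
    # A phone 45 seconds ahead of the server may be one or two windows away,
    # depending on where in the window the server currently sits.
    print("windows of skew for +45 s:", window_skew(now, now + 45))
```

The verifier deliberately compares against every window in the tolerance range rather than returning early on a mismatch, and uses hmac.compare_digest so that a wrong guess costs the same time as a right one.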
Combine with IP Whitelisting for Defence in Depth
2FA is strongest when layered with IP whitelisting. Add your admin IP(s) to the DirectAdmin whitelist so that even if 2FA is misconfigured, your own access is protected:
# Add your IP to the whitelist (replace with your actual IP)
echo "203.0.113.45" >> /usr/local/directadmin/data/admin/ip_whitelist
# Restart DirectAdmin
systemctl restart directadmin
For complete server hardening strategy, our team at CloudHouse offers a managed server management service that includes 2FA enforcement, CSF firewall configuration, and ongoing intrusion monitoring.
Generating and Storing Backup Scratch Codes Safely
Scratch codes are single-use emergency codes that bypass the TOTP requirement. They are your lifeline if your phone is lost, stolen, broken, or unavailable during an urgent login. Generating them is simple — storing them safely is where most admins fail.
1. Generate scratch codes
In the Two-Step Authentication settings page, locate the Scratch Codes section and click Generate Scratch Codes. DirectAdmin will display a set of one-time-use alphanumeric codes.
2. Copy and store them immediately
Each code can only be used once. Storage best practices:
- Print and secure: Print the codes and store them in a locked drawer or safe — physically separate from your server room.
- Password manager: Store them in a dedicated entry in Bitwarden, 1Password, or KeePass under a clearly labelled section.
- Encrypted note: An encrypted note in a secure vault application is acceptable.
- Never: Do not store scratch codes in plain text files, email drafts, Slack messages, or cloud notes without encryption.
3. Regenerate codes after use
If you use a scratch code, immediately log in and generate a new set. Treat scratch codes like cash — once spent, replace them.
Troubleshooting Common 2FA Issues in DirectAdmin
Issue: Code is always rejected even though it looks correct
This is almost always a server clock synchronisation problem. Fix it with:
ntpdate -u pool.ntp.org
# or
chronyc makestep
If you cannot fix the clock immediately, increase the discrepancy tolerance in directadmin.conf:
twostep_auth_discrepancy=2
Issue: Locked out after too many failed attempts
# Remove your IP from the blacklist
nano /usr/local/directadmin/data/admin/ip_blacklist
# Restart DirectAdmin
systemctl restart directadmin
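The whitelist append in the "Defence in Depth" section and the blacklist edit in this lockout recovery both modify DirectAdmin's IP list files by hand, with no check that the address is well-formed or that it is not already listed. The following added example (not DirectAdmin's own code) wraps those edits in small Python helpers: it validates the address with the standard ipaddress module, refuses duplicate whitelist entries, removes a blacklisted address by exact match only, and includes a simplified model of the brutecount rule from the "Why 2FA" section that returns the IPs whose failure count exceeds the threshold. Assumptions: the list files hold one address per line, as the article's echo >> command produces; the failed-attempt input is a constructed in-memory list of source IPs, not the real failed_logins file format; and, as the article states, DirectAdmin still needs a restart after the files change.

```python
import ipaddress
import os
import tempfile
from collections import Counter

# Paths from the article. The functions take a path argument so they can be run on
# temporary copies first, which is what demo() below does.
WHITELIST_PATH = "/usr/local/directadmin/data/admin/ip_whitelist"
BLACKLIST_PATH = "/usr/local/directadmin/data/admin/ip_blacklist"


def _read_entries(path: str) -> list:
    """One address per line (assumed layout, matching the article's echo >> command)."""
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8") as fh:
        return [line.strip() for line in fh if line.strip()]


def add_ip(path: str, ip: str) -> bool:
    """Validate the address and append it once. True if written, False if already present."""
    ipaddress.ip_address(ip)  # raises ValueError on a typo such as "203.0.113.456"
    if ip in _read_entries(path):
        return False
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(ip + "\n")
    return True


def remove_ip(path: str, ip: str) -> int:
    """Drop lines equal to ip (exact match, so 10.0.0.1 never removes 10.0.0.10).

    Returns how many lines were removed; 0 means the address was not listed.
    """
    entries = _read_entries(path)
    kept = [entry for entry in entries if entry != ip]
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("".join(entry + "\n" for entry in kept))
    return len(entries) - len(kept)


def ips_over_threshold(failed_attempts, brutecount: int) -> list:
    """Simplified brutecount model: source IPs whose failed logins exceed the threshold.

    failed_attempts is an iterable with one source IP per failed login (constructed input).
    """
    counts = Counter(failed_attempts)
    return sorted(ip for ip, n in counts.items() if n > brutecount)


def demo() -> dict:
    """Exercise the helpers on temporary copies of the list files and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        whitelist = os.path.join(tmp, "ip_whitelist")
        blacklist = os.path.join(tmp, "ip_blacklist")
        results = {}
        # Whitelist the admin address once; a second add is a no-op.
        results["whitelist_first_add"] = add_ip(whitelist, "203.0.113.45")
        results["whitelist_second_add"] = add_ip(whitelist, "203.0.113.45")
        try:
            add_ip(whitelist, "203.0.113.456")
            results["rejected_bad_ip"] = False
        except ValueError:
            results["rejected_bad_ip"] = True
        # Constructed failed-login sources: one address fails 6 times, another twice.
        attempts = ["198.51.100.7"] * 6 + ["198.51.100.8"] * 2
        offenders = ips_over_threshold(attempts, brutecount=5)
        for ip in offenders:
            add_ip(blacklist, ip)
        results["blacklisted"] = offenders
        # Lockout recovery: remove the address from the blacklist and confirm it is gone.
        results["removed"] = remove_ip(blacklist, "198.51.100.7")
        results["blacklist_after"] = _read_entries(blacklist)
        results["whitelist_after"] = _read_entries(whitelist)
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a live server you would call add_ip(WHITELIST_PATH, "your.public.ip") and remove_ip(BLACKLIST_PATH, "your.public.ip") as root and then run systemctl restart directadmin, exactly as the article's manual steps do; the exact-match removal is what keeps a recovery edit from silently unblocking other addresses that share a prefix.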
Issue: Lost access to the authenticator app with no scratch codes
# Edit the user config file to disable 2FA
nano /usr/local/directadmin/data/users/USERNAME/user.conf
# Change: twostep_auth=1 → twostep_auth=0
systemctl restart directadmin
Issue: QR code will not scan
- Use the Enter a setup key manual entry option in your authenticator app
- Ensure your phone camera is clean and has adequate lighting
- Try a different authenticator app
- Use a QR code reader app to decode the secret, then enter it manually
Securing your DirectAdmin panel with two-factor authentication is one of the highest-leverage security improvements a server administrator can make. By combining personal account 2FA with server-wide twostep_auth=1 enforcement, IP whitelisting, and a tested scratch-code recovery plan, you dramatically reduce your exposure to brute-force attacks and credential stuffing. If you would like expert help rolling out these controls across your entire server environment, the team at CloudHouse provides a fully managed server management service designed for exactly this kind of server hardening work.
