One can always check logs:
- /var/log/directadmin/2022-Jul-*.log
- /var/log/directadmin/2022-Jun-*.log
- /var/log/directadmin/2022-May-*.log
etc
for any logins from unknown/not-trusted IPs:
Code:
grep "POST /CMD_LOGIN" /var/log/directadmin/2022-*.log
The suggested code will list LOGIN requests with the IPs from which they were made. If you see a login attempt from an unknown IP, you might check the entire log which contains the record for further entries with that particular IP.
The mentioned logs cannot be either emptied or removed from DirectAdmin, so even if somebody hijacked your password for DirectAdmin, they could hardly affect the logs. So, the logs can be trusted.
Besides the logs, DirectAdmin shows in the interface a list of the last connections/logins with IPs. They can also be trusted, as neither admin nor users can truncate the lists of last visits.
It's nearly impossible to brute-force and guess a strong password for DirectAdmin, as the control panel will block IPs, unless the protection against brute-force is disabled in the panel. Thus, if they really accessed DirectAdmin, it could have happened only if they had stolen your password by other means. I hope you've always connected to DirectAdmin over HTTPS.
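The grep above, extended into a per-IP summary that hides addresses you already trust. This is an added example, not part of the original post. The sample log line layout, the helper names and the trusted-IP file are assumptions; the functions only rely on the client IPv4 address being the first dotted-quad on each matching line.

```shell
#!/bin/sh
# Added example. The log line layout below is an ASSUMPTION made for the demo;
# the functions only rely on the client IPv4 address being the first
# dotted-quad on each "POST /CMD_LOGIN" line. IPv6 clients are not handled.
# Real use: untrusted_logins trusted.txt /var/log/directadmin/2022-*.log

# login_ips LOGFILE... -> "COUNT IP" per source of POST /CMD_LOGIN, busiest first
login_ips() {
    awk '/POST \/CMD_LOGIN/ {
        if (match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/))
            n[substr($0, RSTART, RLENGTH)]++
    }
    END { for (ip in n) print n[ip], ip }' "$@" | sort -k1,1nr -k2,2
}

# untrusted_logins TRUSTED_FILE LOGFILE... -> same list, minus the IPs listed
# in TRUSTED_FILE (hypothetical file, one address per line)
untrusted_logins() {
    trusted=$1; shift
    login_ips "$@" | awk -v tf="$trusted" '
        BEGIN { while ((getline line < tf) > 0) if (line != "") ok[line] = 1 }
        !($2 in ok)'
}

# Constructed sample lines (documentation-range addresses), not real log data.
sample_log() {
    cat <<'EOF'
2022:07:14-09:12:01: 192.0.2.10: POST /CMD_LOGIN HTTP/1.1
2022:07:14-09:12:03: 192.0.2.10: GET /CMD_SHOW_DOMAIN HTTP/1.1
2022:07:15-02:41:55: 203.0.113.77: POST /CMD_LOGIN HTTP/1.1
2022:07:15-02:42:10: 203.0.113.77: POST /CMD_LOGIN HTTP/1.1
2022:07:16-18:30:00: 198.51.100.5: POST /CMD_LOGIN HTTP/1.1
EOF
}

# Demo: 192.0.2.10 is treated as the admin's own address; the rest is reported.
demo() {
    d=$(mktemp -d) || return 1
    sample_log > "$d/2022-Jul-demo.log"
    echo "192.0.2.10" > "$d/trusted.txt"
    untrusted_logins "$d/trusted.txt" "$d/2022-Jul-demo.log"
    rm -rf "$d"
}
```

Any IP this prints is then a candidate for the follow-up step described in the post: grep the full logs for that address to see what else it requested.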