In DirectAdmin you can block commands server-wide or only for specific user(s). The commands that can be blocked can be found at:

https://www.directadmin.com/api.html
https://www.directadmin.com/search_versions.php?help=no&versions=yes&query=CMD_API_
https://www.directadmin.com/search_versions.php?help=no&versions=yes&query=CMD_

A. Block DirectAdmin commands globally

To block commands for all the users on the server, you must use the never_commands setting in /usr/local/directadmin/conf/directadmin.conf file.

For example, to block the possibility of creating new admin accounts, use:

never_commands=CMD_ACCOUNT_ADMIN:CMD_API_ACCOUNT_ADMIN

Restart DirectAdmin with:

service directadmin restart

B. Block DirectAdmin commands per user

For specific user blocking, you must use the files commands.allow and commands.deny. (this is very similar to the CSF files – csf.allow and csf.deny)

/usr/local/directadmin/data/users/USERNAME/commands.allow
/usr/local/directadmin/data/users/USERNAME/commands.deny

In the commands.allow you will have of course, the allowed commands and in the commands.deny, the blocked commands. These files do not exist by default, so you may need to create them. Add one command per line. Few rules to consider:

– commands.allow overrides commands.deny. If an item is in both, the command will be allowed.
– if commands.allow exists, but is empty, that User will not be able to do anything
– adding commands to commands.allow that do not exist in the given accounts access level won’t work

DA help

For example to block the USER11 ability to edit PHP settings, add the line

CMD_PHP_SETTINGS

to the file

/usr/local/directadmin/data/users/USER11/commands.deny

If a user will try to execute a blocked command, a denied message will be shown:

You cannot execute that command
The request you've made cannot be executed because it does not exist in your authority level
directadmin block commands
Blocked command message in DA

Links:
never_commands
commands.allow and commands.deny
commands_force_deny