Log location: /var/log/btmp (failed logins) and /var/log/wtmp (successful logins, logouts and reboots). Both are binary utmp-format files, so read them with last/lastb rather than cat. To rotate the btmp log, add the stanza below to /etc/logrotate.conf, after first checking that your distribution does not already ship an entry for /var/log/btmp there or under /etc/logrotate.d (logrotate rejects duplicate entries for the same file).
Addition to logrotate.conf for btmp:
/var/log/btmp {
monthly
minsize 1M
create 0600 root utmp
rotate 1
}
You can change the number of archived files you keep by modifying the number after rotate. Make sure the "create 0600 root utmp" line stays in this configuration, and check that the live file is not world-readable (ls -l /var/log/btmp): btmp records whatever was typed at the login prompt, and one of the more common mistakes when logging into a server is typing the password in the username field, so anyone who can read btmp can harvest cleartext passwords from it. The rotated copies (/var/log/btmp.1 and so on) need the same protection.
If you want to read the list of failed login attempts to look for patterns to help make your server more secure then use the command below.
How to Read btmp Log:
last -f /var/log/btmp
The output looks like the following (user, tty, source host, time):
Example btmp Entries:
test2 ssh:notty 202.69.197.99 Sun Sep 20 16:45 - 16:45 (00:00)
test2 ssh:notty 202.69.197.99 Sun Sep 20 16:45 - 16:45 (00:00)
test1 ssh:notty 202.69.197.99 Sun Sep 20 16:45 - 16:45 (00:00)
test1 ssh:notty 202.69.197.99 Sun Sep 20 16:45 - 16:45 (00:00)
test ssh:notty 202.69.197.99 Sun Sep 20 16:45 - 16:45 (00:00)
To clear the log while keeping the file in place (login and sshd only record attempts if the file exists, so do not delete it), truncate it as root:
: > /var/log/btmp
To read the same log with less typing, use lastb, which reads /var/log/btmp by default and prints the same columns as last -f:
lastb
Then spice it up a little bit …
Show the top 10 IPs with failed logins (first column is the number of failed tries, second column is the IP). The grep drops the "btmp begins ..." trailer line that lastb prints and awk 'NF' skips the blank line before it, so neither shows up as a source. Column 3 is the host field as sshd recorded it; if hostname lookups are enabled it may be a name rather than an address, and lastb -i forces the numeric address.
lastb | grep -v '^btmp begins' | awk 'NF {print $3}' | sort | uniq -c | sort -rn | head -10
Show the top 10 usernames with failed logins:
lastb | grep -v '^btmp begins' | awk 'NF {print $1}' | sort | uniq -c | sort -rn | head -10
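The lastb pipelines above work, but they depend on lastb's column layout and on filtering its trailer line. As an added example (not code from the original page), the script below reads /var/log/btmp directly with the glibc struct utmp layout, so it can produce the same top-10 source and username counts and, in addition, flag usernames that are not local accounts (the ones most likely to be scanner guesses or a password typed into the username field). It assumes a little-endian Linux host with the glibc record layout (384 bytes per record, 32-bit time fields); musl, the BSDs and big-endian hosts use different layouts. The sample records, the helper functions and the 198.51.100.7 entries are constructed for this example.

```python
#!/usr/bin/env python3
"""Parse /var/log/btmp directly and summarise failed logins.

Added example, not from the original page.  Assumes the glibc `struct utmp`
layout on little-endian Linux (384-byte records, 32-bit time fields);
other libcs (musl, BSD) and big-endian hosts differ.
"""
import socket
import struct
from collections import Counter
from datetime import datetime, timezone

# glibc struct utmp, in order: ut_type (short + 2 pad bytes), ut_pid,
# ut_line[32], ut_id[4], ut_user[32], ut_host[256], ut_exit (2 shorts),
# ut_session, ut_tv.tv_sec, ut_tv.tv_usec, ut_addr_v6 (16 raw bytes),
# 20 reserved bytes.  Total: 384 bytes.
UTMP = struct.Struct("<h2xi32s4s32s256shhiii16s20x")
assert UTMP.size == 384

LOGIN_PROCESS = 6   # ut_type OpenSSH writes for failed attempts in btmp


def _cstr(field: bytes) -> str:
    """NUL-terminated fixed-width field -> str."""
    return field.split(b"\0", 1)[0].decode("utf-8", "replace")


def _source(addr16: bytes, host: str) -> str:
    """Prefer the binary address; fall back to the ut_host text."""
    if addr16 == b"\0" * 16:
        return host
    if addr16[4:] == b"\0" * 12:          # IPv4 is stored in ut_addr_v6[0]
        return socket.inet_ntop(socket.AF_INET, addr16[:4])
    return socket.inet_ntop(socket.AF_INET6, addr16)


def parse_btmp(data: bytes) -> list:
    """Return one dict per complete record that has a non-empty user.

    A trailing partial record (for example a stray byte left by a sloppy
    truncation) is ignored rather than raising.
    """
    records = []
    for off in range(0, len(data) - len(data) % UTMP.size, UTMP.size):
        (ut_type, _pid, line, _id, user, host,
         _term, _exit, _sess, sec, _usec, addr) = UTMP.unpack_from(data, off)
        user_s = _cstr(user)
        if not user_s:
            continue
        records.append({
            "type": ut_type,
            "user": user_s,
            "line": _cstr(line),
            "source": _source(addr, _cstr(host)),
            "time": datetime.fromtimestamp(sec, tz=timezone.utc),
        })
    return records


def top_sources(records, n=10):
    """Same result as: lastb | awk '{print $3}' | sort | uniq -c | sort -rn | head"""
    return Counter(r["source"] for r in records).most_common(n)


def top_users(records, n=10):
    """Same result as: lastb | awk '{print $1}' | sort | uniq -c | sort -rn | head"""
    return Counter(r["user"] for r in records).most_common(n)


def unknown_users(records, known_users):
    """Usernames in btmp that are not accounts on this host: scanner guesses,
    or a real user's password typed into the login prompt by mistake."""
    return sorted({r["user"] for r in records} - set(known_users))


def make_record(user: str, ipv4: str, when: int, line: str = "ssh:notty") -> bytes:
    """Build one btmp record laid out as sshd writes it (constructed sample data)."""
    addr = socket.inet_pton(socket.AF_INET, ipv4) + b"\0" * 12
    return UTMP.pack(LOGIN_PROCESS, 4242, line.encode(), b"", user.encode(),
                     ipv4.encode(), 0, 0, 0, when, 0, addr)


# Constructed sample mirroring the page's `last -f /var/log/btmp` output,
# plus two extra attempts invented for this example.
T0 = 1442767500  # 2015-09-20 16:45:00 UTC
SAMPLE_BTMP = b"".join(make_record(u, ip, T0 + i) for i, (u, ip) in enumerate([
    ("test2", "202.69.197.99"), ("test2", "202.69.197.99"),
    ("test1", "202.69.197.99"), ("test1", "202.69.197.99"),
    ("test", "202.69.197.99"),
    ("root", "198.51.100.7"),
    ("MyPassw0rd", "198.51.100.7"),   # a password typed at the login: prompt
]))


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BTMP
    recs = parse_btmp(data)
    for r in recs:
        print(f'{r["user"]:<12} {r["line"]:<10} {r["source"]:<16} {r["time"]:%a %b %d %H:%M}')
    print("top sources:", top_sources(recs))
    print("top users:", top_users(recs))
    print("not local accounts:", unknown_users(recs, {"root", "test", "test1", "test2"}))
```

Run it as root against the live file (python3 btmp_stats.py /var/log/btmp) or with no argument to see it work on the constructed sample. Because the script reads records by offset instead of parsing lastb's text, a hostname with spaces or a truncated host column cannot shift the counts; the same mistyped-password exposure applies, so its output is as sensitive as btmp itself.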