My /var/log/btmp file is huge! What should I do?

Solution 1:

This means people are trying to brute-force your passwords (common on any public-facing server).

It shouldn't cause any harm to clear out this file.

One way to reduce this is to change the port for SSH from 22 to something arbitrary. For some additional security, DenyHosts can block login attempts after a certain number of failures. I'd highly recommend installing and configuring it.

Solution 2:

fail2ban can also be a great help for machines that must keep an internet-facing SSH on port 22. It can be configured to use hosts.allow or iptables with flexible thresholds.
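As an added illustration of the "flexible thresholds" mentioned above (not part of the original answer), this is a minimal fail2ban jail for sshd. It assumes a Debian-style auth log at /var/log/auth.log and fail2ban 0.10 or newer (for the `1h`/`10m` time-suffix syntax); on other distributions adjust `logpath` or leave it out so the distribution default applies.

```conf
# /etc/fail2ban/jail.local (added example, not from the original answer)
# Bans a source after 5 failed SSH logins within 10 minutes, for 1 hour.
[sshd]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log   # assumption: Debian/Ubuntu log location
maxretry = 5
findtime = 10m
bantime  = 1h
banaction = iptables-multiport  # or nftables-multiport on nft-based hosts
```

After editing, restart the service and check `fail2ban-client status sshd` to see the currently banned addresses; the jail reads the same failed-login events that fill /var/log/btmp, so the file grows far more slowly once repeat sources are blocked.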


Solution 3:

You could also examine the file with the lastb command and determine the IP number, and maybe block the IP number or network from further accessing your machine. This will also provide information as to the account being hacked. Most likely it will be root, but you never know.


Solution 4:

What I do, although I script it, is use the command like so:

lastb -a | awk '{print $10}' | grep -v ^192 | sort | uniq | sed '/^$/d'

** The "^192" is my local network's first octet (non-routable). I automate this (also scripted) like so:

for i in `lastb -a | awk '{print $10}' | grep -v ^192 | sort | uniq | sed '/^$/d'`; do iptables -A INPUT -s $i -j DROP ; done
iptables-save

Or

for i in `lastb -a | awk '{print $10}' | grep -v ^192 | sort | uniq | sed '/^$/d'`
do
iptables -A INPUT -s $i -j DROP
done
iptables-save

Just a different look for visibility... This works well for me.

As for the size of the /var/log/btmp file, you need to enable logrotate for that. Look at your logrotate conf file for a similar file being rotated to see how to do that (usually in /etc/logrotate.d/); look at the syslog or yum entry for the format, and man logrotate will show you all the options. C4
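Solution 3 suggests reading lastb to find the offending addresses, and Solution 4 shows a pipeline that blocks every address it sees. The script below is an added example (not the poster's script) that does the same extraction a little more defensively: it takes the host from the last field (`$NF`) instead of a fixed column, skips all RFC 1918 private ranges rather than only `^192`, counts attempts per source, and only emits rules for sources above a threshold. It prints the iptables commands instead of running them, so you can review the list first. The lastb lines are constructed sample data using RFC 5737 documentation addresses; the function names are this example's own.

```shell
#!/bin/sh
# Added example: summarise failed logins per source address from `lastb -a`
# output and emit iptables DROP rules for repeat offenders. Dry-run by
# default: rules are printed, not applied.

# Constructed sample of `lastb -a` output (source host is the last field).
SAMPLE_LASTB='root     ssh:notty    Mon Jan  1 10:00 - 10:00  (00:00)     203.0.113.5
admin    ssh:notty    Mon Jan  1 10:01 - 10:01  (00:00)     203.0.113.5
root     ssh:notty    Mon Jan  1 10:02 - 10:02  (00:00)     203.0.113.5
test     ssh:notty    Mon Jan  1 10:03 - 10:03  (00:00)     198.51.100.7
alice    ssh:notty    Mon Jan  1 10:04 - 10:04  (00:00)     192.168.1.20
root     ssh:notty    Mon Jan  1 10:05 - 10:05  (00:00)     198.51.100.7

btmp begins Mon Jan  1 09:00:00 2024'

# Read lastb-style lines on stdin; print "count ip" for every non-private
# IPv4 source seen at least $1 times (default 3), most frequent first.
# $NF (last field) is used instead of $10 so the parse survives changes in
# the tty/date column widths.
count_offenders() {
    threshold="${1:-3}"
    awk -v min="$threshold" '
        $NF ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            ip = $NF
            # never block the local network: skip all RFC 1918 ranges
            if (ip ~ /^10\./ || ip ~ /^192\.168\./ || ip ~ /^172\.(1[6-9]|2[0-9]|3[01])\./) next
            n[ip]++
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' | sort -rn
}

# Turn "count ip" lines into iptables commands without executing them.
render_rules() {
    while read -r count ip; do
        printf 'iptables -A INPUT -s %s -j DROP   # %s failed logins\n' "$ip" "$count"
    done
}

# Run the pipeline over the constructed sample (threshold defaults to 2).
sample_offenders() { printf '%s\n' "$SAMPLE_LASTB" | count_offenders "${1:-2}"; }

# Real use, after reviewing the printed list:
#   lastb -a | count_offenders 5 | render_rules | sh && iptables-save
if [ "${1:-}" = "--demo" ]; then
    sample_offenders 2 | render_rules
fi
```

With the sample data and a threshold of 2, the script reports 203.0.113.5 (3 attempts) and 198.51.100.7 (2 attempts) and ignores 192.168.1.20. Note that `-A INPUT` appends after any existing ACCEPT rules, so check `iptables -L INPUT -n --line-numbers` to be sure the DROP rules are evaluated where you expect.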


Solution 5:

: > /var/log/btmp   # truncate in place; btmp is a binary utmp-format file, so don't write text into it

That will regain the space. Leave it for a little while to populate a bit, then implement iptables, change the SSH port, or install and configure fail2ban.
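Solution 4 points at logrotate and Solution 5 truncates the file by hand; as an added example (not from either answer), this is the logrotate stanza that keeps /var/log/btmp bounded permanently. It matches the stanza Debian ships in /etc/logrotate.conf; if your distribution already has one there, adjust it rather than adding a duplicate, since logrotate refuses to rotate the same path twice.

```conf
# /etc/logrotate.d/btmp (added example). Rotates the failed-login log monthly,
# keeps one old copy, and recreates the file with the ownership and mode
# that login/sshd expect so new failures keep being recorded.
/var/log/btmp {
    missingok
    monthly
    create 0660 root utmp
    rotate 1
}
```

Test it without waiting a month with `logrotate -d /etc/logrotate.d/btmp` (dry run) or force a rotation with `logrotate -f /etc/logrotate.d/btmp`; afterwards `lastb` reads the fresh file and the previous month is in /var/log/btmp.1.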