How to Read /var/log/btmp, Rotate the btmp Log With Logrotate
Posted by alex in Insights at 9:53 PM

The btmp log keeps track of failed login attempts. I have seen default Linux setups where logrotate is configured but the btmp log is left out of rotation, so it eventually grows out of hand. The first thing to do is make sure the btmp log is rotated by logrotate using the information below.
Log Location: /var/log/btmp
To rotate the btmp log add the below to the logrotate.conf file located in the /etc directory.
Addition to logrotate.conf for btmp:
/var/log/btmp {
monthly
minsize 1M
create 0600 root utmp
rotate 1
}
You can change the number of archived files you keep by modifying the number after rotate. Make sure that the "create 0600 root utmp" statement is in this configuration, because the btmp file can be used by crackers to gain access to your server: one of the more common mistakes when logging into a server is typing the password into the username prompt, so anyone able to read the btmp log could pick up valid passwords from it.
If you want to read the list of failed login attempts to look for patterns that help make your server more secure, use the command below.
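Because btmp can hold passwords that were typed into the username prompt, the restrictive mode matters for the rotated copies as well as the live file. The following script is an added example, not part of the original post: it audits /var/log/btmp and any rotated copies (btmp.1, btmp-YYYYMMDD and so on) and reports any that are not mode 0600 and owned by root:utmp. It relies only on `ls -ld`, so it works on GNU and BSD userlands; the directory, owner and group arguments are there so it can be exercised on a scratch directory as an unprivileged user.

```shell
#!/bin/sh
# Added example (not from the original post): audit btmp permissions.
# Every copy of btmp should be -rw------- root utmp; anything looser lets
# other local users read failed-login records, which may contain passwords.

# Print "MODE OWNER GROUP" for one file, e.g. "-rw------- root utmp".
# The mode is cut to 10 characters to drop the ACL/SELinux marker that
# some systems append to the first ls column ("-rw-------." or "@").
file_perms() {
    ls -ld "$1" | awk '{ print substr($1, 1, 10), $3, $4 }'
}

# Return 0 when the file is exactly mode 0600 with the expected owner and
# group (defaults root and utmp), 1 otherwise. Prints a one-line verdict.
check_btmp_perms() {
    f="$1"; want_owner="${2:-root}"; want_group="${3:-utmp}"
    if [ ! -e "$f" ]; then
        echo "MISSING $f"
        return 1
    fi
    perms="$(file_perms "$f")"
    if [ "$perms" = "-rw------- $want_owner $want_group" ]; then
        echo "OK $f"
        return 0
    fi
    echo "BAD $f ($perms)"
    return 1
}

# Audit the live log plus every rotated copy in a log directory
# (default /var/log). Returns 1 if any file is missing or too open.
audit_btmp() {
    dir="${1:-/var/log}"; rc=0
    check_btmp_perms "$dir/btmp" "$2" "$3" || rc=1
    for f in "$dir"/btmp.* "$dir"/btmp-*; do
        [ -e "$f" ] || continue      # unmatched glob pattern, skip it
        check_btmp_perms "$f" "$2" "$3" || rc=1
    done
    return $rc
}
```

Run `audit_btmp` with no arguments on a real server (as root, so that all copies are readable by `ls`); a non-zero exit status means at least one copy needs `chmod 0600` and `chown root:utmp`.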
How to Read btmp Log:
last -f /var/log/btmp
This will produce output like the below.
Example btmp Entries:
berrie ssh:notty 121.130.202.148 Thu Jul 2 06:02 - 06:02 (00:00)
berrie ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:02 (00:00)
berri ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
berri ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
berni ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
berni ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
brenice ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
brenice ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
berni ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
berni ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
bernhard ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
bernhard ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
bernardo ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
bernardo ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
bernardi ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
bernardi ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
bernard ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
bernard ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
bernadin ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
bernadin ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
bernadin ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
bernadin ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
bernadet ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
bernadet ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
bernaden ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
bernaden ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
berna ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
berna ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
berget ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
As you can see, the 121.130.202.148 address is running some type of brute force attack against this server in an attempt to gain access. You could now add this IP address to your iptables or other firewall rules to defend against such an attack.
Thanks. my btmp has filled up my server.
Need to do some emergency delete of that file.
* Is it ok just to delete it?
I suspect not.
If not, is there a Linux command that says:
# "empty the file's contents but do not delete it"
Also it would be handy to be able to simply block access from the IP that is doing the attempts. I feel like a sitting duck watching the same IP trying each variation of passwords on my mail accounts.
Can i set something somewhere that says “If IP address xyz attempts to connect in anyway to this machine …say no”
[Reply]
alex Reply:
October 27th, 2009 at 2:50 PM
Hello anon,
You can set it up to rotate the file, then run logrotate immediately, and then delete the rotated file. I would suggest rotating it out first and then deleting the rotated file.
Hope that helps.
Thanks.
alex
[Reply]
Noticed the same thing on my server, looks like contents are not so clear though. Wonder what the differences between btmp and secure are.
@anon, you can probably do an:
echo "" > /var/log/btmp
to keep the file there and clear the contents.
Blocking brute force IPs is probably a good idea; there is a nice Python daemon that automatically does this, parsing /var/log/secure, called denyhosts.
[Reply]
alex Reply:
October 27th, 2009 at 2:51 PM
Hello Justin,
Great. Thanks for the extra info.
Thanks.
alex
[Reply]
Great article, very informative.
Thank You
[Reply]
alex Reply:
February 15th, 2011 at 7:21 PM
Hello Aditya,
No problem. Thanks for taking the time to leave feedback.
Thanks.
alex
[Reply]
just a note you can also use the lastb command in lieu of last, which assumes the btmp log file
so
lastb
is the equivalent to
last -f /var/log/btmp
[Reply]
alex Reply:
April 5th, 2011 at 2:00 AM
Hello jalama,
Thanks for taking the time to note that!
Thanks.
alex
[Reply]
NP
One of my staff whipped this together to get a count by IP address; it's slightly flawed (we're okay at shell commands but not masters) but effective.
sudo last -f /var/log/btmp | sed 's/^[A-Za-z0-9]* *[A-Za-z:]* *\([A-Za-z0-9\.]*\) .*$/\1/'|sort|uniq -c|sort -k 1,1 -r
[Reply]
alex Reply:
April 5th, 2011 at 11:12 AM
Hello jalama,
Cool. I checked it out and it worked without issue. Anyone else using the above command from jalama you may need to change the quotes as they show up different sometimes when displayed in a browser.
Thanks again for providing!
Thanks.
alex
[Reply]
I used the following
last -f btmp | awk '{print $3}' | sort | uniq -c | sort -n
Just a little cleaner since the output of last is fixed.
[Reply]
alex Reply:
May 30th, 2011 at 2:06 PM
Hello Ryan,
Thanks for taking the time to share!
Thanks.
alex
[Reply]
Hi Alex, my server gets attacked on a regular basis. Once a week the server falls over and the btmp file goes into the gigabyte range ;-(
Thanks to this I have got it rotated.
I’m so green when it comes to Linux.
I know I have IP Tables installed so next step is to learn it. Is there a quick and dirty tutorial? I simply want to turn it on, add some of these IP address and sigh with relief.
I have a virtual server with a Plesk control panel.
Thanks for setting this page up.
Graham
[Reply]
alex Reply:
August 10th, 2011 at 1:38 PM
Hello Graham,
To minimize the traffic to the SSH port you could simply change the port that SSH is listening on. This will minimize brute force attempts and cut the size of the log files. As for iptables, I am not sure of a tutorial right off, though I am sure they are out there. Just make sure when it is implemented that you test every portion of your server that needs to be accessed remotely, as it is easy to accidentally shut down a needed service without realizing it.
Thanks.
alex
[Reply]
Graham Reply:
August 11th, 2011 at 5:08 AM
Hi Alex. Thanks for replying
If I did this is there any potential of locking myself out of the server?
I use putty to access the server so is all I have to do is change the port on the server and in putty?
Will anything else be affected by this port change?
Thanks,
Graham
[Reply]
Graham Reply:
August 11th, 2011 at 7:14 AM
For instance, I also use WinSCP (SFTP client). Would this be affected?
Also, it appears there are 2 ways to change the port.
1) Edit the file /etc/ssh/sshd_config and change the line "#Port 22" to whatever port I desire
2) Create a file in /etc/xinetd.d/sshd and populate with following…
service ssh
{
disable = no
socket_type = stream
type = UNLISTED
port = 22
protocol = tcp
wait = no
user = root
server = /usr/sbin/sshd
server_args = -i
}
Sorry I’m so new to Linux.
Which one would be best and would restarting the server after implementing one of these methods be enough to initialize the new port number?
Thanks for your help.
Graham
[Reply]
Graham Reply:
August 18th, 2011 at 9:01 AM
OK, I did it, and it worked.
I edited file /etc/ssh/sshd_config and changed the port number and restarted the server.
Bingo.
Hopefully no more brute force attacks.
[Reply]
alex Reply:
August 26th, 2011 at 6:51 PM
Hello Graham,
Good to hear! Thanks for taking the time to follow up and let us know it was successful.
Thanks.
alex
Anders Reply:
January 21st, 2012 at 1:26 PM
Don't reboot, since if anything is wrong you might not be able to get in again; just restart sshd and try it out by setting up a new session while still keeping your old session.
/etc/init.d/sshd reload
–
I wrote this one line script a long time ago, called firewall
/sbin/iptables -A INPUT -p tcp -s $1 -j REJECT --reject-with tcp-reset
so I run it like this, quick and easy:
firewall 218.25.54.20
I rarely use it now, because I use CPANEL brute force protection that does it automatically.
But that IP up there has tried to connect 41,000 times since the log rolled over, so he’s permanently blocked now.
[Reply]
Use fail2ban to automatically add bad ssh clients to your IPTables. Highly configurable and purges old entries automatically.
I also run denyhosts to proactively block bad clients on the internet. Uses a centralized list that you can upload your contribution to improve. It uses /etc/hosts.deny instead of IPTables.
Belt and suspenders.
[Reply]
alex Reply:
March 9th, 2012 at 4:30 PM
Hello LinuxNinja,
Did you used to hang out on Dalnet in #linuxpeople? If so this is dakykilla from back then…
Thanks.
alex
[Reply]