The btmp log keeps track of failed login attempts. I have seen default Linux setups with logrotate configured where the btmp log is left out of rotation and eventually grows out of hand. So the first thing to do is make sure the btmp log is rotated by logrotate, using the configuration below.
Log Location: /var/log/btmp
To rotate the btmp log, add the following to the logrotate.conf file located in the /etc directory.
Addition to logrotate.conf for btmp:
    /var/log/btmp {
        monthly
        minsize 1M
        create 0600 root utmp
        rotate 1
    }
You can change the number of archived files you keep by modifying the number after rotate. Make sure the "create 0600 root utmp" line stays in this configuration, because the btmp file can be used by crackers to gain access to your server: one of the more common mistakes when logging into a server is typing the password where the username belongs, so a cracker who can read the btmp log may find passwords in it.
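The create line only sets the mode of the file logrotate creates after a rotation; the btmp file already on disk keeps whatever mode it has now. The following shell functions are an added example (not code from the original article) that check the live file against the 0600 root:utmp setting and show the logrotate dry-run flag for confirming the stanza is read. GNU stat's -c format is assumed, as on typical Linux systems, and the function names btmp_mode_ok, btmp_owner_ok and report_btmp are chosen here.

```shell
#!/bin/sh
# Added example, not from the original article. The logrotate "create 0600 root utmp"
# line only sets the mode of the file logrotate creates after rotating; the btmp
# file already on disk keeps its current mode. These functions check the live file.
# GNU stat (-c format) is assumed, as on typical Linux systems; function names are
# chosen here, not taken from any tool.

# btmp_mode_ok [FILE]: return 0 if FILE (default /var/log/btmp) is mode 0600.
btmp_mode_ok() {
    file="${1:-/var/log/btmp}"
    mode="$(stat -c '%a' "$file" 2>/dev/null)" || return 1
    [ "$mode" = "600" ]
}

# btmp_owner_ok [FILE]: return 0 if FILE is owned by root with group utmp.
btmp_owner_ok() {
    file="${1:-/var/log/btmp}"
    owner="$(stat -c '%U:%G' "$file" 2>/dev/null)" || return 1
    [ "$owner" = "root:utmp" ]
}

# report_btmp [FILE]: print a verdict and, when something is off, the commands
# that bring the file in line with the logrotate create line.
report_btmp() {
    file="${1:-/var/log/btmp}"
    if btmp_mode_ok "$file" && btmp_owner_ok "$file"; then
        echo "OK: $file is 0600 root:utmp"
    else
        echo "FIX: $file is '$(stat -c '%a %U:%G' "$file" 2>/dev/null)', expected '600 root:utmp'"
        echo "     run: chown root:utmp $file && chmod 0600 $file"
    fi
}

# Confirm logrotate actually reads the btmp stanza: -d is logrotate's debug
# (dry-run) flag, which prints the planned actions without rotating anything.
#   logrotate -d /etc/logrotate.conf 2>&1 | grep -A 5 '/var/log/btmp'

report_btmp "${1:-/var/log/btmp}"
```

Run it as root (or with sudo) so stat can read the file; a FIX line means the existing file is more permissive than the new one logrotate will create, and the printed chown/chmod pair closes that gap immediately rather than at the next monthly rotation.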
If you want to read the list of failed login attempts and look for patterns that help make your server more secure, use the command below.
How to Read btmp Log:
    last -f /var/log/btmp
This will provide an output like the below.
Example btmp Entries:
    berrie ssh:notty 121.130.202.148 Thu Jul 2 06:02 - 06:02 (00:00)
    berrie ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:02 (00:00)
    berri ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
    berri ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
    berni ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
    berni ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
    brenice ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
    brenice ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
    berni ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
    berni ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
    bernhard ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
    bernhard ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
    bernardo ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
    bernardo ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
    bernardi ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
    bernardi ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
    bernard ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
    bernard ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
    bernadin ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
    bernadin ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
    bernadin ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
    bernadin ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
    bernadet ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
    bernadet ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
    bernaden ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
    bernaden ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
    berna ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
    berna ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
    berget ssh:notty 121.130.202.148 Thu Jul 2 06:01 - 06:01 (00:00)
As you can see, the 121.130.202.148 address is running some type of brute force attack against this server in an attempt to gain access. You could now add this IP address to iptables or another firewall to defend against such an attack.
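Reading the list by eye works for a short log; for a large one, the pattern-finding the article describes is a count of failures per source address. The shell functions below are an added example (not code from the original article) that parse `last -f /var/log/btmp` or `lastb` output, count failures per address, flag addresses over a threshold, and print the iptables rules for review rather than running them. The sample input is constructed to match the entries above, with 203.0.113.7 (a documentation-range address) added as a second source and the trailer line `last` prints at the end of its output; the function names count_by_ip, flag_over_threshold and block_rules are chosen here.

```shell
#!/bin/sh
# Added example, not from the original article: summarise last/lastb output per
# source address, flag addresses over a threshold, and print (not run) the
# iptables rules that would block them.

# Constructed sample of `last -f /var/log/btmp` output, modelled on the article's
# entries, including the blank line and "btmp begins" trailer that last appends.
SAMPLE_BTMP='berrie   ssh:notty    121.130.202.148  Thu Jul  2 06:02 - 06:02  (00:00)
berri    ssh:notty    121.130.202.148  Thu Jul  2 06:01 - 06:01  (00:00)
berni    ssh:notty    121.130.202.148  Thu Jul  2 06:01 - 06:01  (00:00)
root     ssh:notty    203.0.113.7      Thu Jul  2 05:40 - 05:40  (00:00)

btmp begins Wed Jul  1 00:00:01 2009'

# count_by_ip: read last/lastb output on stdin and print "<count> <ip>",
# highest count first. Only lines whose third field looks like an IPv4
# address are counted, which skips the blank line, the "btmp begins" trailer
# and console logins that carry no remote host. Run last with -i so it
# prints addresses rather than resolved hostnames.
count_by_ip() {
    awk '$3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $3 }' \
        | sort | uniq -c | sort -k1,1nr \
        | awk '{ print $1, $2 }'
}

# flag_over_threshold N: read "<count> <ip>" lines and print the IPs whose
# count is at least N.
flag_over_threshold() {
    awk -v t="$1" '$1 >= t { print $2 }'
}

# block_rules: read IPs on stdin and print the iptables command that rejects
# each one. Printed for review; feed the output to sh only after checking the
# list does not contain your own address or a legitimate client.
block_rules() {
    while read -r ip; do
        if [ -n "$ip" ]; then
            echo "/sbin/iptables -A INPUT -p tcp -s $ip -j REJECT --reject-with tcp-reset"
        fi
    done
}

# Example run against the constructed sample with a threshold of 3 failures.
# On a live system replace the first command with: last -i -f /var/log/btmp
printf '%s\n' "$SAMPLE_BTMP" | count_by_ip | flag_over_threshold 3 | block_rules
```

The threshold is the knob to tune: a handful of failures from one address is a user mistyping, while dozens in a minute from the same address is the pattern shown in the entries above. Keep the rule output under review before applying it, since `last` without `-i` may print hostnames that the IPv4 filter will silently drop.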
Thanks. My btmp has filled up my server.
Need to do some emergency delete of that file.
Is it OK just to delete it?
I suspect not.
If not, is there a Linux command that says:
# "empty the file's contents but do not delete it"
Also, it would be handy to be able to simply block access from the IP that is doing the attempts. I feel like a sitting duck watching the same IP trying each variation of passwords on my mail accounts.
Can I set something somewhere that says "If IP address xyz attempts to connect in any way to this machine ... say no"?
Hello anon,
You can set it up to rotate the file, then run logrotate immediately, and then delete the rotated file. I would suggest rotating it out first and then deleting the rotated file.
Hope that helps.
Thanks.
alex
Noticed the same thing on my server, looks like contents are not so clear though. Wonder what the differences between btmp and secure are.
@anon, you can probably do an:
echo "" > /var/log/btmp
to keep the file there and clear the contents.
Blocking brute force IPs is probably a good idea; there is a nice Python daemon that automatically does this, parsing /var/log/secure, called denyhosts.
Hello Justin,
Great. Thanks for the extra info.
Thanks.
alex
Great article, very informative.
Thank You
Hello Aditya,
No problem. Thanks for taking the time to leave feedback.
Thanks.
alex
Just a note: you can also use the lastb command in lieu of last, which assumes the btmp log file,
so
lastb
is the equivalent to
last -f /var/log/btmp
Hello jalama,
Thanks for taking the time to note that!
Thanks.
alex
NP
One of my staff whipped this together to get a count by IP address; it's slightly flawed (we're okay at shell commands but not masters) but effective.
sudo last -f /var/log/btmp | sed 's/^[A-Za-z0-9]* *[A-Za-z:]* *\([A-Za-z0-9\.]*\) .*$/\1/' | sort | uniq -c | sort -k 1,1 -r
Hello jalama,
Cool. I checked it out and it worked without issue. Anyone else using the above command from jalama: you may need to change the quotes, as they sometimes display differently in a browser.
Thanks again for providing!
Thanks.
alex
I used the following
last -f btmp | awk '{print $3}' | sort | uniq -c | sort -n
Just a little cleaner since the output of last is fixed.
Hello Ryan,
Thanks for taking the time to share!
Thanks.
alex
Hi Alex, my server gets attacked on a regular basis. Once a week the server falls over and the btmp file goes into the gigabyte range ;-(
Thanks to this I have got it rotated.
I’m so green when it comes to Linux.
I know I have iptables installed, so the next step is to learn it. Is there a quick and dirty tutorial? I simply want to turn it on, add some of these IP addresses and sigh with relief.
I have a virtual server with a Plesk control panel.
Thanks for setting this page up.
Graham
Hello Graham,
To minimize the traffic to the SSH port you could simply change the port that SSH is listening on. This will minimize brute force attempts and cut the size of the log files. As for iptables, I am not sure of a tutorial right off, though I am sure they are out there. Just make sure when it is implemented that you test every portion of your server that needs to be accessed remotely, as it is easy to accidentally shut down a needed service without realizing it.
Thanks.
alex
Hi Alex. Thanks for replying.
If I did this, is there any potential of locking myself out of the server?
I use PuTTY to access the server, so is all I have to do to change the port on the server and in PuTTY?
Will anything else be affected by this port change?
Thanks,
Graham
For instance, I also use WinSCP (SFTP client). Would this be affected?
Also, it appears there are 2 ways to change the port.
1) Edit the file /etc/ssh/sshd_config and change the line "#Port 22" to whatever port I desire
2) Create a file in /etc/xinetd.d/sshd and populate it with the following…
    service ssh
    {
        disable = no
        socket_type = stream
        type = UNLISTED
        port = 22
        protocol = tcp
        wait = no
        user = root
        server = /usr/sbin/sshd
        server_args = -i
    }
Sorry I’m so new to Linux.
Which one would be best and would restarting the server after implementing one of these methods be enough to initialize the new port number?
Thanks for your help.
Graham
OK, I did it, and it worked.
I edited file /etc/ssh/sshd_config and changed the port number and restarted the server.
Bingo.
Hopefully no more brute force attacks.
Hello Graham,
Good to hear! Thanks for taking the time to follow up and let us know it was successful.
Thanks.
alex
Don't reboot, since if anything is wrong you might not be able to get in again; just restart sshd and try it out by setting up a new session while still keeping your old session open.
/etc/init.d/sshd reload
—
I wrote this one line script a long time ago, called firewall
/sbin/iptables -A INPUT -p tcp -s $1 -j REJECT --reject-with tcp-reset
so I run it like this – quick and easy
firewall 218.25.XXX.20
I rarely use it now, because I use CPANEL brute force protection that does it automatically.
But that IP up there has tried to connect 41,000 times since the log rolled over, so he’s permanently blocked now.
Hello Alan,
Good deal, thanks for taking the time to share.
Thanks.
alex
Use fail2ban to automatically add bad ssh clients to your IPTables. Highly configurable and purges old entries automatically.
I also run denyhosts to proactively block bad clients on the internet. Uses a centralized list that you can upload your contribution to improve. It uses /etc/hosts.deny instead of IPTables.
Belt and suspenders.
Hello LinuxNinja,
Did you used to hang out on Dalnet in #linuxpeople? If so this is dakykilla from back then…
Thanks.
alex
I’m interested what Alan’s line of code does. (couple of posts above)
Can any one explain what this line does?
/sbin/iptables -A INPUT -p tcp -s $1 -j REJECT --reject-with tcp-reset
Hi Karel, Alan's line is just an easy script to add an IP address that he wishes to block to the INPUT chain of iptables (so you need iptables running). So, with it, the IP address used with the script will have all of its traffic rejected.
Amazing stuff… helped me in my semester exam preparation. Thanks!!