How to Read /var/log/btmp, Rotate the btmp Log With Logrotate

How to Read /var/log/btmp, Rotate the btmp Log With Logrotate

The btmp log keeps track of failed login attempts. I have seen on a default linux setup with logrotate configured where the btmp log is left out of rotation and eventually grows out of hand. So first you want to make sure that the btmp log is rotated using logrotate with the below information.
Log Location:/var/log/btmp, /var/log/wtmp To rotate the btmp log add the below to the logrotate.conf file located in the /etc directory. 

Addition to logrotate.conf for btmp:

/var/log/btmp {
monthly
minsize 1M
create 0600 root utmp
rotate 1
}

You can change the amount of archived files you keep by modifying the number after rotate. Make sure that the “create 0600 root utmp” statement is in this configuration as the btmp file can be used by crackers to gain access to your server. One of the more common mistakes when logging into a server is typing the password instead of the username so crackers could possibly gain access by reading the btmp log file.
If you want to read the list of failed login attempts to look for patterns to help make your server more secure then use the command below.
How to Read btmp Log:

last -f /var/log/btmp

This will provide an output like the below.

Example btmp Entries:

test2 ssh:notty 202.69.197.99 Sun Sep 20 16:45 – 16:45 unsecured cash loan (00:00)
test2 ssh:notty 202.69.197.99 Sun Sep 20 16:45 – 16:45 (00:00)
test1 ssh:notty 202.69.197.99 unsecured bad credit installment loans Sun Sep 20 16:45 – 16:45 (00:00)
test1 ssh:notty 202.69.197.99 Sun Sep 20 16:45 – 16:45 (00:00)
test ssh:notty 202.69.197.99 Sun Sep 20 16:45 – 16:45 (00:00)

to keep the file there and clear its contents.

echo “” > /var/log/btmp

 

or simply just use lastb

lastb

Then spice barclays bridging loan it up a little bit …

Show the top 10 IPs with failed logins (first column is failed # of tries, then 2nd column is the IP)
lastb lilly cialis | awk '{print $3}' | sort | uniq housing loan comparison -c | sort -rn | head -10

Show the top 10 usernames with failed logins
lastb | awk '{print $1}' | sort | uniq -c | sort -rn | head -10