Log Location: /var/log/btmp, /var/log/wtmp
To rotate the btmp log, add the below to the logrotate.conf file located in the /etc directory.
Addition to logrotate.conf for btmp:
create 0600 root utmp
You can change the number of archived files you keep by modifying the number after rotate. Make sure that the “create 0600 root utmp” statement is in this configuration, so that each newly created btmp file is readable and writable only by root, as the btmp file can be used by crackers to gain access to your server. One of the more common mistakes when logging into a server is typing the password instead of the username, which records the password in the log as a username, so crackers could possibly gain access by reading the btmp log file.
If you want to read the list of failed login attempts to look for patterns to help make your server more secure then use the command below.
How to Read btmp Log:
last -f /var/log/btmp
This will provide an output like the below.
Example btmp Entries:
test2 ssh:notty 184.108.40.206 Sun Sep 20 16:45 - 16:45 (00:00)
test2 ssh:notty 220.127.116.11 Sun Sep 20 16:45 - 16:45 (00:00)
test1 ssh:notty 18.104.22.168 Sun Sep 20 16:45 - 16:45 (00:00)
test1 ssh:notty 22.214.171.124 Sun Sep 20 16:45 - 16:45 (00:00)
test ssh:notty 126.96.36.199 Sun Sep 20 16:45 - 16:45 (00:00)
To keep the file there and clear its contents, truncate it to zero length:
: > /var/log/btmp
To read the failed logins, you can also simply use lastb, which reads /var/log/btmp by default.
Then spice it up a little bit …
Show the top 10 IPs with failed logins (the first column is the number of failed tries, the second column is the IP):
lastb | awk '{print $3}' | sort | uniq -c | sort -rn | head -10
Show the top 10 usernames with failed logins:
lastb | awk '{print $1}' | sort | uniq -c | sort -rn | head -10
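A more careful version of the two pipelines above, as an added example that is not from the original page: it skips the blank line and "btmp begins" footer that lastb prints, groups console failures that have no host under "(local)", and counts distinct usernames per source, so one address cycling through many usernames stands out. The function name failed_by_source and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): summarise failed logins per source.
# Reads lastb-style text on stdin and prints "<failures> <distinct users> <source>",
# most failures first. Optional argument: number of rows to show (default 10).
failed_by_source() {
    awk '
        NF < 3 { next }                          # blank or malformed line
        $1 == "btmp" && $2 == "begins" { next }  # footer printed by lastb
        {
            src = $3
            # Console failures record no host, so field 3 is the weekday column.
            if (src ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) src = "(local)"
            fails[src]++
            if (!((src, $1) in seen)) { seen[src, $1] = 1; users[src]++ }
        }
        END { for (s in fails) print fails[s], users[s], s }
    ' | sort -k1,1nr -k3,3 | head -n "${1:-10}"
}

# Constructed sample input (documentation address ranges), in lastb layout.
SAMPLE='admin    ssh:notty    203.0.113.7      Sun Sep 20 16:47 - 16:47  (00:00)
root     ssh:notty    203.0.113.7      Sun Sep 20 16:46 - 16:46  (00:00)
test     ssh:notty    203.0.113.7      Sun Sep 20 16:45 - 16:45  (00:00)
test     ssh:notty    198.51.100.23    Sun Sep 20 16:45 - 16:45  (00:00)
test     ssh:notty    198.51.100.23    Sun Sep 20 16:44 - 16:44  (00:00)
root     tty1                          Sun Sep 20 16:40 - 16:40  (00:00)

btmp begins Sun Sep 20 16:40:02 2009'

# On a server, run as root:  lastb | failed_by_source
printf '%s\n' "$SAMPLE" | failed_by_source
```

With the plain awk '{print $3}' pipeline, the console failure and the footer line would both be counted under "Sun" as if it were an address.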