Why /var/log/btmp may be using up a lot of space in your /var
When I was looking around the /var on my Fedora Core 5 scratch machine to see where all the disk space was being used as part of the last entry, I was startled to discover that /var/log/btmp was a 100M file (and by far the largest thing in /var/log). This was a surprise to me, because I had never heard of the file before.
It turns out that btmp is used to record bad logins (some of you are already wincing), just like /var/log/wtmp records good ones. My scratch machine is on the Internet, with an unscreened SSH daemon, and thus just like everyone else sees a constant flux of brute force ssh login attempts. Nothing seems to age /var/log/btmp, so it has been busily accumulating a pile of entries every day since the machine was first brought up on April 28th.

(If you are curious, the lastb command will read and dump the file. Or you can just use 'last -f /var/log/btmp'. You'll want to pipe it through the pager of your choice.)
Somewhat to my displeasure, btmp records even login attempts to nonexistent user names. Logging nonexistent usernames is a moderate security exposure, because people do occasionally accidentally enter their password as their username; if you log unknown user names, you're sooner or later going to have a plaintext log of someone's password.
Removing /var/log/btmp will apparently shut the whole thing down (the login programs append to btmp only if it already exists; they don't create it).
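If you would rather look at what is in btmp than just delete it, the file is in the same binary format as wtmp (glibc's struct utmp, one fixed-size record per entry), so it is easy to parse directly. The script below is an added example, not code from the original post or from Fedora; it assumes the x86_64/i386 glibc record layout (384 bytes), and the btmp records it runs on by default are constructed inline rather than taken from a real file. It counts attempts per host and per user, and, addressing the exposure above, flags any "username" that could never have been a valid account name (using useradd's default portable-name rule as a heuristic) so that a report built from btmp does not itself print someone's mistyped password.

```python
"""Read a btmp/wtmp-format file and flag usernames that look like passwords.

Added example, not code from the original post or from Fedora; it assumes the
x86_64/i386 glibc layout of struct utmp (384 bytes per record). The sample
records at the bottom are constructed, not taken from a real btmp.
"""
import re
import struct
from collections import Counter

# glibc struct utmp, little-endian, with the only alignment gap being the two
# bytes after ut_type: short ut_type; int ut_pid; char ut_line[32];
# char ut_id[4]; char ut_user[32]; char ut_host[256]; short e_termination,
# e_exit; int32 ut_session; int32 tv_sec, tv_usec; int32 ut_addr_v6[4];
# char unused[20]
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384

# useradd's default rule for portable user names (lower case, digits, _ and -).
# Anything failing it was never a valid account here, so it is more likely a
# scanner's guess, a typo, or a password typed into the login prompt. Heuristic.
VALID_USER = re.compile(r"^[a-z_][a-z0-9_-]*\$?$")


def _cstr(field):
    """Decode a NUL-padded char array."""
    return field.split(b"\0", 1)[0].decode("latin-1")


def parse_utmp(data):
    """Yield one dict per record in raw btmp/wtmp bytes (ut_type is not interpreted)."""
    if len(data) % UTMP_SIZE:
        raise ValueError("length %d is not a multiple of %d" % (len(data), UTMP_SIZE))
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        yield {"type": f[0], "pid": f[1], "line": _cstr(f[2]),
               "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9]}


def summarize(data):
    """Count attempts per user and per host; collect names that fail VALID_USER."""
    per_user, per_host, suspicious = Counter(), Counter(), []
    total = 0
    for rec in parse_utmp(data):
        total += 1
        per_host[rec["host"]] += 1
        if VALID_USER.match(rec["user"]):
            per_user[rec["user"]] += 1
        else:
            suspicious.append(rec["user"])
    return {"total": total, "per_user": per_user,
            "per_host": per_host, "suspicious": suspicious}


def safe_report(data):
    """lastb-like lines, with non-username strings masked so the report itself
    cannot leak a password that was typed as a user name."""
    lines = []
    for rec in parse_utmp(data):
        user = rec["user"] if VALID_USER.match(rec["user"]) else "<not-a-username>"
        lines.append("%-16s %-12s %-20s %d" % (user, rec["line"], rec["host"], rec["time"]))
    return lines


def make_record(user, host, tv_sec, line="ssh:notty", ut_type=7, pid=1234):
    """Build one record; used here only to construct sample input."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"",
                       user.encode(), host.encode(),
                       0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


# Constructed sample: a brute-forcer guessing common names from two hosts, plus
# one person who typed their password at the user name prompt.
SAMPLE_BTMP = b"".join([
    make_record("root", "192.0.2.10", 1146200000),
    make_record("root", "192.0.2.10", 1146200001),
    make_record("admin", "192.0.2.10", 1146200002),
    make_record("oracle", "198.51.100.7", 1146200100),
    make_record("Hunter2!", "203.0.113.5", 1146200200),
    make_record("test", "198.51.100.7", 1146200300),
])

if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BTMP
    s = summarize(raw)
    print("records:", s["total"])
    print("top hosts:", s["per_host"].most_common(3))
    print("top users:", s["per_user"].most_common(3))
    print("names that are not valid usernames:", len(s["suspicious"]))
    print("\n".join(safe_report(raw)))
```

Run it as 'python btmpstat.py /var/log/btmp' (as root, since btmp is normally mode 0600) to get the same picture lastb would give, minus the plaintext passwords. If you want to keep the file but bound its size instead of removing it, note that whatever rotates it has to recreate an empty file afterwards (logrotate's create directive does this), because the login programs will not recreate btmp themselves.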
In this day and age, I suspect that there's no particular point in logging bad logins on any machine on the Internet, unless you are interested in generating some statistics; the noise is likely to overwhelm any possible signal.