/var/log/btmp may be using up a lot of space in your
When I was looking around the
/var on my Fedora Core 5 scratch
machine to see where all the disk space was being used as part of
the last entry, I was startled to discover
/var/log/btmp was a 100M file (and by far the largest thing in
/var/log). This was a surprise to me, because I had never heard of the
It turns out that
btmp is used to record bad logins (some of you
are already wincing), just like
/var/log/wtmp records good ones. My
scratch machine is on the Internet, with an unscreened SSH daemon,
and thus just like everyone else sees a constant flux of brute
force ssh login attempts. Nothing seems to age
/var/log/btmp, so it has been busily accumulating a pile of entries
every day since the machine was first brought up on April 28th.
(If you are curious, the
lastb command will read and dump the file.
Or you can just use '
last -f /var/log/btmp'. You'll want to pipe it
through the pager of your choice.)
Somewhat to my displeasure,
btmp records even login attempts to
nonexistent user names. Logging nonexistent usernames is a moderate
security exposure, because people do occasionally accidentally enter
their password as their username; if you log unknown user names, you're
sooner or later going to have a plaintext log of someone's password.
/var/log/btmp will apparently shut the whole thing down.
In this day and age, I suspect that there's no particular point in
logging bad logins on any machine on the Internet, unless you are
interested in generating some statistics; the noise is likely to
overwhelm any possible signal.