Why /var/log/btmp may be using up a lot of space in your /var

September 18, 2006

When I was looking around the /var on my Fedora Core 5 scratch machine to see where all the disk space was being used as part of the last entry, I was startled to discover that /var/log/btmp was a 100M file (and by far the largest thing in /var/log). This was a surprise to me, because I had never heard of the file before.

It turns out that btmp is used to record bad logins (some of you are already wincing), just like /var/log/wtmp records good ones. My scratch machine is on the Internet, with an unscreened SSH daemon, and thus just like everyone else sees a constant flux of brute force ssh login attempts. Nothing seems to age /var/log/btmp, so it has been busily accumulating a pile of entries every day since the machine was first brought up on April 28th.

(If you are curious, the lastb command will read and dump the file. Or you can just use 'last -f /var/log/btmp'. You'll want to pipe it through the pager of your choice.)

Somewhat to my displeasure, btmp records even login attempts to nonexistent user names. Logging nonexistent usernames is a moderate security exposure, because people do occasionally accidentally enter their password as their username; if you log unknown user names, you're sooner or later going to have a plaintext log of someone's password.

Removing /var/log/btmp will apparently shut the whole thing down. In this day and age, I suspect that there's no particular point in logging bad logins on any machine on the Internet, unless you are interested in generating some statistics; the noise is likely to overwhelm any possible signal.

Written on 18 September 2006.
« My current view of Linux system filesystem sizes
One of the reasons I dislike SELinux »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Mon Sep 18 14:49:15 2006
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.