== Why _/var/log/btmp_ may be using up a lot of space in your _/var_

When I was looking around the _/var_ on my Fedora Core 5 scratch machine to see where all the disk space was being used as part of [[the last entry SystemFilesystemSizes]], I was startled to discover that _/var/log/btmp_ was a 100M file (and by far the largest thing in _/var/log_). This was a surprise to me, because I had never heard of the file before.

It turns out that _btmp_ is used to record bad logins (some of you are already wincing), just like _/var/log/wtmp_ records good ones. My scratch machine is on the Internet, with an unscreened SSH daemon, and thus just like everyone else sees a constant flux of [[brute force ssh login attempts StoppingSshScanning]]. Nothing seems to age _/var/log/btmp_, so it has been busily accumulating a pile of entries every day since the machine was first brought up on April 28th.

(If you are curious, the _lastb_ command will read and dump the file. Or you can just use '_last -f /var/log/btmp_'. You'll want to pipe it through the pager of your choice.)

Somewhat to my displeasure, _btmp_ records even login attempts to nonexistent user names. Logging nonexistent usernames is a moderate security exposure, because people do occasionally accidentally enter their password as their username; if you log unknown user names, you're sooner or later going to have a plaintext log of someone's password.

Removing _/var/log/btmp_ will apparently shut the whole thing down. In this day and age, I suspect that there's no particular point in logging bad logins on any machine on the Internet, unless you are interested in generating some statistics; the noise is likely to overwhelm any possible signal.
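
For the statistics case mentioned above, here is an added example (not from the original post) that parses _btmp_ records and counts attempts per source host and per day without ever printing the attempted usernames. It assumes glibc's 384-byte struct utmp layout on little-endian Linux; the helper names and the sample records are constructed for illustration.

```python
import struct
import time
from collections import Counter

# Assumed layout: glibc's struct utmp on little-endian Linux (384 bytes).
# ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# exit status (2 shorts), ut_session, tv_sec, tv_usec, ut_addr_v6[4], unused[20]
UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20s")

def _text(raw):
    """utmp strings are NUL-padded and may fill the whole field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_btmp(data):
    """Yield (user, line, host, epoch_seconds) for each complete record."""
    usable = len(data) - len(data) % UTMP.size  # skip a truncated tail
    for off in range(0, usable, UTMP.size):
        f = UTMP.unpack_from(data, off)
        yield _text(f[4]), _text(f[2]), _text(f[5]), f[9]

def summarize(data):
    """Count attempts per host and per UTC day; usernames are never echoed."""
    per_host, per_day, users = Counter(), Counter(), set()
    for user, _line, host, ts in parse_btmp(data):
        per_host[host or "(no host)"] += 1
        per_day[time.strftime("%Y-%m-%d", time.gmtime(ts))] += 1
        users.add(user)  # kept only to count distinct names
    return {"records": sum(per_host.values()), "distinct_users": len(users),
            "per_host": per_host, "per_day": per_day}

def make_record(user, host, ts, line="ssh:notty"):
    """Build one constructed record (ut_type 6 = LOGIN_PROCESS)."""
    return UTMP.pack(6, 0, line.encode(), b"", user.encode(), host.encode(),
                     0, 0, 0, ts, 0, 0, 0, 0, 0, b"")

# Constructed sample: three attempts plus 10 stray bytes of a partial write.
# The third "username" stands in for a password typed at the login prompt.
SAMPLE = (make_record("root", "192.0.2.10", 1146182400)
          + make_record("admin", "192.0.2.10", 1146182460)
          + make_record("hunter2", "198.51.100.7", 1146268800)
          + b"\0" * 10)

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

To run it on a real machine, pass the contents of _/var/log/btmp_, read in binary mode, to summarize() in place of SAMPLE.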