After discovering a 6GB /var/log/btmp file accumulating over 3 years, it's clear this is a common symptom of SSH brute force attacks. While securing sshd (e.g., changing ports, fail2ban) reduces future entries, the existing bloated binary log requires technical handling.
The proper approach involves using logrotate or direct truncation while maintaining file integrity:
# Method 1: Using logrotate (recommended for ongoing management)
# Create /etc/logrotate.d/btmp with:
/var/log/btmp {
monthly
rotate 1
missingok
notifempty
create 0600 root utmp
compress
}
For immediate cleanup while preserving recent data:
# Method 2: Manual rotation
sudo mv /var/log/btmp /var/log/btmp.old
sudo touch /var/log/btmp
sudo chmod 600 /var/log/btmp
sudo chown root:utmp /var/log/btmp
# Optional: Export the last 30 days from the rotated file as text (lastb's since-time is written "-30days"; -f reads the moved copy, and root is needed for the 0600 file)
sudo lastb -f /var/log/btmp.old --time-format iso -s -30days > last_month_attempts.txt
After rotation, verify functionality:
sudo lastb | head -10 # Should show recent attempts
ls -lh /var/log/btmp* # Check new file size
For persistent monitoring, consider these additions to /etc/ssh/sshd_config:
# Limit attempts per connection and close idle unauthenticated sessions sooner (fewer btmp entries per connection)
MaxAuthTries 3
LoginGraceTime 1m
PermitRootLogin no
For forensic analysis of old logs before rotation:
# Install utmpdump if needed (it is part of util-linux, usually already present)
sudo apt install util-linux # Debian/Ubuntu
sudo yum install util-linux # RHEL/CentOS
# Convert binary to readable format, dropping entries from private-range sources (grep needs -E for the | alternation; the IP field is printed in brackets)
sudo utmpdump /var/log/btmp.old | grep -Ev '192\.168\.|\[10\.' > cleaned_attempts.log
The /var/log/btmp file is a binary log that records all failed login attempts on a Linux system. When this grows to 6GB (as in your case), it typically indicates:
- Prolonged brute-force attack attempts (common on internet-facing servers)
- Lack of proper log rotation configuration
- Accumulation over years without maintenance
Since btmp is a binary format (not plain text), we need specialized tools to handle it:
# Method 1: Using logrotate (recommended)
sudo nano /etc/logrotate.conf
Add this configuration:
/var/log/btmp {
monthly
rotate 6
compress
delaycompress
missingok
notifempty
create 0600 root utmp
}
Then force immediate rotation:
sudo logrotate -vf /etc/logrotate.conf
For immediate reduction without waiting for rotation:
# Option 1: Complete reset (empties file completely)
sudo cp /dev/null /var/log/btmp
# Option 2: Keep recent entries (last 30 days as a text report; most recent records in the binary file)
sudo lastb -s -30days > recent_failures.txt # lastb's since-time is "-30days"; its text output cannot be loaded back into btmp
# utmpdump -r converts its own text dump back to the binary format, so round-trip the newest records (adjust the count to taste)
sudo utmpdump /var/log/btmp | tail -n 100000 | utmpdump -r | sudo tee /var/log/btmp.new >/dev/null
sudo mv /var/log/btmp.new /var/log/btmp
sudo chmod 600 /var/log/btmp && sudo chown root:utmp /var/log/btmp
To prevent future log bloat:
# 1. Harden SSH (as you've done):
sudo nano /etc/ssh/sshd_config
# Change Port from 22
# Set PermitRootLogin no
# Use AllowUsers to restrict access
# 2. Install fail2ban:
sudo apt install fail2ban
sudo systemctl enable fail2ban
After cleaning, verify the new log size and set up monitoring:
ls -lh /var/log/btmp*
du -sh /var/log/btmp*
Consider adding this to your monitoring system (Nagios, Zabbix, etc.):
#!/bin/bash
# Nagios-style check: exit 2 (CRITICAL) above the threshold, otherwise report OK with exit 0
BTMP_SIZE=$(du -m /var/log/btmp | awk '{print $1}')
if [ "$BTMP_SIZE" -gt 100 ]; then
echo "CRITICAL: btmp log size $BTMP_SIZE MB"
exit 2
fi
echo "OK: btmp log size $BTMP_SIZE MB"
exit 0
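Both answers above rely on lastb and utmpdump because btmp is binary, and the second one wants to keep only the last 30 days of records in the file. The following is an added example, not code from either answer: a small Python reader for the btmp record layout that summarises attempts per source address and trims the file to records newer than a cutoff while keeping the binary format lastb expects. It assumes the 384-byte x86_64 glibc utmp layout (32-bit time fields) of the host that wrote the file; the sample records are constructed in the script, so it runs offline.

```python
import socket
import struct
from collections import Counter

# Layout of one btmp/utmp record as written by glibc on x86_64: 384 bytes, little-endian,
# 32-bit ut_session and ut_tv fields. Assumption: the file was written on such a host.
UTMP_STRUCT = struct.Struct("<hxxi32s4s32s256shhiii4i20x")
assert UTMP_STRUCT.size == 384
LOGIN_PROCESS = 6  # ut_type carried by failed-login records in btmp (utmpdump shows it as "[6]")


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width char array."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def pack_record(user: str, host: str, ip: str, ts: int, pid: int = 1000) -> bytes:
    """Build one constructed btmp record (test data only; not read from a real file)."""
    addr = struct.unpack("<i", socket.inet_aton(ip))[0]  # IPv4 lives in ut_addr_v6[0]
    return UTMP_STRUCT.pack(LOGIN_PROCESS, pid, b"ssh:notty", b"", user.encode(),
                            host.encode(), 0, 0, 0, ts, 0, addr, 0, 0, 0)


def parse_btmp(data: bytes):
    """Yield one dict per complete record; a trailing partial record is ignored."""
    size = UTMP_STRUCT.size
    for off in range(0, len(data) - size + 1, size):
        (ut_type, pid, line, _id, user, host, _term, _exit, _sess,
         tv_sec, _tv_usec, a0, _a1, _a2, _a3) = UTMP_STRUCT.unpack_from(data, off)
        yield {
            "type": ut_type, "pid": pid, "line": _cstr(line), "user": _cstr(user),
            "host": _cstr(host), "ip": socket.inet_ntoa(struct.pack("<i", a0)),
            "time": tv_sec,
        }


def top_sources(data: bytes, n: int = 5):
    """Count failed attempts per source address (the usual first question about a bloated btmp)."""
    return Counter(r["ip"] for r in parse_btmp(data)).most_common(n)


def keep_since(data: bytes, cutoff: int) -> bytes:
    """Return only records with ut_tv.tv_sec >= cutoff, still in binary btmp layout.
    Unlike a lastb text export, this output can be written back to /var/log/btmp."""
    size = UTMP_STRUCT.size
    return b"".join(data[off:off + size]
                    for off in range(0, len(data) - size + 1, size)
                    if UTMP_STRUCT.unpack_from(data, off)[9] >= cutoff)


# Constructed sample: five failed attempts from two documentation-range addresses.
NOW = 1_700_000_000  # fixed "now" so the results are reproducible
DAY = 86_400
SAMPLE = b"".join([
    pack_record("root", "203.0.113.7", "203.0.113.7", NOW - 100 * DAY),   # older than 30 days
    pack_record("admin", "203.0.113.7", "203.0.113.7", NOW - 40 * DAY),   # older than 30 days
    pack_record("root", "198.51.100.9", "198.51.100.9", NOW - 10 * DAY),  # recent
    pack_record("oracle", "203.0.113.7", "203.0.113.7", NOW - 2 * DAY),   # recent
    pack_record("pi", "198.51.100.9", "198.51.100.9", NOW - DAY),         # recent
])


def demo():
    recent = keep_since(SAMPLE, NOW - 30 * DAY)
    return {
        "total": sum(1 for _ in parse_btmp(SAMPLE)),
        "kept": len(recent) // UTMP_STRUCT.size,
        "top": top_sources(SAMPLE, 2),
    }


if __name__ == "__main__":
    # On a real host (as root): data = open("/var/log/btmp", "rb").read()
    # and write keep_since(data, cutoff) to a new 0600 root:utmp file before moving it into place.
    print(demo())
```

The trimming step works on whole records rather than dates parsed from utmpdump text, so it does not depend on the utmpdump timestamp format of a particular util-linux version; the only assumption is the record layout, which you can confirm by checking that the file size is a multiple of 384.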