How to Manage and Rotate Large /var/log/btmp Files on Linux Servers



The /var/log/btmp file is a binary log file that records all failed login attempts on a Linux system. This includes:

  • Failed SSH login attempts
  • Failed console login attempts
  • Failed su/sudo attempts

When you see a 1.3GB btmp file, it typically indicates:

1. Your server is exposed to the internet
2. You're experiencing brute force attacks
3. Log rotation isn't properly configured

To view the contents (requires root):

# lastb -a | head -20
# lastb --limit 50
# lastb | wc -l   # Count failed attempts (btmp is binary, so wc -l on the file itself is meaningless; subtract the trailing blank line and the "btmp begins" line)

You can safely delete or rotate the file:

# Rotate logs (preferred method)
sudo logrotate -f /etc/logrotate.conf

# Immediate cleanup (if needed)
sudo cp /dev/null /var/log/btmp
# Or
sudo truncate -s 0 /var/log/btmp

Edit /etc/logrotate.conf to add the following (first check whether your distribution already ships a btmp stanza there; logrotate refuses to run when the same log appears twice, so adjust the existing stanza instead of adding a duplicate):

/var/log/btmp {
    missingok
    monthly
    create 0600 root utmp
    rotate 1
    compress
}

To cut down the number of failed attempts that land in btmp in the first place:

  • Install fail2ban: sudo apt install fail2ban
  • Configure SSH to use key authentication only
  • Change default SSH port

Create a cron job to monitor btmp growth:

#!/bin/bash
# Alert when /var/log/btmp exceeds 500 MB; run from root's crontab (btmp is mode 0600)
BTMP_SIZE=$(du -m /var/log/btmp | awk '{print $1}')
if [ "$BTMP_SIZE" -gt 500 ]; then
    echo "Warning: btmp size is ${BTMP_SIZE}MB" | mail -s "BTMP Alert" admin@example.com
fi

The /var/log/btmp file records all failed login attempts on your Linux system. When this file grows excessively large (like your 1.3GB case), it can:

  • Consume valuable disk space
  • Slow down authentication-related processes
  • Make log analysis more difficult

A rapidly growing btmp file is usually the result of automated brute-force attempts. Look at who is responsible before clearing the evidence:

# Check recent failed attempts
lastb -a | head -20

# Count failed attempts by source host
# (-a moves the host to the last column and -w prints it in full; the NF test
#  skips console failures with no host and the "btmp begins" trailer, which
#  would shift the fields if you used '{print $3}')
lastb -aw | awk 'NF >= 10 {print $NF}' | sort | uniq -c | sort -nr

This might reveal brute force attacks. Before cleaning the file, consider analyzing these patterns.
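The two counting commands above (counting attempts, and counting attempts per source) both work around the fact that btmp is not text: it is a sequence of fixed-size glibc `struct utmp` records, the same format `lastb` reads. The following is an added example, not code from the original article, that parses that layout directly and aggregates by user and by host without being thrown off by console records that carry no host. It assumes the glibc Linux record layout (384 bytes per record); the sample records embedded at the bottom are constructed, with addresses from the documentation ranges.

```python
"""Added example (not from the original article): read btmp records directly
and summarise failed logins, which is what the wc -l and lastb|awk commands
above are trying to do."""
import struct
import sys
from collections import Counter
from datetime import datetime, timezone

# Assumption: glibc's Linux struct utmp layout (384 bytes per record), the
# format lastb reads. Native byte order, explicit 2-byte pad after ut_type.
#   short ut_type; short pad; int ut_pid; char ut_line[32]; char ut_id[4];
#   char ut_user[32]; char ut_host[256]; short e_termination; short e_exit;
#   int ut_session; int tv_sec; int tv_usec; int ut_addr_v6[4]; char unused[20]
UTMP_FMT = "=hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded, fixed-width C string field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_btmp(data: bytes):
    """Yield one dict per populated record; a trailing partial record is ignored."""
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        fields = struct.unpack_from(UTMP_FMT, data, off)
        ut_type, pid, line, _id, user, host, _t, _e, _s, tv_sec = fields[:10]
        if tv_sec == 0 and not user.rstrip(b"\0"):
            continue  # zero-filled slack, not a real attempt
        yield {
            "type": ut_type,
            "pid": pid,
            "line": _cstr(line),               # e.g. "ssh:notty" or "tty1"
            "user": _cstr(user),
            "host": _cstr(host) or "(local)",  # console failures carry no host
            "time": datetime.fromtimestamp(tv_sec, tz=timezone.utc),
        }


def summarise(records):
    """Return (total, attempts per host, attempts per user)."""
    hosts, users, total = Counter(), Counter(), 0
    for rec in records:
        total += 1
        hosts[rec["host"]] += 1
        users[rec["user"]] += 1
    return total, hosts, users


def records_in(size_bytes: int) -> int:
    """How many records a btmp file of this size holds (the count wc -l cannot give)."""
    return size_bytes // UTMP_SIZE


def make_record(user, line, host, tv_sec, ut_type=6):
    """Build one constructed record for the sample below (6 = LOGIN_PROCESS)."""
    return struct.pack(UTMP_FMT, ut_type, 0, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


# Constructed sample: three attempts from one address, one from another,
# and one console failure with no remote host.
SAMPLE_BTMP = b"".join([
    make_record("root",   "ssh:notty", "192.0.2.10",   1_700_000_000),
    make_record("admin",  "ssh:notty", "192.0.2.10",   1_700_000_030),
    make_record("root",   "ssh:notty", "192.0.2.10",   1_700_000_060),
    make_record("oracle", "ssh:notty", "198.51.100.7", 1_700_000_090),
    make_record("root",   "tty1",      "",             1_700_000_120),
])


if __name__ == "__main__":
    # Pass a path (e.g. /var/log/btmp, as root) to analyse a real file;
    # with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BTMP
    total, hosts, users = summarise(parse_btmp(data))
    print(f"{total} failed attempts ({records_in(len(data))} records)")
    for host, n in hosts.most_common(10):
        print(f"{n:6d}  {host}")
    for user, n in users.most_common(5):
        print(f"{n:6d}  user {user}")
```

Because the record size is fixed, `records_in(stat_size)` gives the attempt count straight from the file size, which is how a 1.3GB btmp translates to roughly 3.4 million failed logins; the per-host counter is the same aggregation as the `lastb | ... | uniq -c` pipeline, and is what you would feed into a decision about blocking or alerting.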

Method 1: Manual rotation (immediate solution)

# Optional: btmp is written directly by login, sshd and PAM rather than by
# rsyslog, and the writers open it only while appending a record, so nothing
# has to be stopped for the rename below to be safe
sudo systemctl stop syslog.socket rsyslog.service

# Rotate the file
sudo mv /var/log/btmp /var/log/btmp.old
sudo touch /var/log/btmp
sudo chmod 600 /var/log/btmp
sudo chown root:utmp /var/log/btmp

# Restart services (only if you stopped them above)
sudo systemctl start syslog.socket rsyslog.service

Method 2: Configure logrotate (permanent solution)

Create /etc/logrotate.d/btmp (unless /etc/logrotate.conf already contains a btmp stanza, in which case edit that one; logrotate errors out on a duplicate log entry):

/var/log/btmp {
    missingok
    monthly
    create 0600 root utmp
    rotate 1
    compress
    delaycompress
}

For minimal downtime:

# Clear contents without deleting
sudo truncate -s 0 /var/log/btmp

Create a script to alert when btmp exceeds a threshold:

#!/bin/bash
# Alert (and optionally rotate) when /var/log/btmp exceeds MAX_SIZE bytes.
# Run as root: logrotate needs to recreate the file with owner root:utmp.
MAX_SIZE=100000000 # 100MB
BTMP_SIZE=$(stat -c%s "/var/log/btmp")

if [ "$BTMP_SIZE" -gt "$MAX_SIZE" ]; then
    echo "Warning: /var/log/btmp is too large ($BTMP_SIZE bytes)" | mail -s "BTMP Alert" admin@example.com
    # Auto-rotate if desired (reads only the btmp stanza, not the main config)
    /usr/sbin/logrotate -f /etc/logrotate.d/btmp
fi

Add it to the root crontab (sudo crontab -e) so it runs hourly:

0 * * * * /path/to/btmp_monitor.sh

Address the root cause of excessive failed logins:

# Install fail2ban
sudo apt install fail2ban

# Configure basic SSH protection
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

Set appropriate maxretry and bantime values for your SSH service.
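As an added example of what those settings look like (not from the original article), here is a jail.local that holds only overrides. fail2ban reads jail.conf first and jail.local on top of it, so a short override file is what the jail.conf header itself recommends rather than a full copy. The management network in `ignoreip` is an assumed address range; replace it with your own.

```ini
[DEFAULT]
# Ban for one hour after 5 failures seen within 10 minutes
bantime  = 1h
findtime = 10m
maxretry = 5
# Never ban localhost or the management network (192.0.2.0/24 is a placeholder)
ignoreip = 127.0.0.1/8 ::1 192.0.2.0/24

[sshd]
enabled = true
port    = ssh
# Repeat offenders get progressively longer bans (fail2ban 0.11 and later)
bantime.increment = true
```

After saving, apply it with `sudo systemctl restart fail2ban` and confirm the jail is running and banning with `sudo fail2ban-client status sshd`; the banned addresses it lists should match the top entries from the `lastb` per-host count, which is a quick way to verify the jail is reading the right log source.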