How to Clear and Delete Last Logged In Users and Bad Login Attempts Log (wtmp and btmp) December 28, 2010

Posted by Tournas Dimitrios in Linux.

On Linux and Unix operating systems, the “last” command displays the history of users who last logged in (and out), and the “lastb” command displays all bad login attempts. The login history is logged to the wtmp file, while failed login attempts are stored in the btmp file; both files are usually located in the /var/log directory.

Logging to wtmp and btmp is continuous, so both files can potentially grow very large. This is especially true of btmp, which records failed or bad login attempts: if the administrator does not disable FTP or SSH password authentication and the server is attacked with brute-force break-in attempts, every wrong user name or incorrect password is logged to btmp.

In addition, an administrator may want to clear the login history once in a while, or a system that is running low on (or almost out of) disk space on /var may need to purge wtmp and btmp to reclaim some space.

In any case, the proper way to clear and reset the wtmp and btmp files is to redirect empty input into the file, overwriting and replacing all existing content. The command has the following syntax:

cat /dev/null > /var/log/wtmp

or, on some systems, simply:

> /var/log/wtmp

Note: Change the path and file name (e.g. btmp) accordingly.

The above commands remove the content of the btmp or wtmp file, allowing new information to be logged afresh. The file itself is not deleted and is left intact, which matters because btmp and wtmp are not recreated when they are not found: the system only logs information into these files if they are present.

Tip: If you have already deleted the wtmp or btmp file, simply re-create it with the touch command and assign the proper permissions and ownership (-rw-rw-r-- root utmp for wtmp, or -rw------- root utmp for btmp); otherwise the error “Excess permission or bad ownership on file /var/log/btmp or /var/log/wtmp” may occur.
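The re-create step and the permission check from the tip above, as an added example (not code from the original post): it re-creates a missing log file without ever truncating an existing one, then audits mode, owner and group against the values the article gives (0664 root:utmp for wtmp, 0600 root:utmp for btmp), reporting any excess permission bits separately because that is the direction that exposes btmp contents. The function names, the EXPECTED table and the self_check helper are this example's own; self_check runs against a scratch file owned by the current user so the logic can be exercised without root.

```python
import os
import stat
import grp
import pwd

# Expected mode and ownership for the two files, as given in the article:
# wtmp is -rw-rw-r-- root utmp (0664), btmp is -rw------- root utmp (0600).
EXPECTED = {
    "/var/log/wtmp": (0o664, "root", "utmp"),
    "/var/log/btmp": (0o600, "root", "utmp"),
}


def _resolve_uid(owner):
    """Accept a user name or a numeric uid."""
    return owner if isinstance(owner, int) else pwd.getpwnam(owner).pw_uid


def _resolve_gid(group):
    """Accept a group name or a numeric gid."""
    return group if isinstance(group, int) else grp.getgrnam(group).gr_gid


def ensure_log_file(path, mode):
    """Re-create a missing wtmp/btmp file with the given mode (the 'touch' step).

    O_EXCL guarantees an existing file is never truncated, and chmod is applied
    explicitly because the process umask may have masked bits off the mode
    passed to open(). Returns True if the file was created, False if it existed.
    """
    if os.path.exists(path):
        return False
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    os.close(fd)
    os.chmod(path, mode)
    return True


def audit_log_file(path, mode, owner, group):
    """Return a list of findings; an empty list means the file is as expected."""
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        # Missing is a real finding: nothing is logged until the file exists.
        return ["missing: %s will not be written until it is re-created" % path]
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
    actual_mode = stat.S_IMODE(st.st_mode)
    if actual_mode != mode:
        findings.append("mode is %04o, expected %04o" % (actual_mode, mode))
    # Excess permission is the dangerous direction (e.g. a world-readable btmp),
    # so any bit set beyond the expected mode is reported on its own.
    if actual_mode & ~mode:
        findings.append("excess permission bits %04o" % (actual_mode & ~mode))
    if st.st_uid != _resolve_uid(owner):
        findings.append("owner uid is %d, expected %s" % (st.st_uid, owner))
    if st.st_gid != _resolve_gid(group):
        findings.append("group gid is %d, expected %s" % (st.st_gid, group))
    return findings


def audit_all(expected=EXPECTED):
    """Audit every file in the EXPECTED table (needs to run on the real host)."""
    return {path: audit_log_file(path, *spec) for path, spec in expected.items()}


def self_check(directory=None):
    """Exercise the audit on a scratch file owned by the current user (no root needed)."""
    import tempfile
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "btmp")
    uid, gid = os.getuid(), os.getgid()
    before = audit_log_file(path, 0o600, uid, gid)       # file does not exist yet
    created = ensure_log_file(path, 0o600)               # the 'touch' step
    created_again = ensure_log_file(path, 0o600)         # must not touch an existing file
    after = audit_log_file(path, 0o600, uid, gid)        # clean state
    os.chmod(path, 0o644)                                # simulate the excess-permission mistake
    loose = audit_log_file(path, 0o600, uid, gid)
    return {"before": before, "created": created, "created_again": created_again,
            "after": after, "loose": loose, "size": os.path.getsize(path)}


if __name__ == "__main__":
    for path, findings in audit_all().items():
        print(path, "OK" if not findings else "; ".join(findings))
```

Run as root on the server to audit the real files; `self_check()` demonstrates the same checks on a temporary file and shows what a world-readable btmp looks like to the audit.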

Note that there may also be files named wtmp.1, wtmp.2, wtmp.3, wtmp.4, btmp.1, btmp.2, btmp.3 and btmp.4; these are the rotated backup archives and can be safely removed.

Logrotating the wtmp file:

Although by default the /var/log/wtmp file is reset each month, it can be configured to retain its information for more than one month. This is configured through the logrotate.conf file. To rotate the btmp log, add the block below to the logrotate.conf file located in the /etc directory.

Addition to logrotate.conf for btmp:

/var/log/btmp {
monthly
minsize 1M
create 0600 root utmp
rotate 4
}

You can change the number of archived files you keep by modifying the number after rotate. Make sure that the “create 0600 root utmp” statement is in this configuration, as the btmp file can otherwise be used by crackers to gain access to your server: one of the more common mistakes when logging into a server is typing the password instead of the username, so crackers could possibly gain access by reading the btmp log file.

If you want to read the list of failed login attempts to look for patterns that can help make your server more secure, use the command below.

How to Read btmp Log:

last -f /var/log/btmp
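To look for the patterns the previous paragraph mentions without depending on the output format of last, the records can be parsed directly. The following is an added example, not code from the original post: it decodes btmp/wtmp records assuming glibc's struct utmp layout on x86_64 Linux (384 bytes, little-endian; other platforms differ), counts failed attempts per source address and per target user name, and lists user names that match no real account, which is exactly where a mistyped password would show up and why the article insists on 0600. The sample records are constructed here with the example's own make_record helper and use RFC 5737 documentation addresses; read_log(path) applies the same parser to a real /var/log/btmp.

```python
import socket
import struct
from collections import Counter
from datetime import datetime, timezone

# Layout of glibc's struct utmp on x86_64 Linux (384 bytes, little-endian):
# ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit (2 shorts), ut_session, ut_tv (2 ints), ut_addr_v6[4], 20 unused.
# This is an assumption about the platform; 32-bit or non-glibc systems differ.
UTMP_FORMAT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FORMAT)  # 384
LOGIN_PROCESS = 6  # ut_type login(1) uses for the records it writes to btmp


def _cstr(raw):
    """Decode a NUL-padded C string field."""
    return raw.split(b"\x00", 1)[0].decode("utf-8", errors="replace")


def parse_utmp_records(data):
    """Parse raw wtmp/btmp bytes into a list of dicts.

    A trailing partial record (a file truncated mid-write, or a '> /var/log/btmp'
    reset racing a logger) is ignored rather than raising.
    """
    records = []
    usable = len(data) - len(data) % UTMP_SIZE
    for off in range(0, usable, UTMP_SIZE):
        fields = struct.unpack_from(UTMP_FORMAT, data, off)
        ut_type, pid, line, ident, user, host = fields[:6]
        sec = fields[9]
        addr = fields[11:15]
        if addr[1:] == (0, 0, 0):
            ip = socket.inet_ntoa(struct.pack("<i", addr[0]))  # IPv4 lives in ut_addr_v6[0]
        else:
            ip = socket.inet_ntop(socket.AF_INET6, struct.pack("<4i", *addr))
        records.append({
            "type": ut_type, "pid": pid, "line": _cstr(line), "id": _cstr(ident),
            "user": _cstr(user), "host": _cstr(host), "ip": ip,
            "time": datetime.fromtimestamp(sec, tz=timezone.utc).isoformat(),
        })
    return records


def read_log(path):
    """Parse a real file, e.g. /var/log/btmp (reading btmp requires root)."""
    with open(path, "rb") as fh:
        return parse_utmp_records(fh.read())


def summarize_failed_logins(records):
    """Count attempts per source address and per target user name."""
    return {
        "total": len(records),
        "by_ip": Counter(r["ip"] for r in records),
        "by_user": Counter(r["user"] for r in records),
    }


def unknown_usernames(records, known_users):
    """User names in btmp that are not real accounts: likely passwords typed at the login prompt."""
    return sorted({r["user"] for r in records} - set(known_users))


def make_record(user, host, sec, line="ssh:notty", pid=1000, ut_type=LOGIN_PROCESS):
    """Build one constructed btmp record (test data, not captured from a real system)."""
    ip_int = struct.unpack("<i", socket.inet_aton(host))[0]
    return struct.pack(UTMP_FORMAT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, sec, 0, ip_int, 0, 0, 0)


# Constructed sample: three attempts from one documentation address (RFC 5737)
# plus one name that is not an account, all dated 2010-12-28 00:00 UTC.
SAMPLE_BTMP = b"".join([
    make_record("root", "203.0.113.5", 1293494400),
    make_record("admin", "203.0.113.5", 1293494460),
    make_record("root", "203.0.113.5", 1293494520),
    make_record("n0tAnAccount", "198.51.100.7", 1293494580),
])

if __name__ == "__main__":
    recs = parse_utmp_records(SAMPLE_BTMP)
    print(summarize_failed_logins(recs))
    print(unknown_usernames(recs, {"root", "admin"}))
```

On a real host, replace the sample with `read_log("/var/log/btmp")` and pass the account names from /etc/passwd to `unknown_usernames`; a high count for one address in `by_ip` is the brute-force pattern the article describes, and anything returned by `unknown_usernames` is a reminder that btmp must stay root-only.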

Comments

1. mayur - March 26, 2014

How to delete a single line from wtmp?

tournasdimitrios1 - March 26, 2014

As you might imagine, these files aren’t writable by ordinary users (they belong to root:utmp). Traditionally, the getty was responsible for maintaining wtmp|btmp, but these days these files are PAM protected by means of /lib/security/pam_lastlog.so (which also maintains a whole range of other files). The /etc/pam.d/ directory contains the PAM configuration files for each PAM-aware application. Each PAM-aware application or service has a file in the /etc/pam.d/ directory. Each file in this directory has the same name as the service to which it controls access.
I haven’t done this, but technically speaking, you can go to /etc/pam.d and comment out the pam_lastlog.so line wherever it appears in there, as appropriate.

Of course, if you’re the computer’s superuser, you can also replace last and lastlog with a wrapper script that does something like “last.orig | fgrep -v some_user”. But that’s another story and out of the scope of this article.
Thanks for your visit and comment.
