jump to navigation

How to Clear and Delete Last Logged In Users and Bad Login Attemps Log (wtmp and btmp) December 28, 2010

Posted by Tournas Dimitrios in Linux.

In Linux and Unix operating system, it’s possible to use “last” command to display and show the last logged in (and out) users history, and “lastb” command to show and display all the bad login attempts. The users’ login history is been logged and saved in wtmp file while faild login attempts is been stored in btmp file, both files usually located in /var/log directory.

The logging of information into wtmp and btmp is continuous, and can potentially make the wtmp and btmp files grow very to a very big size. The situation is especially true to btmp, which logs failed or bad login attemps to the system, if the administrator does not disable FTP or SSH password authentication, and the server is been attacked via brute-force breaking in attempts, where any wrong user name or incorrect password been logged to btmp.

In addition, administrator may also want to clear and erase the history of login history once in a while. Or, system that running low or almost running out of disk space on /var may want to purge and delete the wtmp and btmp to reclaim and save some disk space.

In any case, the proper way to clear and reset wtmp and btmp files is by piping a blank input to the file, overwriting and replace all existing content. The command that can be used has the syntax like below:

cat /dev/null > /var/log/wtmp

or, on some system, simply like below:

> /var/log/wtmp

Note: Change the path and file name (i.e. btmp) accordingly.

Above commands will remove, clear and empty the content of the btmp or wtmp files, allowing new information to be started logging afresh again. The file is not been deleted or erased, and is leaved intact, as the btmp and wtmp files will not be recreated when not found. The system only logs information into these files if they are present.

Tip: For people who has already deleted the wtmp and btmp files, just re-create the file by touch command, and assign a proper permissions to the file (-rw-rw-r– root utmp or -rw—— root utmp btmp), or else “Excess permission or bad ownership on file /var/log/btmp or /var/log/wtmp” may occur.

Note that there may be files named as wtmp.1, wtmp.2 wtmp.3, wtmp.4, btmp.1, btmp.2, btmp.3, btmp.4, which are the backup archives, and can be safely removed or deleted.

Logrotating the wtmp file :

Althrough by defauld the /var/log/wtmp file will be reset each month , it can be configured to maintain his information for more than one month . This can be configured through the logrotate.conf file . To rotate the btmp log add the below to the logrotate.conf file located in the /etc directory.

Addition to logrotate.conf for btmp:

/var/log/btmp {
minsize 1M
create 0600 root utmp
rotate 4

You can change the amount of archived files you keep by modifying the number after rotate. Make sure that the “create 0600 root utmp” statement is in this configuration as the btmp file can be used by crackers to gain access to your server. One of the more common mistakes when logging into a server is typing the password instead of the username so crackers could possibly gain access by reading the btmp log file.

If you want to read the list of failed login attempts to look for patterns to help make your server more secure then use the command below.

How to Read btmp Log:

last -f /var/log/btmp



1. mayur - March 26, 2014

how to delete single line from wtmp

tournasdimitrios1 - March 26, 2014

As you might imagine, these files aren’t writable by ordinary users (these belongs to root:utmp). Traditionally, the getty was responsible for maintaining wtmp|btmp, but these days , these files are PAM protected by means of /lib/security/pam_lastlog.so (which also maintains a whole range of of other files ) . The /etc/pam.d/ directory contains the PAM configuration files for each PAM-aware application . Each PAM-aware application or service has a file in the /etc/pam.d/ directory). Each file in this directory has the same name as the service to which it controls access.
Haven’t done this , but technically speaking , you can go to /etc/pam.d and comment out the pam_lastlog.so line from wherever it appears in there , as appropriate .

Of course, if you’re the computer’s superuser, you can also replace last and lastlog with a wrapper script that does something like “last.orig | fgrep -v some_user” . But that’s another story and out of the scope of this article .
Thanks for your visit and comment .

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s