wtmps and btmps growing too fast - how to disable it or filter messages

SOLVED
Mahesh Alexander
Frequent Advisor

Hi all,

Our wtmps and btmps files are increasing too fast and all the time we are purging those with (cat /dev/null > wtmps).

Can we somehow configure or choose what kind of messages are saved here or eliminate all FTP sessions to be logged in these files?

Thank you.
3 REPLIES
Steven E. Protter
Exalted Contributor
Solution

Re: wtmps and btmps growing too fast - how to disable it or filter messages

Shalom,

Don't disable it. I once failed a security audit with that trick.

Write a simple script and run it periodically with cron.

cp /var/adm/syslog/btmp /nfs/btmp
> /var/adm/syslog/btmp

Same thing for wtmp.

Modify the script to give unique names.

You want to keep 90 days' worth of these files around, perhaps more depending on your SOX requirements.

SEP
hpuxconulting in yahoo messenger. Ping me.
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
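
The archive-then-truncate approach from the reply above, written out as an added example (not Steven's script and not part of HP-UX): it gives each archive a unique name, verifies the copy before truncating, and prunes archives past the 90-day retention. The function name, the archive directory and the paths in the usage comment are assumptions; pass the locations your system uses.

```shell
#!/bin/sh
# Added example: archive-then-truncate rotation for login accounting files.
# Usage: rotate_login_log <source_file> <archive_dir> [keep_days]
rotate_login_log() {
    src=$1
    dest_dir=$2
    keep_days=${3:-90}            # retention suggested in the reply above
    base=$(basename "$src")

    [ -f "$src" ] || { echo "skip: $src not found" >&2; return 0; }
    [ -s "$src" ] || return 0     # empty file: nothing to archive

    mkdir -p "$dest_dir" || return 1

    # Unique name per host and run, so archives on a shared mount never collide.
    archive="$dest_dir/$base.$(uname -n).$(date -u +%Y%m%dT%H%M%SZ)"
    if [ -e "$archive" ]; then
        echo "refusing to overwrite $archive" >&2
        return 1
    fi

    cp -p "$src" "$archive" || return 1
    # Failed-login records can contain passwords typed at the login prompt.
    chmod 600 "$archive" || return 1

    # Truncate only if the copy is byte-identical. If records arrived during
    # the copy, drop the partial archive and let the next cron run retry.
    if cmp -s "$src" "$archive"; then
        : > "$src"                # truncate in place: same inode, same mode
    else
        rm -f "$archive"
        echo "retry later: $src changed during copy" >&2
        return 1
    fi

    # Prune archives of this file older than the retention period.
    find "$dest_dir" -type f -name "$base.*" -mtime +"$keep_days" -exec rm -f {} \;
    return 0
}

# Run from cron with explicit arguments, for example (paths are assumptions):
#   rotate_login_log /var/adm/btmps /nfs/login-archive 90
if [ "$#" -ge 2 ]; then
    rotate_login_log "$@"
fi
```

A record written in the instant between the comparison and the truncation is still lost, so run this when login activity is low.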
Dennis Handly
Acclaimed Contributor

Re: wtmps and btmps growing too fast - how to disable it or filter messages

>Our wtmps and btmps files are increasing

Did you really mean it when you said btmps? If this is the case, you have more problems than just disk space.
Bill Hassell
Honored Contributor

Re: wtmps and btmps growing too fast - how to disable it or filter messages

btmps is a log of failed login attempts. If it is growing rapidly, you have a very serious problem. Someone or some system is trying to log in and is constantly failing. This may be a stupid process on another system that does not report the failed login attempt or it may be a hacker's laptop over in the corner that is trying millions of passwords to gain access.

If there is a system that is clobbering your ftp server with bad logins, use /var/adm/inetd.sec to deny any access by the bad system.


Bill Hassell, sysadmin