HPE Community
Operating System - HP-UX
1827056 Members
4577 Online
109713 Solutions
New Discussion

wtmps and btmps growing too fast - how to disable it or filter messages

 
SOLVED
Go to solution
Mahesh Alexander
Frequent Advisor

‎09-01-2009 01:54 AM

‎09-01-2009 01:54 AM

wtmps and btmps growing too fast - how to disable it or filter messages

Hi all,

Our wtmps and btmps files are increasing too fast and all the time we are purging those with (cat /dev/null > wtmps).

Can we somehow configure or choose what kind of messages are saved here or eliminate all FTP sessions to be logged in these files?

Thank you.
0 Kudos
Reply
3 REPLIES 3
Steven E. Protter
Exalted Contributor

‎09-01-2009 02:02 AM

‎09-01-2009 02:02 AM

Solution

Re: wtmps and btmps growing too fast - how to disable it or filter messages

Shalom,

Don't disable it. I once failed a security audit with that trick.

Write a simple script and run it periodically with cron.

cp /var/adm/syslog/btmp /nfs/btmp
> /var/adm/syslog/btmp

Same thing for wtmp.

Modify the script to give unique names.

You want to keep 90 days worth of these files around, perhaps more depending on your SOX requirements.

SEP
hpuxconulting in yahoo messenger. Ping me.
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Reply
Dennis Handly
Acclaimed Contributor

‎09-01-2009 11:31 AM

‎09-01-2009 11:31 AM

Re: wtmps and btmps growing too fast - how to disable it or filter messages

>Our wtmps and btmps files are increasing

Did you really mean it when you said btmps? If this is the case, you have more problems than just disk space.
0 Kudos
Reply
Bill Hassell
Honored Contributor

‎09-01-2009 07:37 PM

‎09-01-2009 07:37 PM

Re: wtmps and btmps growing too fast - how to disable it or filter messages

btmps is a log of failed login attempts. If it is growing rapidly, you have a very serious problem. Someone or some system is trying to login and is constantly failing. This may be a stupid process on another system that does not report the failed login attmpet or it may be a hacker's laptop over in the corner that is trying millions of passwords to gain access.

If there is a system that is clobbering your ftp server with bad logins, use /var/adm/inetd.sec to deny any access by the bad system.


Bill Hassell, sysadmin
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.