The btmp log keeps track of failed login attempts. I have seen default Linux setups with logrotate configured where the btmp log is left out of rotation and eventually grows out of hand, so the first thing to do is make sure the btmp log is rotated by logrotate using the information below.
Log Location: /var/log/btmp, /var/log/wtmp
To rotate the btmp log, add the block below to the logrotate.conf file located in the /etc directory.
Addition to logrotate.conf for btmp:
/var/log/btmp {
monthly
minsize 1M
create 0600 root utmp
rotate 1
}
You can change the number of archived files you keep by modifying the number after rotate. Make sure that the “create 0600 root utmp” statement stays in this configuration, because the btmp file can be used by crackers to gain access to your server: one of the more common mistakes when logging into a server is typing the password where the username belongs, so a password can end up recorded as a failed username in the btmp log, readable by anyone who can open the file.
If you want to read the list of failed login attempts, to look for patterns that help make your server more secure, use the command below.
How to Read btmp Log:
This will produce output like the following.
Example btmp Entries:
stive ssh:notty 133.130.202.148 Thu Jul 5 06:02 - 06:02 (00:00)
evo ssh:notty 133.130.202.148 Thu Jul 5 06:01 - 06:02 (00:00)
admin ssh:notty 133.130.202.148 Thu Jul 5 06:01 - 06:01 (00:00)
evren ssh:notty 133.130.202.148 Thu Jul 5 06:01 - 06:01 (00:00)
usta ssh:notty 133.130.202.148 Thu Jul 5 06:01 - 06:01 (00:00)
sakki ssh:notty 133.130.202.148 Thu Jul 5 06:01 - 06:01 (00:00)
user ssh:notty 133.130.202.148 Thu Jul 5 06:01 - 06:01 (00:00)
kanis ssh:notty 133.130.202.148 Thu Jul 5 06:01 - 06:01 (00:00)
As you can see, the 133.130.202.148 address is running some type of brute force attack against this server in an attempt to gain access. You could now add this IP address to your iptables or other firewall rules to defend against such an attack.
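Spotting a pattern like that by eye gets hard once btmp holds thousands of entries. The script below is an added example, not part of the original post: it reduces lastb-style output to a count of failed SSH logins per source address so the noisiest sources stand out. The sample entries it contains are constructed for the example; the brute_force_sources function and the threshold argument are assumptions of this example, not part of any tool.

```shell
#!/bin/sh
# Constructed sample of lastb output (not captured from a real host).
# Two remote sources plus one console failure and the usual trailer line.
sample_btmp() {
    cat <<'EOF'
stive    ssh:notty    133.130.202.148  Thu Jul  5 06:02 - 06:02  (00:00)
evo      ssh:notty    133.130.202.148  Thu Jul  5 06:01 - 06:02  (00:00)
admin    ssh:notty    133.130.202.148  Thu Jul  5 06:01 - 06:01  (00:00)
evren    ssh:notty    133.130.202.148  Thu Jul  5 06:01 - 06:01  (00:00)
usta     ssh:notty    133.130.202.148  Thu Jul  5 06:01 - 06:01  (00:00)
sakki    ssh:notty    133.130.202.148  Thu Jul  5 06:01 - 06:01  (00:00)
user     ssh:notty    133.130.202.148  Thu Jul  5 06:01 - 06:01  (00:00)
root     ssh:notty    203.0.113.9      Thu Jul  5 05:40 - 05:40  (00:00)
root     ssh:notty    203.0.113.9      Thu Jul  5 05:41 - 05:41  (00:00)
bob      tty1                          Thu Jul  5 05:10 - 05:10  (00:00)

btmp begins Sun Jul  1 00:00:01 2018
EOF
}

# Count failed SSH logins per source address from lastb output on stdin
# and print "count address" for every address with at least $1 failures,
# busiest first. Only records whose terminal is ssh:* are counted, so
# console failures (which have no remote-host column, shifting the
# fields) and the "btmp begins" trailer are skipped rather than miscounted.
brute_force_sources() {
    threshold="$1"
    awk -v t="$threshold" '
        $2 ~ /^ssh:/ { n[$3]++ }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
    ' | sort -rn
}

# On a live host read the real btmp instead of the sample; -i makes lastb
# print the address rather than a reverse-resolved hostname:
#   lastb -i | brute_force_sources 5
sample_btmp | brute_force_sources 3
```

The addresses the script reports are the ones worth reviewing for a firewall rule; the threshold keeps a single mistyped password from a legitimate user off the list.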