On my 64-bit Debian systems, and my Ubuntu systems, as root, the command ‘lastb’ returns nothing. Lastb should print every failed login attempt to STDOUT; to do so, it reads the /var/log/btmp file. On inspection, that file is empty. This puzzles me, as I know that I have had failed logins before, so the file should contain those attempts. I only discovered this because a friend of mine running Red Hat Enterprise Server 5.1 was having the same problem, and Steve Dibb has also noticed it on his Gentoo system. This is disconcerting, as failed attempts, both local and remote, should be getting logged. Now, before we start coming up with solutions, let me tell you what I’ve attempted thus far:
First off, the file itself. If you run ‘lastb’ as root and get an error that the file is missing, create it as root with the touch command (and give it the same owner, group and mode shown below, so that only root and the utmp group can read it). On my system, however, the file already exists, and here are its permissions:
root@kratos:~# ls -l /var/log/btmp
-rw-rw---- 1 root utmp 0 Dec 18 16:18 /var/log/btmp
I intentionally removed the read bit from the ‘other’ mode set, as this file could be a haven for crackers: passwords that users mistype into the username prompt are recorded in it as usernames. Everything permission-wise looks in order. What further complicates the mystery is that /var/log/wtmp is logging successful attempts as it should be, and the ‘last’ command, when run as root, returns those results. Since wtmp and btmp are written by the same programs (login and sshd among them, rather than by a separate logging daemon), the fact that wtmp is being updated tells me that the code which records logins is in fact working. Why it writes only the successful attempts and not the failed ones is where the mystery lies.
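To see what lastb would print if btmp held anything, and to tell an empty file apart from a truncated or unreadable one, here is an added Python script that reads btmp records directly. It is my editorial example, not code from the original post. It assumes the glibc struct utmp layout used on 64-bit Linux (384-byte little-endian records, as on Debian and Ubuntu x86_64), and the three sample records it embeds are constructed: the usernames, hosts, PIDs and timestamps are made up. It also shows, with the "hunter2" record, exactly why the file must not be world-readable.

```python
"""Read /var/log/btmp the way lastb(1) does, and report what it holds.

Added example for this post, not the author's code. It assumes the glibc
struct utmp record layout for 64-bit Linux (384 bytes, little-endian),
which is what /var/log/btmp and /var/log/wtmp use on Debian/Ubuntu x86_64.
The sample records below are constructed here so the script runs offline.
"""
import struct
import sys
from datetime import datetime, timezone

# glibc struct utmp on x86_64 (bits/utmp.h):
#   short ut_type; (2 pad) pid_t ut_pid; char ut_line[32]; char ut_id[4];
#   char ut_user[32]; char ut_host[256]; struct {short e_termination, e_exit} ut_exit;
#   int32 ut_session; struct {int32 tv_sec; int32 tv_usec} ut_tv;
#   int32 ut_addr_v6[4]; char __unused[20];
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384 bytes per record
LOGIN_PROCESS = 6  # ut_type that login(1) and sshd use for failed-login (btmp) records


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width C string field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def pack_record(user: str, line: str, host: str, ts: int, pid: int) -> bytes:
    """Build one btmp record in the layout login(1) writes (constructed data)."""
    return struct.pack(
        UTMP_FMT, LOGIN_PROCESS, pid,
        line.encode(), b"", user.encode(), host.encode(),
        0, 0,          # ut_exit
        0,             # ut_session
        ts, 0,         # ut_tv (seconds, microseconds)
        0, 0, 0, 0,    # ut_addr_v6, unused here
    )


def parse_btmp(data: bytes):
    """Return (records, trailing_bytes); records are dicts in file order.

    An empty file yields ([], 0). Bytes that do not form a whole record at the
    end (a truncated or mid-write file) are counted rather than parsed.
    """
    records = []
    n = len(data) // UTMP_SIZE
    for i in range(n):
        f = struct.unpack_from(UTMP_FMT, data, i * UTMP_SIZE)
        records.append({
            "type": f[0], "pid": f[1], "line": _cstr(f[2]),
            "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9],
        })
    return records, len(data) - n * UTMP_SIZE


def lastb_lines(records):
    """Format records like lastb(1): newest first, user / line / host / time."""
    out = []
    for r in reversed(records):
        when = datetime.fromtimestamp(r["time"], timezone.utc).strftime("%a %b %d %H:%M")
        out.append(f"{r['user']:<9}{r['line']:<13}{r['host']:<17}{when}")
    return out


def unknown_usernames(records, known_users):
    """Usernames in btmp that are not real accounts.

    These are typos, probes and, worst of all, passwords typed into the
    login: prompt, which is why btmp must not be world-readable.
    """
    return sorted({r["user"] for r in records if r["user"] not in known_users})


# Constructed sample: what btmp should contain after three failed logins.
SAMPLE_BTMP = b"".join([
    pack_record("root", "ssh:notty", "192.0.2.10", 1197999000, 4101),
    pack_record("hunter2", "tty1", "", 1198000500, 4120),  # password in the user field
    pack_record("admin", "ssh:notty", "198.51.100.7", 1198001200, 4133),
])


def main(argv):
    # With a path argument (e.g. /var/log/btmp, as root) it reads the real file.
    data = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE_BTMP
    records, trailing = parse_btmp(data)
    if not records:
        print("btmp holds no records: failed logins are not being written")
        return
    print("\n".join(lastb_lines(records)))
    if trailing:
        print(f"warning: {trailing} trailing bytes do not form a whole record")
    odd = unknown_usernames(records, {"root", "admin"})  # assumed account list
    if odd:
        print("usernames that are not accounts (possible passwords):", ", ".join(odd))


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the constructed sample rendered the way lastb would show it; run it as root with /var/log/btmp as the argument to confirm whether the real file is genuinely empty (zero whole records) rather than holding records that lastb is failing to read.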
The /etc/login.defs file defines where we should log failed attempts:
root@kratos:~# cat /etc/login.defs | grep btmp
# last, when invoked as lastb, will read /var/log/btmp, so...
FTMP_FILE /var/log/btmp
FTMP_FILE is defined as /var/log/btmp in login.defs, which is the path the shadow suite’s login(1) uses for its failed-login records. So the last thing I can think of that could be causing the problem is PAM. pam_tally.so is mentioned in /etc/login.defs, and it is the only module in /lib/security/ that mentions /var/log/faillog; none of them mentions btmp.
So, I’m at a loss. I can’t for the life of me figure out why failed login attempts are not being written to /var/log/btmp. If anyone reading this has any ideas, I’m all ears.