This is apparently a long-standing problem across all Linux distros for some time now, and various posted solutions may be distro and version specific.
Am hoping that someone can post a solution that should work for OpenSuSE, and if necessary for each currently supported version.
What is lastb?
lastb is the “bad logon” corollary to the working “last” that reads successful logons to the file /var/log/wtmp. At the moment I haven’t checked but the OpenSuSE Forum post I listed below suggests that failed ssh logons may be logged to btmp, but no local terminal failures are and it’s unclear if any other types of failed logons are supported.
What I’ve tried
Have created /var/log/btmp and /var/log/ftmp files and applied permissions copying from the wtmp file as described in the Novell Forum post and verified permissions are applied. On my machine (11.3), the wtmp default group permission is “tty.”
Then, after verifying that lastb can find and read the btmp and ftmp files, from a console executed failed “su root” commands (wrong password) to try to generate a failed logon entry which I expect should be logged into either btmp or ftmp.
Result is that nothing is written to either btmp or ftmp. According to many references on the Internet, typically ( ) systems should be automatically configured to write at least some bad logon types to either btmp or ftmp when the files exist.
I always do it like the manpage of “last” says to do it…a simple touch.
And I change the rights to 600, and that's it.
lastb shows me the failed login tries on my machine.
cd /var/log
sudo touch btmp
sudo chmod 600 btmp
And this works for me on openSuse 11.3, SLES10, SLES11 (SP1 and SP3), on HP-UX 11.11 and above…
tony@SuSEBOX:/root> su -l root
Password:
su: incorrect password
tony@SuSEBOX:/root> sudo lastb
root's password:
btmp begins Wed Nov 3 12:36:30 2010
tony@SuSEBOX:/root>
Also, judging from the output of last and assuming (yeah) that lastb output should report the failures of similar actions that are logged in wtmp, the “-l” option should not be necessary.
Although it looks like lastb may be largely deprecated,
Failed Console logins (at least) are still logged to every distro syslog, in the case of OpenSuSE that would be
/var/log/messages
So, for instance you can extract all failed console logins by using the following
grep FAILED /var/log/messages
Unfortunately the actual entries don’t contain much info (like what the bad password was, what interface was used)… The investigation continues…
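An added example, not part of the original thread: a small parser for the records lastb reads, useful for confirming whether /var/log/btmp is really empty (as in the "btmp begins" output above) or holds entries. It assumes the 384-byte little-endian struct utmp layout used by glibc on Linux; the sample records and the helper names are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

# Assumed layout: glibc struct utmp on Linux, 384 bytes, little-endian.
# Fields: ut_type, pad, ut_pid, ut_line, ut_id, ut_user, ut_host,
# ut_exit (2 shorts), ut_session, tv_sec, tv_usec, ut_addr_v6[4], unused.
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20s")


def _text(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_btmp(data):
    """Return (records, leftover_bytes) for the raw contents of a btmp file.

    leftover_bytes is non-zero when the file ends in a partial record,
    which points to truncation or a different record layout.
    """
    whole = len(data) - len(data) % UTMP.size
    records = []
    for off in range(0, whole, UTMP.size):
        f = UTMP.unpack_from(data, off)
        records.append({
            "type": f[0],
            "pid": f[1],
            "line": _text(f[2]),
            "user": _text(f[4]),
            "host": _text(f[5]),
            "time": datetime.fromtimestamp(f[9], timezone.utc),
        })
    return records, len(data) - whole


def sample_record(user, line, host, when):
    """Build one constructed record (ut_type 6, hypothetical pid 4242)."""
    return UTMP.pack(6, 4242, line, b"", user, host,
                     0, 0, 0, when, 0, 0, 0, 0, 0, b"")


if __name__ == "__main__":
    # Constructed data; for a real file use open("/var/log/btmp", "rb").read()
    blob = (sample_record(b"root", b"tty1", b"", 1288787790)
            + sample_record(b"tony", b"ssh:notty", b"192.0.2.10", 1288787800))
    recs, leftover = parse_btmp(blob)
    for r in recs:
        print(r["time"].isoformat(), r["user"], r["line"], r["host"] or "-")
    print("records:", len(recs), "leftover bytes:", leftover)
```

An empty file parses to no records and no leftover bytes, which is the state lastb reports when it prints only the "btmp begins" line.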