How to configure lastb?

This is apparently a long standing problem across all Linux distros for some time now, and various posted solutions may be distro and version specific.

Am hoping that someone can post a solution that should work for OpenSuSE, and if necessary for each currently supported version.

What is lastb?
lastb is the “bad logon” corollary to the working “last” that reads successful logons to the file /var/log/wtmp. At the moment I haven’t checked but the OpenSuSE Forum post I listed below suggests that failed ssh logons may be logged to btmp, but no local terminal failures are and it’s unclear if any other types of failed logons are supported.

Some relevant links I’ve found
The only relevant OpenSuSE Forums post I’ve found
The only relevant Novell Forums post I’ve found
A RH List post

What I’ve tried
Have created /var/log/btmp and /var/log/ftmp files and applied permissions copying from the wtmp file as described in the Novell Forum post and verified permissions are applied. On my machine (11.3), the wtmp default group permission is “tty.”

Then, after verifying that lastb can find and read the btmp and ftmp files, from a console executed failed “su root” commands (wrong password) to try to generate a failed logon entry which I expect should be logged into either btmp or ftmp.

Result is that nothing is written to either btmp or ftmp. According to many references on the Internet, typically ( :) ) systems should be automatically configured to write at least some bad logon types to either btmp or ftmp when the files exist.

TIA,
Tony

That is strange…

I always do it like the manpage of “last” says to do it…a simple touch.
And I change the rights to 600, and that's it.
lastb shows me the failed login tries on my machine.

cd /var/log
sudo touch btmp
sudo chmod 600 btmp

And this works for me on openSuse 11.3, SLES10, SLES11 (SP1 and SP3), on HP-UX 11.11 and above… :)

Wish I had your magic “Touch” !

I just re-ran the commands against both my btmp and ftmp, then re-ran the test procedure described in my original post without any change in result.

Are you sure your logon failures are from a local terminal and not a remote logon, esp ssh (which likely works)?

Tony

Just for clarification, here is the CLI output,

After creating the btmp and ftmp files as root and setting permissions, the following

SuSEBOX:/home/tony # cd /var/log
SuSEBOX:/var/log # touch btmp
SuSEBOX:/var/log # touch ftmp
SuSEBOX:/var/log # chmod 600 btmp                                                        
SuSEBOX:/var/log # chmod 600 ftmp                                                        
SuSEBOX:/var/log # su tony                                                               
tony@SuSEBOX:/var/log> su root                                                           
Password:                                                                               
su: incorrect password                                                                  
tony@SuSEBOX:/var/log> su                                                                
Password:                                                                               
SuSEBOX:/var/log # lastb                                                                 
                                                                                        
btmp begins Wed Nov  3 12:36:30 2010                                                    
SuSEBOX:/var/log # lastb -f /var/log/ftmp                                                
                                                                                        
ftmp begins Wed Nov  3 12:36:37 2010

On 2010-11-03 21:36, tsu2 wrote:
>
> Just for clarification, here is the CLI output,

> SuSEBOX:/var/log # su tony
> tony@SuSEBOX:/var/log> su root

These do not “login”.

Hint: man su, first option.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

Still no joy,

tony@SuSEBOX:/root> su -l root
Password: 
su: incorrect password
tony@SuSEBOX:/root> sudo lastb
root's password:

btmp begins Wed Nov  3 12:36:30 2010
tony@SuSEBOX:/root>

Also, judging from the output of last and assuming (yeah) that lastb output should report the failures of similar actions that are logged in wtmp, the “-l” option should not be necessary.

Tony

Just an update to my research on this topic…

Although it looks like lastb may be largely deprecated,
Failed Console logins (at least) are still logged to every distro syslog, in the case of OpenSuSE that would be

/var/log/messages

So, for instance you can extract all failed console logins by using the following

grep FAILED /var/log/messages

Unfortunately the actual entries don’t contain much info (like what the bad password was, what interface was used)… The investigation continues…

Tony
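
For readers following the thread: lastb only decodes fixed-size utmp records stored in /var/log/btmp, so the file can be inspected directly to see whether anything is being written to it. The following is an added example, not code from any poster in this thread; it assumes the 384-byte glibc `struct utmp` layout used on x86 and x86_64 Linux, and the sample records (users, hosts, timestamps) and the helper names are constructed for illustration.

```python
import struct
from collections import Counter
from datetime import datetime, timezone

# Assumed layout: glibc struct utmp on x86/x86_64 Linux, 384 bytes per record:
# type, pad, pid, line[32], id[4], user[32], host[256], exit(2 shorts),
# session, tv_sec, tv_usec, addr_v6[4], unused[20]
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20x")

def _text(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_btmp(data):
    """Return one dict per complete record; a trailing partial record is ignored."""
    records = []
    for off in range(0, len(data) - UTMP.size + 1, UTMP.size):
        typ, pid, line, _id, user, host, _t, _e, _s, sec, _us, *_addr = \
            UTMP.unpack_from(data, off)
        records.append({
            "type": typ, "pid": pid, "line": _text(line),
            "user": _text(user), "host": _text(host),
            "time": datetime.fromtimestamp(sec, timezone.utc).isoformat(),
        })
    return records

def summarize(records):
    """Count failed attempts per (user, origin); origin is host, else the tty."""
    return Counter((r["user"], r["host"] or r["line"]) for r in records)

def make_record(user, line, host, when, pid=4242, typ=6):
    """Build a constructed sample record (not real log data)."""
    return UTMP.pack(typ, pid, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, when, 0, 0, 0, 0, 0)

# Constructed sample: two remote failures for root, one local failure for tony.
SAMPLE = (make_record("root", "ssh:notty", "192.0.2.10", 1288787790) * 2
          + make_record("tony", "tty1", "", 1288787797))

if __name__ == "__main__":
    # Reading the real file needs root; an empty file yields no records,
    # which matches lastb printing only the "btmp begins" line.
    try:
        with open("/var/log/btmp", "rb") as fh:
            data = fh.read()
    except OSError:
        data = SAMPLE
    for (user, origin), n in summarize(parse_btmp(data)).most_common():
        print(f"{n:5d}  {user:<12} {origin}")
```
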