I know that /var/log/btmp is for failed login attempts. Typically having a file this large indicates brute force attempts. The 6GB is an accumulation over the past 3 years. I've taken steps to hide sshd so it is not accessible to anyone besides myself. These steps should drastically decrease the amount of log entries in this file.
The current entries up until this point are just noise - bots trying to brute force the server.
My question is, how do I safely empty this file, or trim it down to the last month? I know the format of this file isn't plain text, so I don't want to break the file (want to be able to review it later).
Check the contents of the file with
    last -f /var/log/btmp
If you have a bot problem, try changing the default sshd port from 22 to something like 2222. You could also install DenyHosts as a way to temper the login attempts. Either way, you can safely truncate the file with
    : > /var/log/btmp

I'd suggest using logrotate for it. There is an example config here: http://www.question-defense.com/2009/07/03/how-to-read-varlogbtmp-rotate-the-btmp-log-with-logrotate
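The answers above cover emptying the file; the question also asks how to keep only the last month without breaking the binary format. btmp is a sequence of fixed-size utmp records, so text tools (tail, sed) will corrupt it, but it can be trimmed record by record. The script below is an added example, not code from the thread or from any of the tools it mentions. It assumes the glibc struct utmp layout on little-endian x86_64 Linux (384 bytes per record) and uses the ut_type value 6 (LOGIN_PROCESS) for the synthetic records it builds; on other architectures check the record size first. It also summarises the top source hosts before the old records are dropped, which is worth a look before discarding three years of data. An alternative that avoids writing any code is util-linux's utmpdump: `utmpdump /var/log/btmp > btmp.txt`, delete the old lines, then `utmpdump -r < btmp.txt > btmp.new`.

```python
"""Trim /var/log/btmp to the last N days without corrupting it.

Added example. Assumes the glibc struct utmp layout on little-endian
x86_64 Linux: 384 bytes per record. Run as root: python3 trim_btmp.py [path]
"""
import os
import shutil
import struct
import sys
import time
from collections import Counter

# glibc struct utmp on x86_64: ut_type (short + 2 pad bytes), ut_pid,
# ut_line[32], ut_id[4], ut_user[32], ut_host[256], ut_exit (2 shorts),
# ut_session, ut_tv.tv_sec, ut_tv.tv_usec, ut_addr_v6[4], 20 reserved bytes.
UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20x")
assert UTMP.size == 384
LOGIN_PROCESS = 6      # ut_type used for the constructed failed-login records
TV_SEC_INDEX = 9       # position of ut_tv.tv_sec in the unpacked tuple


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width C string field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def _whole_records(data: bytes) -> bytes:
    """Drop a trailing partial record (e.g. a write that was in progress)."""
    return data[: len(data) - len(data) % UTMP.size]


def parse_btmp(data: bytes):
    """Yield (ut_type, pid, line, user, host, tv_sec) for each complete record."""
    data = _whole_records(data)
    for off in range(0, len(data), UTMP.size):
        fields = UTMP.unpack_from(data, off)
        ut_type, pid, line, _id, user, host = fields[:6]
        yield ut_type, pid, _cstr(line), _cstr(user), _cstr(host), fields[TV_SEC_INDEX]


def trim_btmp(data: bytes, cutoff: int) -> bytes:
    """Return the records whose timestamp is >= cutoff, byte-for-byte intact,
    so 'last -f' still reads the result."""
    data = _whole_records(data)
    keep = bytearray()
    for off in range(0, len(data), UTMP.size):
        rec = data[off:off + UTMP.size]
        if UTMP.unpack(rec)[TV_SEC_INDEX] >= cutoff:
            keep += rec
    return bytes(keep)


def top_sources(data: bytes, n: int = 5):
    """Most frequent ut_host values: who was hammering the box."""
    return Counter(host for *_, host, _ in parse_btmp(data)).most_common(n)


def make_record(user: str, host: str, tv_sec: int, line: str = "ssh:notty") -> bytes:
    """Build a synthetic btmp record (constructed test data, not a real log)."""
    return UTMP.pack(LOGIN_PROCESS, 0, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


if __name__ == "__main__":
    src = sys.argv[1] if len(sys.argv) > 1 else "/var/log/btmp"
    cutoff = int(time.time()) - 30 * 86400
    with open(src, "rb") as f:
        data = f.read()
    shutil.copy2(src, src + ".bak")          # keep the full history for later review
    print("top sources:", top_sources(data))
    trimmed = trim_btmp(data, cutoff)
    st = os.stat(src)
    tmp = src + ".new"
    with open(tmp, "wb") as f:
        f.write(trimmed)
    os.chmod(tmp, st.st_mode & 0o777)        # preserve the original mode and owner
    os.chown(tmp, st.st_uid, st.st_gid)
    os.replace(tmp, src)                     # atomic swap; readers never see a half-written file
    print(f"{len(data) // UTMP.size} records -> {len(trimmed) // UTMP.size} kept")
```

A failed login that lands between the read and the `os.replace` is lost, which is acceptable for a noise log; if that matters, stop sshd for the few seconds the swap takes. Verify the result with `last -f /var/log/btmp` before deleting the `.bak` copy, and keep the logrotate config from the second answer so the file never grows to 6GB again.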