The issue
Whenever a bad login attempt is made against the Secure Shell daemon on a Debian GNU/Linux Wheezy box, only /var/log/auth.log records it. The file /var/log/btmp stays empty, so it is impossible to obtain the list of failed logins by running the lastb command.
Logging to /var/log/btmp is disabled
On a Debian GNU/Linux Jessie box, logging to /var/log/btmp is enabled and works fine. The first thing to notice is that the Jessie sshd binary contains the string "btmp", whereas the Wheezy one does not:
root@jessie:~# strings /usr/sbin/sshd |grep btmp
/var/log/btmp
Unable to open the btmp file %s: %s
root@wheezy:~# strings /usr/sbin/sshd |grep btmp
As clearly shown above, the Wheezy version does not have support for logging the failed logins to /var/log/btmp.
To find out why, I downloaded the Debian Wheezy openssh package sources and grepped through them:
root@wheezy:~# grep -R "btmp" *
ChangeLog: - (djm) [loginrec.c] Relax permission requirement on btmp logs to allow
config.h.in:/* Use btmp to log bad logins */
configure:$as_echo "#define _PATH_BTMP \"/var/log/btmp\"" >>confdefs.h
configure:$as_echo "#define _PATH_BTMP \"/var/log/btmp\"" >>confdefs.h
configure.ac: AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
configure.ac: AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
configure.ac: AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
configure.ac: AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
debian/patches/gssapi.patch: /* Use btmp to log bad logins */
debian/changelog: * Disable btmp logging, since Debian's /var/log/btmp has inappropriate
debian/rules: # Debian's /var/log/btmp has inappropriate permissions.
loginrec.c: * The btmp logging code is derived from login.c from util-linux and is under
loginrec.c: debug("Unable to open the btmp file %s: %s", _PATH_BTMP,
Looking at debian/rules, I found the lines that turn the USE_BTMP preprocessor define into a comment in the generated config.h after configure has run:
override_dh_auto_build:
	# Debian's /var/log/btmp has inappropriate permissions.
	perl -pi -e 's,.*#define USE_BTMP .*,/* #undef USE_BTMP */,' build-deb/config.h
	perl -pi -e 's,.*#define USE_BTMP .*,/* #undef USE_BTMP */,' build-udeb/config.h
Therefore, there is no support for /var/log/btmp enabled by default on a Debian Wheezy box. This is a known bug reported in the Debian Bug Tracking System; according to the report, the functionality has been re-enabled starting from Debian GNU/Linux ssh package version 1:6.6p1-1.
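To make this kind of diagnosis repeatable, here is an added shell script (my own, not part of the original post or of the Debian openssh packaging) that inspects an unpacked openssh source tree: it reports whether the generated config.h defines USE_BTMP, extracts the compiled-in _PATH_BTMP, and checks whether debian/rules carries the rewrite that comments the define out. The tree layout (build-deb/config.h, debian/rules) follows the grep output above; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original post: report how btmp logging is
# configured at build time in an unpacked openssh source tree.
# Function names are the example's own; file paths follow the grep output
# in the post (build-deb/config.h, debian/rules).

# Print "enabled", "disabled" or "absent" for USE_BTMP in a config.h.
# Return code mirrors the state: 0 enabled, 1 disabled, 2 absent/unreadable.
config_h_btmp_state() {
    cfg=$1
    [ -r "$cfg" ] || { echo absent; return 2; }
    if grep -q -E '^[[:space:]]*#define[[:space:]]+USE_BTMP([[:space:]]|$)' "$cfg"; then
        echo enabled; return 0
    fi
    # autoconf writes "/* #undef USE_BTMP */" when the feature is off, and
    # the Wheezy rules file rewrites the #define into exactly that form.
    if grep -q -E '#undef[[:space:]]+USE_BTMP' "$cfg"; then
        echo disabled; return 1
    fi
    echo absent; return 2
}

# Print the btmp path compiled into the binary (_PATH_BTMP), if any.
config_h_btmp_path() {
    sed -n 's/^[[:space:]]*#define[[:space:]]*_PATH_BTMP[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# Return 0 if a debian/rules file carries the substitution that turns
# "#define USE_BTMP" into an #undef comment after configure has run.
rules_disables_btmp() {
    [ -r "$1" ] && grep -q 'undef USE_BTMP' "$1"
}

# Report on a whole source tree. Returns 0 only if btmp logging will be
# compiled in (config.h says enabled and debian/rules does not override it).
report_btmp_build_config() {
    src=${1:-.}
    cfg=$src/build-deb/config.h
    rules=$src/debian/rules
    # "|| :" keeps the non-zero state codes from tripping set -e callers
    state=$(config_h_btmp_state "$cfg" || :)
    path=$(config_h_btmp_path "$cfg" 2>/dev/null || :)
    echo "USE_BTMP in $cfg: $state"
    echo "_PATH_BTMP: ${path:-(none)}"
    if rules_disables_btmp "$rules"; then
        echo "debian/rules: rewrites USE_BTMP to #undef after configure"
        return 1
    fi
    [ "$state" = enabled ]
}

# Usage: sh btmp_build_check.sh /path/to/unpacked/openssh-source
if [ $# -ge 1 ]; then
    report_btmp_build_config "$1"
fi
```

Run it against the tree in which the package has already been built once (so build-deb/config.h exists); on the Wheezy sources it reports the rules-level override, on a fixed package it reports USE_BTMP as enabled.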
Fixing the issue
The easiest way is to add the Wheezy-Backports repository to apt and install openssh from it. The Debian Backports project ships openssh version 1:6.6p1-4~bpo70+1, which is newer than 1:6.6p1-1, so it includes support for logging failed login attempts to /var/log/btmp:
root@wheezy:~# apt-get -t wheezy-backports install ssh
Because the feature was originally disabled over the file's permissions, it is also worth making sure /var/log/btmp is not readable by other users:
root@wheezy:~# chmod 600 /var/log/btmp
From now on, every failed login attempt against the sshd daemon is logged to /var/log/btmp and can be listed with lastb.
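Once the backported package is installed, the following added shell script (my own, not part of the original post) verifies the three things the fix relies on: that the installed sshd binary references /var/log/btmp, that the file is not world-readable (mistyped passwords land in btmp as user names, which is why its permissions matter), and that it has actually received records. The paths are parameters so the checks can be exercised against fixtures; /usr/sbin/sshd and /var/log/btmp are the defaults from the post, and a tr pipeline stands in for strings so the script also works on hosts without binutils.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the OpenSSH build
# on a Debian host can log failed logins to btmp and that the log file
# itself is in order. Paths are parameters so the functions can be run
# against test fixtures; the defaults are the paths used in the post.

# 1. Does the sshd binary embed the btmp path? Emulates `strings | grep`
#    with tr so it works without binutils. Returns 0 if found, 2 if the
#    binary cannot be read.
sshd_has_btmp_support() {
    bin=$1
    [ -r "$bin" ] || return 2
    tr -c '[:print:]' '\n' < "$bin" | grep -q -F '/var/log/btmp'
}

# 2. Permissions: the "other" bits must be ---, so 0600 (as in the post)
#    and Debian's usual 0660 root:utmp both pass while 0644 fails.
#    Parses ls -l so it works with both GNU and BSD userlands.
btmp_not_world_readable() {
    f=$1
    [ -e "$f" ] || return 2
    other=$(ls -ld "$f" | cut -c8-10)
    [ "$other" = "---" ]
}

# 3. Has anything ever been written? An always-empty btmp is the symptom
#    the post starts from. Returns 0 when the file is non-empty.
btmp_has_records() {
    [ -s "$1" ]
}

# Run the three checks, print one line per check and return the number of
# failed checks (0 = everything in order).
check_btmp_logging() {
    sshd_bin=${1:-/usr/sbin/sshd}
    btmp=${2:-/var/log/btmp}
    failed=0
    if sshd_has_btmp_support "$sshd_bin"; then
        echo "ok   $sshd_bin references /var/log/btmp"
    else
        echo "FAIL $sshd_bin has no btmp support (built without USE_BTMP?)"
        failed=$((failed + 1))
    fi
    if btmp_not_world_readable "$btmp"; then
        echo "ok   $btmp is not world-readable"
    else
        echo "FAIL $btmp is missing or world-readable (chmod 600 $btmp)"
        failed=$((failed + 1))
    fi
    if btmp_has_records "$btmp"; then
        echo "ok   $btmp contains records (see lastb)"
    else
        echo "FAIL $btmp is empty: no failed login has been recorded yet"
        failed=$((failed + 1))
    fi
    return $failed
}

# Run only when paths are given on the command line, e.g.
#   sh check_btmp.sh /usr/sbin/sshd /var/log/btmp
if [ $# -ge 1 ]; then
    check_btmp_logging "$@"
fi
```

The third check only turns green after at least one failed login has happened since the upgrade, so an empty file directly after installing the backport is expected; a file that stays empty after a deliberate bad login from a test account is the original symptom.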