/var/log/btmp on Debian Wheezy is always empty (lastb does not show entries)

The issue

Whenever a bad login attempt is made against the Secure Shell daemon on a Debian GNU/Linux Wheezy system, only /var/log/auth.log is written to. The file /var/log/btmp is always empty, so it is impossible to list failed logins by running the lastb command.

Logging to /var/log/btmp is disabled

On a Debian GNU/Linux Jessie box, logging to /var/log/btmp is enabled and working fine. The first thing to notice is that whereas the sshd binary on the Debian Jessie box contains the string “btmp”, the Wheezy one does not:

root@jessie:~# strings /usr/sbin/sshd |grep btmp
/var/log/btmp
Unable to open the btmp file %s: %s

root@wheezy:~# strings /usr/sbin/sshd |grep btmp

As clearly shown above, the Wheezy version does not have support for logging the failed logins to /var/log/btmp.

To determine why, I downloaded the Debian Wheezy openssh package sources, and had a quick look using the grep utility inside them:

root@wheezy:~# grep -R "btmp" *
ChangeLog: - (djm) [loginrec.c] Relax permission requirement on btmp logs to allow
config.h.in:/* Use btmp to log bad logins */
configure:$as_echo "#define _PATH_BTMP \"/var/log/btmp\"" >>confdefs.h
configure:$as_echo "#define _PATH_BTMP \"/var/log/btmp\"" >>confdefs.h
configure.ac: AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
configure.ac: AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
configure.ac: AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
configure.ac: AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
debian/patches/gssapi.patch: /* Use btmp to log bad logins */
debian/changelog: * Disable btmp logging, since Debian's /var/log/btmp has inappropriate
debian/rules: # Debian's /var/log/btmp has inappropriate permissions.
loginrec.c: * The btmp logging code is derived from login.c from util-linux and is under
loginrec.c: debug("Unable to open the btmp file %s: %s", _PATH_BTMP,

Editing debian/rules, I found the lines that clearly unset the USE_BTMP pre-processor directive:

override_dh_auto_build:
	# Debian's /var/log/btmp has inappropriate permissions.
	perl -pi -e 's,.*#define USE_BTMP .*,/* #undef USE_BTMP */,' build-deb/config.h
	perl -pi -e 's,.*#define USE_BTMP .*,/* #undef USE_BTMP */,' build-udeb/config.h

Therefore, there’s no support for /var/log/btmp enabled by default on a Debian Wheezy box. This is, in fact, a reported bug in the Debian Bug Tracking System. According to it, this functionality has been re-enabled starting with Debian GNU/Linux ssh package version 1:6.6p1-1.

Fixing the issue

The easiest way is to add the Wheezy-Backports repository to apt, and install openssh from it. Having a quick look at the Debian Backports project, we can clearly see that its openssh version is 1:6.6p1-4~bpo70+1, and it is pretty obvious that 1:6.6p1-4~bpo70+1 > 1:6.6p1-1, therefore there is support for logging the failed login attempts to /var/log/btmp:

root@wheezy:~# apt-get -t wheezy-backports install ssh

Just in case, we can change the /var/log/btmp file permissions this way:

root@wheezy:~# chmod 600 /var/log/btmp

And now, every single failed login attempt against the sshd daemon will be logged to /var/log/btmp.
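
To confirm that records are really being written after the upgrade, /var/log/btmp can also be read directly instead of through lastb. The following is an added example, not part of the original post or of OpenSSH: it assumes the 384-byte glibc struct utmp layout used on x86/x86_64 Linux, and the sample records (including the "ssh:notty" line name and the documentation-range addresses) are constructed for the demonstration.

```python
import struct
from collections import Counter
from datetime import datetime, timezone

# Assumption: glibc struct utmp on x86/x86_64 Linux (little-endian, 384 bytes):
# type, pid, line[32], id[4], user[32], host[256], exit status (2 shorts),
# session, tv_sec, tv_usec, addr_v6[4], unused[20].
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20s")

def _text(raw):
    """Fixed-width char fields are NUL-padded, not always NUL-terminated."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_btmp(data):
    """Yield one dict per failed-login record found in raw btmp bytes."""
    usable = len(data) - len(data) % UTMP.size  # skip a truncated tail record
    for off in range(0, usable, UTMP.size):
        f = UTMP.unpack_from(data, off)
        yield {
            "pid": f[1],
            "line": _text(f[2]),
            "user": _text(f[4]),
            "host": _text(f[5]),
            "time": datetime.fromtimestamp(f[9], timezone.utc),
        }

def failures_by_host(data):
    """Count failed logins per remote host, as a quick triage view."""
    return Counter(r["host"] for r in parse_btmp(data))

def make_record(user, host, ts, pid=4242):
    """Build a constructed record for the demo (type 6 = LOGIN_PROCESS)."""
    return UTMP.pack(6, pid, b"ssh:notty", b"", user.encode(), host.encode(),
                     0, 0, 0, ts, 0, 0, 0, 0, 0, b"")

# Constructed sample: three records plus 10 stray bytes (a partial write).
SAMPLE = (make_record("root", "192.0.2.10", 1420070400)
          + make_record("admin", "192.0.2.10", 1420070460)
          + make_record("root", "198.51.100.7", 1420070520)
          + b"\0" * 10)

if __name__ == "__main__":
    # On a real host (as root): data = open("/var/log/btmp", "rb").read()
    for r in parse_btmp(SAMPLE):
        print(r["time"].isoformat(), r["line"], r["user"], r["host"])
    print(failures_by_host(SAMPLE).most_common())
```

An empty result on a real file after a deliberately failed login means sshd is still not writing to btmp.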