/var/log/btmp is the file that is supposed to contain all the bad login attempts (at least that was the case on Fedora). On my Debian GNU/Linux 5.0 server, it's empty. The permissions were originally:
-rw-rw---- 1 root utmp 0 Jul 1 06:25 /var/log/btmp
but I changed them to:
-rw------- 1 root root 0 Jul 1 06:25 /var/log/btmp
but that didn't work either. I'm still not seeing anything in btmp (and yes, I'm creating bad login attempts to test it).
I've Googled my brains out, but can't find a fix. Any ideas?
Best Answer
I think this is a problem with openssh. I tested this on an Ubuntu system and bad ssh login attempts get logged to /var/log/auth.log but not to btmp. At the console, bad login attempts do go to btmp. In Google searches, I'm seeing reports of this going back to 2006-2007.
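Since the answer above finds failed ssh logins in /var/log/auth.log rather than in btmp, the following added example (not part of the original post) counts them per source address from that file. The sample lines are constructed, and the handling of "message repeated N times" assumes a syslog daemon that collapses duplicate lines that way.

```python
import re
from collections import Counter

# Constructed sample lines in the syslog format sshd writes to auth.log
# (host, users and addresses are made up; addresses are documentation ranges).
SAMPLE_AUTH_LOG = """\
Jul  1 06:31:02 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jul  1 06:31:05 web1 sshd[2101]: message repeated 2 times: [ Failed password for root from 203.0.113.7 port 40122 ssh2]
Jul  1 06:32:10 web1 sshd[2107]: Failed password for invalid user admin from 198.51.100.23 port 51514 ssh2
Jul  1 06:33:00 web1 sshd[2110]: Accepted password for alice from 192.0.2.10 port 50022 ssh2
Jul  1 06:34:41 web1 login[1833]: FAILED LOGIN (1) on '/dev/tty1' FOR 'bob', Authentication failure
"""

# The user name is supplied by the client and may contain spaces, so it is
# matched greedily and the address is taken from the LAST "from ... port ..."
# on the line (the part sshd itself appends).
FAILED = re.compile(
    r"sshd\[\d+\]: (?:message repeated (?P<n>\d+) times: \[ ?)?"
    r"Failed (?P<method>\S+) for (?P<invalid>invalid user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port \d+(?: ssh\d*)?\]?\s*$"
)

def failed_ssh_logins(lines):
    """Yield (user, ip, count, invalid_user) for each sshd failure line."""
    for line in lines:
        m = FAILED.search(line)
        if m:
            # A collapsed "message repeated N times" line counts as N attempts.
            yield (m["user"], m["ip"], int(m["n"] or 1), bool(m["invalid"]))

def failures_by_source(lines):
    """Total failed sshd attempts per source address."""
    totals = Counter()
    for _user, ip, count, _invalid in failed_ssh_logins(lines):
        totals[ip] += count
    return totals

if __name__ == "__main__":
    # On a real host, pass open("/var/log/auth.log") instead (needs read access).
    for ip, n in failures_by_source(SAMPLE_AUTH_LOG.splitlines()).most_common():
        print(f"{n:4d}  {ip}")
```

Console failures (the login[...] line in the sample) are skipped on purpose, since per the answer those are the ones that do reach btmp.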