On Linux and Unix systems, the "last" command displays the history of users who logged in (and out), and the "lastb" command lists all bad login attempts. Successful logins are recorded in the wtmp file, while failed login attempts are stored in the btmp file; both files are usually located in the /var/log directory.

Logging to wtmp and btmp is continuous, so both files can grow to a very large size. This is especially true for btmp, which records failed or bad login attempts: if the administrator has not disabled FTP or SSH password authentication and the server is being hit by brute-force break-in attempts, every wrong user name or incorrect password is logged to btmp.

In addition, an administrator may want to clear the login history once in a while, or a system that is running low on (or out of) disk space on /var may need to purge wtmp and btmp to reclaim some space.

In either case, the proper way to clear and reset the wtmp and btmp files is to redirect empty input into the file, overwriting all existing content. The command has the following syntax:

cat /dev/null > /var/log/wtmp

or, on some systems, simply:

> /var/log/wtmp

Note: change the path and file name (e.g. btmp) accordingly.

The commands above empty the content of the btmp or wtmp file so that new information is logged afresh. The file itself is not deleted and is left in place, which matters because the btmp and wtmp files are not recreated when they are missing: the system only logs to these files if they already exist.

Tip: if you have already deleted the wtmp or btmp file, recreate it with the touch command and assign proper permissions to the file (-rw-rw-r-- root utmp for wtmp, or -rw------- root utmp for btmp); otherwise an error such as "Excess permission or bad ownership on file /var/log/btmp or /var/log/wtmp" may occur.
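The following shell function is an added example (not part of the original post) that ties the steps above together: it saves a timestamped copy of the log before emptying it, so the old login or failed-login records are still available to "last -f" or for an incident review, then truncates the file in place and sets the mode. The root:utmp ownership is only applied when the function runs as root; the default mode 0664 and the archive naming are assumptions, not something the post prescribes.

```shell
#!/bin/sh
# Added example, not from the original post.
# rotate_login_log FILE [MODE]
#   1. copy FILE to FILE.<timestamp> (preserving mode/owner) if it has content
#   2. empty FILE in place, same effect as 'cat /dev/null > FILE'
#   3. apply MODE (default 0664, e.g. 0600 for btmp) and, if root, root:utmp
rotate_login_log() {
    log="$1"
    mode="${2:-0664}"
    stamp=$(date +%Y%m%d%H%M%S)

    # Keep the evidence before clearing: truncation is irreversible.
    if [ -s "$log" ]; then
        cp -p "$log" "$log.$stamp" || return 1
    fi

    # Truncate without deleting; the file must stay present because
    # the system will not recreate a missing wtmp/btmp on its own.
    : > "$log" || return 1
    chmod "$mode" "$log" || return 1

    # Ownership can only be changed by root; skip it otherwise.
    if [ "$(id -u)" -eq 0 ]; then
        chown root:utmp "$log" || return 1
    fi
    return 0
}

# Stand-alone usage: rotate_login_log /var/log/btmp 0600
if [ "$#" -gt 0 ]; then
    rotate_login_log "$@"
fi
```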

Note that there may also be files named wtmp.1, wtmp.2, wtmp.3, wtmp.4, btmp.1, btmp.2, btmp.3, btmp.4; these are rotated backup archives and can be safely deleted.
