DaemonForums > OpenBSD > OpenBSD General

#1, 31st May 2020, k1elt (New User, Hartford)

/var/log/failedlogin and lastlog are huge (~6 GB)

Hi everyone,

My /var is filling up.

Two files in /var/log look abnormally huge:
  • failedlogin (5.1 G)
  • lastlog (5.7 G)
I tried searching for answers to the following questions but my Google skills failed me.
  1. How do you view the /var/log/failedlogin and /var/log/lastlog files?
  2. Can I (should I) limit the size of these logs to prevent them from getting this bloated?
  3. Can I limit the size of these by editing the newsyslog.conf file or does that only work with readable (non-binary) log files?

#2, 31st May 2020, e1-531g (ISO Quartermaster)

I suppose these logs are from a computer connected to the Internet and that these are mostly failed attempts from some kind of remote attack. I don't think that at that point it is worth inspecting these files manually, except for the purpose of writing a script extracting the most common misbehaving IPs.

Yes, you should limit their size. Apart from measures such as log rotation, another common piece of advice is to use pf for blocklisting IPs attempting to log in too many times in too short a time span.
As a less common, additional measure some people advise making the filesystem for /var/log a separate partition, because it's faster to create a new filesystem from scratch and extract the needed files from the appropriate tarball than to remove big and fragmented files.
Signature: Furthermore, I consider that systemd must be destroyed. (Based on a Latin oratorical phrase)

#3, 31st May 2020, e1-531g (ISO Quartermaster)

Personally I would create a compressed backup of these files first, then empty/truncate the file using:
Code:
echo "" > /var/log/failedlogin
Remember to back it up first before running this command.

#4, 31st May 2020, k1elt (New User, Hartford)

Quote:
Originally Posted by e1-531g
I suppose these logs are from a computer connected to the Internet and that these are mostly failed attempts from some kind of remote attack. I don't think that at that point it is worth inspecting these files manually, except for the purpose of writing a script extracting the most common misbehaving IPs.
Yes, this OpenBSD computer is connected directly to my cable modem and is my router for my home network.

I guess it's safe for me to stop worrying about what is in /var/log/failedlogin since my sshd only accepts keys.

Quote:
Yes, you should limit their size. Apart from measures such as log rotation, another common piece of advice is to use pf for blocklisting IPs attempting to log in too many times in too short a time span.
As a less common, additional measure some people advise making the filesystem for /var/log a separate partition, because it's faster to create a new filesystem from scratch and extract the needed files from the appropriate tarball than to remove big and fragmented files.
Ok, that's some homework for me.
I will look into:
  1. pf blocking
  2. possible reinstall with /var/log on its own partition

I'll also back up /var/log/failedlogin before I zero it out per your instructions.

Thank you very much for your response. I appreciate your help.

#5, 31st May 2020, bsdun (Real Name: Steve, Fdisk Soldier)

Quote:
Originally Posted by k1elt
<...>
I will look into:
  1. pf blocking
<...>
There is an amazing book about pf: Book of PF, 3rd Edition by Peter N. M. Hansteen.

#6, 31st May 2020, TronDD (Spam Deminer)

Quote:
Originally Posted by k1elt
I tried searching for answers to the following questions but my Google skills failed me.
Search the manpages instead. Use man -k or apropos.

man -k any=<something>

Quote:
  1. How do you view the /var/log/failedlogin and /var/log/lastlog files?
  2. Can I (should I) limit the size of these logs to prevent them from getting this bloated?
  3. Can I limit the size of these by editing the newsyslog.conf file or does that only work with readable (non-binary) log files?
1. last(1), I think. I don't seem to have anything in mine.
2. Yes, but definitely see why they are filling up. Mine are tiny.
3. newsyslog.conf(5): pay attention to the flags field. /var/log/wtmp is a similar log, for an existing example.
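For the flags field TronDD points at, here is a newsyslog.conf(5) fragment as an added example (it is not from the thread, and the values are assumptions to adjust): failedlogin is rotated the same way wtmp is, with the B flag telling newsyslog the file is binary so that it does not write its "logfile turned over" text message into it. The wtmp line has the shape of the existing entry TronDD refers to; check your own /etc/newsyslog.conf for the exact values. lastlog is left out on purpose: it is indexed by UID and consulted by login(1) for the "Last login" line, so rotating it away loses that information rather than saving anything useful.

```conf
# /etc/newsyslog.conf fragment (added example; owner, mode, count and size are assumptions)
# logfile_name          owner:group   mode count size when  flags
/var/log/wtmp                         644  7     *    $W6D4 B
/var/log/failedlogin    root:wheel    600  7     250  *     B
```

The size column is in kilobytes, so failedlogin is rotated once it passes 250 KB and at most 7 old copies are kept; `$W6D4` rotates wtmp weekly at 04:00 on Saturday regardless of size. Rotated copies are named failedlogin.0, failedlogin.1 and so on, and because no Z flag is set they stay uncompressed, so they remain readable with `last -f /var/log/failedlogin.0`; add Z if disk space matters more than convenient reading. `newsyslog -nv` prints what would be rotated without doing it, which is the check to run after editing the file.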

#7, 1st June 2020, jggimi (More noise than signal, USA)

Hello, and welcome!

My recollection is that sshd(8) logs failed attempts in /var/log/authlog, and if passwords are not permitted login(1) won't be called. Either I'm wrong in my recollection, or perhaps you have a provisioning error permitting passwords or command/response.

My sshd(8) services are protected by PF. Since the only ssh clients connecting to my Internet-facing servers are running OpenBSD, I use OS fingerprinting to block traffic from any other OS. And even then, keys with passphrases are required.

#8, 31st October 2020, psypro (Package Pilot, Europe)

Add IPs from /var/log/authlog to pf.

See my post: http://daemonforums.org/showthread.php?t=10115

It is an old post, not an optimal solution, but enough to get you started.

It's a good idea to do something:

  • Let PF stop some attacks.
  • The log file becomes easier to learn from, since there is less data to comprehend.
  • Save disk space.
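The pf side that e1-531g (#2) and psypro (#8) describe, written out as an added example rather than any poster's ruleset: a persistent table of offending addresses that pf fills by itself when a source opens too many ssh connections in a short window, and that can also be fed by hand with addresses pulled from /var/log/authlog. It assumes the Internet-facing interface is in the egress group and that sshd(8) listens on port 22; the rate 5/60 is a starting point, not a recommendation.

```conf
# /etc/pf.conf fragment (added example; interface group and thresholds are assumptions)

# Persistent table: it survives ruleset reloads and can be filled either by the
# overload rule below or by hand with: pfctl -t bruteforce -T add <address>
table <bruteforce> persist

# Anything already in the table is dropped before the pass rules are consulted.
block in quick on egress from <bruteforce>

# Allow ssh, but a source that opens more than 5 connections within 60 seconds
# is added to <bruteforce>, and "flush global" tears down every state it holds.
pass in on egress proto tcp to (egress) port ssh \
    keep state (max-src-conn-rate 5/60, overload <bruteforce> flush global)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. `pfctl -t bruteforce -T show` lists who has been caught, and `pfctl -t bruteforce -T expire 86400` (from cron, for instance) drops entries older than a day so that a few mistyped passphrases from your own address do not lock you out for good. With the overload in place far fewer attempts reach login(1), so failedlogin grows much more slowly, which is the disk-space point psypro makes.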

#9, 1st November 2020, johnR (Fdisk Soldier)

Quote:
Originally Posted by k1elt
  • How do you view the /var/log/failedlogin and /var/log/lastlog files?
I too am wondering how to do this. Unlike most of the other log files, these contain binary data and can't be read in a text viewer. So far I've been unable to find an answer either in the man pages or by a web search.

EDIT - Just noticed last(1) was mentioned in an earlier post, but that doesn't appear to be using the lastlog file (it shows a lot of info even after clearing the lastlog file).

Last edited by johnR; 1st November 2020 at 09:29 AM.

1st November 2020, IdOp (Too dumb for a smartphone)

Does the -f option of last(1) help?

1st November 2020, johnR (Fdisk Soldier)

Quote:
Originally Posted by IdOp
Does the -f option of last(1) help?
That works. Thanks!
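Putting together the two pieces the thread arrives at, `last -f` for reading the binary file (IdOp) and a script that extracts the most common offending hosts (e1-531g in #2), as an added example that is not from any poster: POSIX sh with awk. It assumes the column order last(1) prints for these records (user, tty, host, then the date) and embeds a constructed sample of such output so it can be tried without touching the real file. A record with no host column has the weekday in third place, and the script counts those as (local) rather than mistaking the weekday for a host. It counts by host rather than by the user column, since the username in a failed-login record is whatever the remote side typed.

```sh
#!/bin/sh
# Added example: summarise which hosts produced the records in /var/log/failedlogin.
# Assumes last(1) prints "user tty host weekday ..." for each record, followed by a
# "failedlogin begins <date>" trailer line.
set -eu

# top_failed_hosts: read last(1)-style output on stdin and print "count host"
# lines, most frequent first.
top_failed_hosts() {
    awk '
        # Blank lines and the "<file> begins <date>" trailer are not records.
        NF < 4 || $2 == "begins" { next }
        {
            # An empty host column shifts the weekday into $3; count those as
            # local (console) failures instead of treating "Sun" as a host.
            host = ($3 ~ /^(Sun|Mon|Tue|Wed|Thu|Fri|Sat)$/) ? "(local)" : $3
            count[host]++
        }
        END { for (h in count) print count[h], h }
    ' | sort -rn -k1,1
}

# Constructed sample in the shape of "last -f /var/log/failedlogin" output
# (addresses from the documentation ranges, not real hosts).
SAMPLE='root      ssh      203.0.113.7      Sun May 31 10:00 - 10:00  (00:00)
admin     ssh      203.0.113.7      Sun May 31 10:01 - 10:01  (00:00)
test      ssh      198.51.100.23    Sun May 31 10:02 - 10:02  (00:00)
root      ssh      203.0.113.7      Sun May 31 10:03 - 10:03  (00:00)
root      ttyC0    Sun May 31 10:04 - 10:04  (00:00)

failedlogin begins Sun May 31 09:00:00 2020'

# Stand-alone use: read the real file when last(1) and the file are available
# (run as root, the file is not world-readable), otherwise run on the sample.
if command -v last >/dev/null 2>&1 && [ -r /var/log/failedlogin ]; then
    last -f /var/log/failedlogin | top_failed_hosts | head -n 20
else
    printf '%s\n' "$SAMPLE" | top_failed_hosts
fi
```

On the sample the first line printed is `3 203.0.113.7`, followed by one line each for 198.51.100.23 and (local). The hosts at the top of the real output are the candidates for psypro's approach of adding addresses to a pf table, and the same pipeline works on a rotated copy with `last -f /var/log/failedlogin.0`.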