/var/log/failedlogin and lastlog are huge (~6 GB)
Hi everyone,
My /var is filling up. Two files in /var/log look abnormally huge:
I suppose these logs are from a computer connected to the Internet, and mostly these are failed attempts from some kind of remote attack. I don't think that at that point it is worth inspecting these files manually, except for the purpose of writing a script extracting the most common misbehaving IPs.
Yes, you should limit their size. Apart from measures such as log rotation, another common advice is to use pf for blocklisting IPs attempting to log in too many times in too short a time span. As a less common, additional measure, some people advise making the filesystem for /var/log a separate partition, because it's faster to create a new filesystem from scratch and extract the needed files from the appropriate tarball than to remove big and fragmented files.
Personally I would create a compressed backup of these files first, then empty/truncate the file using:
Code:
echo "" > /var/log/failedlogin
I guess it's safe for me to stop worrying about what is in /var/log/failedlogin since my sshd only accepts keys.
I will look into:
I'll also back up the /var/log/failedlogin before I zero it out per your instructions. Thank you very much for your response. I appreciate your help.
There is an amazing book about pf: Book of PF, 3rd Edition by Peter N. M. Hansteen.
1. man -k any=<something>
2. Yes, but definitely see why they are filling up. Mine are tiny.
3. newsyslog.conf(5): pay attention to the flags field. /var/log/wtmp is a similar log, for an existing example.
Add IPs from /var/log/authlog to pf
See my post: http://daemonforums.org/showthread.php?t=10115 It is an old post, not an optimal solution, but enough to get you started. Good idea to do something:
- Let PF stop some attacks
- The log file becomes easier to learn from, since there is less data to comprehend
- Save disk space
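A script of the kind the post above suggests, extracting the most frequent offending addresses from sshd's authlog lines so they can be fed into a pf table, as an added example that is not from this thread. The log lines are constructed, and the pf table name <bruteforce> is an assumption.

```sh
#!/bin/sh
# Count failed sshd logins per source address in authlog-format lines.
# Constructed sample in OpenBSD authlog format (not taken from the thread).
SAMPLE_AUTHLOG='Nov  1 09:01:12 host sshd[1234]: Failed password for root from 203.0.113.5 port 41234 ssh2
Nov  1 09:01:15 host sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 41240 ssh2
Nov  1 09:01:17 host sshd[1236]: Invalid user oracle from 203.0.113.5 port 41250
Nov  1 09:02:01 host sshd[1240]: Failed password for invalid user test from 198.51.100.7 port 5022 ssh2
Nov  1 09:03:44 host sshd[1250]: Accepted publickey for johnr from 192.0.2.10 port 50000 ssh2: ED25519 SHA256:AAAA
Nov  1 09:04:00 host sshd[1260]: Invalid user git from 203.0.113.5 port 41300'

# failed_login_ips FILE MIN
# Prints "count address" for every source that produced at least MIN
# "Failed password" or "Invalid user" sshd events, most frequent first.
# Successful logins ("Accepted ...") are deliberately not counted.
failed_login_ips() {
    awk -v min="$2" '
        /sshd\[[0-9]+\]: (Failed password for|Invalid user) / {
            # the source address is the token after the first "from"
            for (i = 1; i <= NF; i++) {
                if ($i == "from" && $(i + 1) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                    n[$(i + 1)]++
                    break
                }
            }
        }
        END { for (ip in n) if (n[ip] >= min) printf "%d %s\n", n[ip], ip }
    ' "$1" | sort -rn
}

# Demo on the constructed sample; on a real box the file would be /var/log/authlog.
demo_top_offenders() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_AUTHLOG" > "$tmp"
    failed_login_ips "$tmp" 3
    rm -f "$tmp"
}

# To feed the addresses into pf, assuming pf.conf declares a table named
# <bruteforce> that a block rule references (assumption, not from the thread):
#   failed_login_ips /var/log/authlog 10 | awk '{print $2}' | xargs pfctl -t bruteforce -T add
demo_top_offenders
```

The threshold keeps a single mistyped password from blocking a legitimate user; only sources with repeated failures are listed.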
EDIT - Just noticed last(1) was mentioned in an earlier post, but that doesn't appear to be using the lastlog file (it shows a lot of info even after clearing the lastlog file). Last edited by johnR; 1st November 2020 at 09:29 AM.
Does the -f option of last(1) help?