BTMP data contains the records of bad login attempts stored under /var/run/btmp. The BTMP file reveals invalid login attempts and where they originated.


The data here shows not only the date of the invalid login but also, if available, the date of the previous entry, which can help bracket times if the log file was tampered with to hide activity.

{
    "entry_number": 0,
    "type": 0,
    "type_name": "",
    "pid": 0,
    "device": "",
    "id": "",
    "username": "",
    "hostname": "",
    "exit_status": {
        "termination": 0,
        "exit": 0
    },
    "session": 0,
    "date": {
        "created": "",
        "created_previous_entry": "",
        "created_minutes": 0
    },
    "ip_address": "",
    "reserved": ""
}
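One way to use `created_previous_entry` for bracketing, as an added example that is not part of the original page or the tool's own code. It assumes the records arrive as a JSON list in the layout above and that the dates are ISO 8601 strings (the page does not show the timestamp format); the sample records are constructed.

```python
import json
from datetime import datetime

# Constructed sample records (not real data), trimmed to the fields used here.
# Assumption: timestamps are ISO 8601 strings; the page does not show a format.
SAMPLE = json.loads("""[
 {"entry_number": 0, "username": "root",
  "date": {"created": "2024-03-01T10:00:00", "created_previous_entry": ""}},
 {"entry_number": 1, "username": "admin",
  "date": {"created": "2024-03-01T10:05:00", "created_previous_entry": "2024-03-01T10:00:00"}},
 {"entry_number": 2, "username": "root",
  "date": {"created": "2024-03-01T09:00:00", "created_previous_entry": "2024-03-01T10:05:00"}},
 {"entry_number": 3, "username": "oracle",
  "date": {"created": "2024-03-01T10:20:00", "created_previous_entry": "2024-03-01T09:00:00"}},
 {"entry_number": 4, "username": "root",
  "date": {"created": "", "created_previous_entry": "2024-03-01T10:20:00"}}
]""")


def parse_ts(value):
    """Return a datetime, or None for an empty or unparseable value."""
    try:
        return datetime.fromisoformat(value) if value else None
    except ValueError:
        return None


def find_anomalies(records):
    """Flag entries whose timestamp is missing or earlier than the previous
    entry's, and bracket each one between its neighbours' timestamps."""
    records = sorted(records, key=lambda r: r["entry_number"])
    findings = []
    for i, rec in enumerate(records):
        created = parse_ts(rec["date"]["created"])
        previous = parse_ts(rec["date"]["created_previous_entry"])
        if created is not None and (previous is None or created >= previous):
            continue  # timestamp present and not earlier than the previous entry
        later = (parse_ts(r["date"]["created"]) for r in records[i + 1:])
        findings.append({
            "entry_number": rec["entry_number"],
            "reason": "missing" if created is None else "out of order",
            "not_before": previous,                            # lower bound
            "not_after": next((t for t in later if t), None),  # upper bound, if any
        })
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE):
        print(finding)
```

An out-of-order timestamp can also come from a system clock change, so a finding is a lead to corroborate against other logs rather than proof of tampering.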


