/dev/root size keeps going up

Hi,

I have been noticing my new Linode's df -m values every day and they have been increasing more and more. Here's the output from today:

root@hydrogen:~# df -m
Filesystem     1M-blocks  Used Available Use% Mounted on
/dev/root          19907  1428     17453   8% /
devtmpfs             492     0       492   0% /dev
tmpfs                495     0       495   0% /dev/shm
tmpfs                495    51       444  11% /run
tmpfs                  5     0         5   0% /run/lock
tmpfs                495     0       495   0% /sys/fs/cgroup
tmpfs                 99     0        99   0% /run/user/0

Are these the log files? Because in just 4 days they've crept up to 8% + 11%, I'm fearing that they will consume all my server space soon. Any idea, if it is the logs, how to clear them out?

Thanks

6 Replies

The best way to know if it's the log files is to check. /var/log/ is where most of them will be located. You can keep log files trimmed and maintained by "rotating" them. More info here: http://linuxcommand.org/man_pages/logrotate8.html

Thanks for your reply. I have monitored /var/log through the du -sh command and found that the btmp file is increasing massive amounts every day. Could you please tell me what I can do to stop it growing, and can I delete it in the meantime? It is occupying 700MB now!

Did you see that I recommended logrotate?

What logrotate does is split your log file into multiple files, and then you can choose for how many days or what file size you want before it starts to delete old logs. I don't know what distro you're running but I suggest Googling for "logrotate" and your distro.

Some more information on logrotate: http://www.thegeekstuff.com/2010/07/logrotate-examples

Thanks, I will check it out.

I am sorry but the user FelicianoTech above gave some horrible advice.

The file /var/log/btmp contains bad/failed login attempts and should be taken seriously, not just logrotate'ed. First read the man page for "lastb" (man lastb) and see the command line parameters. Then see who is brute forcing your server and which particular service they are hitting.

For example, if you see brute force attacks on the ssh port, then it is a good idea to change the port and add some extra protection layer (like whitelisted IP addresses, disable password logins and enforce keys, etc). But it all depends on the service that is being abused.

Once you solve the brute force problem, you may see how to logrotate the btmp file.

If your btmp file is growing into a huge size, then someone is trying to brute force your server. You should use something like fail2ban or similar, to slow down the attackers.

Every failed login attempt gets logged in btmp.
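
As an added example, not part of any reply above: a small Python reader for /var/log/btmp that counts failed logins per source, per service and per attempted user, which is the same data lastb prints. It assumes the 384-byte glibc `struct utmp` record layout of x86/x86_64 Linux; the function names and the sample records are constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

# Assumed record layout: glibc `struct utmp` on x86/x86_64 Linux (384 bytes).
# Other ABIs may differ, so check the size before trusting the output.
UTMP = struct.Struct("<h2xi32s4s32s256shhiii16s20x")

def _text(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_btmp(data):
    """Yield (user, line, source) for every complete record in a btmp image."""
    usable = len(data) - len(data) % UTMP.size  # skip a truncated final record
    for off in range(0, usable, UTMP.size):
        rec = UTMP.unpack_from(data, off)
        user, line, host, addr = _text(rec[4]), _text(rec[2]), _text(rec[5]), rec[11]
        if not host and any(addr):  # fall back to the binary address field
            host = str(ipaddress.ip_address(addr if any(addr[4:]) else addr[:4]))
        yield user, line, host or "(local)"

def summarize(data, top=5):
    """Count failed logins per source, per service and per attempted user."""
    sources, services, users = Counter(), Counter(), Counter()
    for user, line, source in parse_btmp(data):
        sources[source] += 1
        services[line.split(":")[0]] += 1  # "ssh:notty" -> "ssh"
        users[user] += 1
    return {k: c.most_common(top) for k, c in
            (("sources", sources), ("services", services), ("users", users))}

def _rec(user, line, host, addr=b""):
    """Build one constructed record for the sample below."""
    return UTMP.pack(6, 0, line.encode(), b"", user.encode(), host.encode(),
                     0, 0, 0, 0, 0, addr)

# Constructed sample data (documentation address ranges), plus a torn tail.
SAMPLE = b"".join(
    [_rec("root", "ssh:notty", "203.0.113.7")] * 3
    + [_rec("admin", "ssh:notty", "203.0.113.7"),
       _rec("root", "ssh:notty", "198.51.100.23"),
       _rec("git", "ssh:notty", "", bytes([192, 0, 2, 9]))]
) + b"\0" * 10

if __name__ == "__main__":
    # On a real host, pass open("/var/log/btmp", "rb").read() instead (needs root).
    print(summarize(SAMPLE))
```

A source that dominates the "sources" list for one service is the candidate for a fail2ban jail or a firewall rule; once that is in place, rotating btmp keeps the file small.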
