Check the login history on your server

Linux has a command that shows details about the most recent logins on the server. The command is last, and it has a sister command, lastb. We'll briefly discuss both of them.

Run the last command without any arguments and you will see the full list of logins. Linux keeps this list in /var/log/wtmp. Run it as last -n and you will see only the last n logins, for example:

root@web [~]# last -6
root     pts/0        192.168.2.33    Fri May 12 11:04   still logged in
root     pts/0        192.168.2.33    Wed May  3 14:42 - 16:20  (01:38)
root     pts/0        192.168.2.33    Mon May  1 07:50 - 09:07  (01:17)
root     pts/0        192.168.2.9     Fri Apr 28 12:19 - 14:29  (02:09)
root     pts/0        192.168.2.9     Thu Apr 27 06:08 - 09:17  (03:09)
root     pts/0        192.168.2.9     Sun Apr 23 11:29 - 12:20  (00:50)

wtmp begins Mon Aug 24 11:33:10 2015
root@web [~]#

To see the last logins for a specific user, use last -n user. The syntax of the command is:

Usage: last [-num | -n num] [-f file] [-t YYYYMMDDHHMMSS] [-R] [-adioxFw] [username..] [tty..]
-num = how many entries the command will show
-f = what file to use; by default the command will read data from /var/log/wtmp file
-t = look for the logins on a specific date
-R = the IP/hostname will not be displayed
-F = print full login and logout dates
-w = display full username and domains

For example, to display the last three logins for user root with full login and logout dates, use:

root@web [~]# last -3 -F root
root     pts/0        192.168.2.33     Fri May 12 11:04:30 2017   still logged in
root     pts/0        192.168.2.33     Wed May  3 14:42:05 2017 - Wed May  3 16:20:11 2017  (01:38)
root     pts/0        192.168.2.33     Mon May  1 07:50:57 2017 - Mon May  1 09:07:59 2017  (01:17)

wtmp begins Mon Aug 24 11:33:10 2015
root@web [~]#

The lastb command has the same options as the last command, and it displays the failed logins. This command takes its data from the /var/log/btmp file. A sample output looks like:

root@web [~]# lastb -5
friends  ssh:notty    220.225.230.1    Fri May 12 00:20 - 00:20  (00:00)
friends  ssh:notty    220.225.230.1    Fri May 12 00:20 - 00:20  (00:00)
friends  ssh:notty    220.225.230.1    Fri May 12 00:20 - 00:20  (00:00)
friends  ssh:notty    220.225.230.1    Fri May 12 00:20 - 00:20  (00:00)
test1    ssh:notty    220.225.230.1    Thu May 11 00:09 - 00:09  (00:00)

btmp begins Tue May  2 19:57:23 2017
root@web [~]#

The lastb syntax is:

Usage: lastb [-num | -n num] [-f file] [-t YYYYMMDDHHMMSS] [-R] [-adioxFw] [username..] [tty..]
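
As an added example (not part of the original post), the shell function below totals lastb-style output per source address, so repeated failures from one host stand out. The function names, the default threshold and the sample lines (documentation-range addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise failed logins per source address from lastb-style text.
# Reads lastb output on stdin and prints "failures distinct_users source" for
# every source with at least $1 failures (default 3), busiest source first.
failed_by_source() {
    threshold="${1:-3}"
    awk -v min="$threshold" '
        NF < 3 { next }                               # skip blank or short lines
        $1 ~ /^[bw]tmp$/ && $2 == "begins" { next }   # skip the "btmp begins" trailer
        {
            src = $3                                  # third column: remote host
            fails[src]++
            # count each user name only once per source
            if (!((src, $1) in seen)) { seen[src, $1] = 1; users[src]++ }
        }
        END {
            for (s in fails)
                if (fails[s] >= min)
                    printf "%d %d %s\n", fails[s], users[s], s
        }
    ' | sort -k1,1nr -k3,3
}

# Constructed sample in the same layout as the lastb output shown above.
sample_btmp() {
    cat <<'EOF'
friends  ssh:notty    203.0.113.7      Fri May 12 00:20 - 00:20  (00:00)
friends  ssh:notty    203.0.113.7      Fri May 12 00:20 - 00:20  (00:00)
friends  ssh:notty    203.0.113.7      Fri May 12 00:20 - 00:20  (00:00)
friends  ssh:notty    203.0.113.7      Fri May 12 00:20 - 00:20  (00:00)
test1    ssh:notty    203.0.113.7      Thu May 11 00:09 - 00:09  (00:00)
admin    ssh:notty    198.51.100.20    Wed May 10 03:14 - 03:14  (00:00)
root     ssh:notty    198.51.100.20    Wed May 10 03:15 - 03:15  (00:00)

btmp begins Tue May  2 19:57:23 2017
EOF
}

# Stand-alone run on the constructed sample.
# On a live server (as root) the input would be: lastb -i | failed_by_source 5
sample_btmp | failed_by_source 3
```

A source that fails against several distinct user names (second column of the summary) usually indicates user-name guessing rather than a single user mistyping a password.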
