How to Use last and lastb for User Login History
Tracking user login history is an essential aspect of system administration, security auditing, and troubleshooting in Linux and Unix-like operating systems. Two valuable command-line tools that help in monitoring user logins are last and lastb. This article will delve into these commands, their functionalities, and how to use them effectively to maintain and review user login history.
Understanding the Basics
Before we dive into the commands themselves, it is crucial to understand what they do:
- last: This command displays the login history of users. It retrieves data from the /var/log/wtmp file, which records all login sessions, including successful and terminated logins.
- lastb: In contrast, lastb shows the login attempts that failed. It retrieves its information from the /var/log/btmp file, which keeps track of unsuccessful login attempts. This can be particularly useful for identifying potential security threats, such as unauthorized access attempts.
Installing Required Packages
Before using these commands, ensure that your Linux distribution has them installed. Most distributions come with last and lastb pre-installed, but if you encounter issues, you can install them via your package manager. For instance, on Debian-based systems like Ubuntu, you can use:
sudo apt update
sudo apt install util-linux
On Red Hat-based systems like CentOS, you can run:
sudo yum install util-linux
Using the last Command
The last command is straightforward and user-friendly. To see the login history, simply open your terminal and type:
last
This command will display a list of the most recent logins, including the username, terminal, IP address (if applicable), and login time. The output may look something like this:
username pts/0 192.168.1.10 Mon Oct 15 10:23 - 10:40 (00:16)
username pts/1 192.168.1.12 Mon Oct 15 09:15 - 09:30 (00:14)
Options for last
- Limit the number of entries: If you want to limit the output to a certain number of entries, you can specify the number directly. For example, to display the last 5 logins, use:
last -n 5
- Show logins for a specific user: To filter the logins by a specific user, add the username at the end of the command. For instance:
last username
- Display logs for a specific terminal: You can also view logs for a particular terminal, like tty1 or pts/0:
last pts/0
- Use the -F option: If you want to see the full date and time format for logins, use:
last -F
Using the lastb Command
The lastb command works similarly to last, but it focuses on failed login attempts. This is vital for security monitoring. To see the failed login attempts, type:
lastb
The output will include information about failed logins, including the username and IP address from which the login was attempted:
username pts/0 192.168.1.14 Mon Oct 15 10:00 - 10:01 (00:00)
Options for lastb
- Limit the number of entries: Similar to last, you can limit the output. For example, to view the last 5 failed login attempts:
lastb -n 5
- Filter by user: You can also check failed attempts for a specific user:
lastb username
- Check for a specific terminal: This can also be done with lastb, allowing you to investigate particular sessions:
lastb pts/0
Interpreting last Output
Each line of last output contains the following fields:
- Username: The account name of the user who logged in.
- Terminal: Indicates the terminal line used for the login.
- IP Address: Shows the IP address from where the login occurred (if applicable).
- Date and Time: The login date and time.
- Duration: The duration of the session. If the user is currently logged in, it will show the time they have been logged in.
Interpreting lastb Output
The output structure is similar to last, but it focuses on failed attempts. Here, pay attention to:
- Frequent Failed Attempts: A user with many failed attempts may indicate a brute-force attack.
- Unknown Users: If you notice attempts to log in with unknown usernames, it’s crucial to investigate further.
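The two checks above can be scripted. The following is an added example, not part of the original article: it counts failed attempts per source and lists attempted usernames that have no local account. The function names (sample_lastb, failed_by_source, unknown_users) are hypothetical and the sample lines are constructed.

```sh
#!/bin/sh
# Added example: summarise lastb output read from stdin.

# Constructed sample in the default lastb layout: user, tty, host, timestamp.
# The last attempt is a local tty login, so its host column is empty.
sample_lastb() {
cat <<'EOF'
root     ssh:notty    203.0.113.7      Mon Oct 15 10:00 - 10:00  (00:00)
admin    ssh:notty    203.0.113.7      Mon Oct 15 10:00 - 10:00  (00:00)
oracle   ssh:notty    203.0.113.7      Mon Oct 15 10:01 - 10:01  (00:00)
alice    ssh:notty    192.168.1.14     Mon Oct 15 10:05 - 10:05  (00:00)
alice    tty1                          Mon Oct 15 10:09 - 10:09  (00:00)

btmp begins Mon Oct  1 00:00:01 2018
EOF
}

# Frequent failed attempts: print "count source" for every source with at
# least $1 failures (default 3), highest count first.
failed_by_source() {
  awk -v min="${1:-3}" '
    NF < 4 || $2 == "begins" { next }   # skip blank and "btmp begins" lines
    {
      # With no host column, field 3 is the weekday: treat that as local.
      src = ($3 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) ? "local" : $3
      n[src]++
    }
    END { for (s in n) if (n[s] >= min) print n[s], s }' | sort -rn
}

# Unknown users: print each attempted username (once, in order of first
# appearance) that has no entry in the passwd-format file $1.
unknown_users() {
  awk '
    FNR == NR { split($0, f, ":"); known[f[1]] = 1; next }  # first file: passwd
    NF < 4 || $2 == "begins" { next }
    !($1 in known) && !seen[$1]++ { print $1 }' "${1:-/etc/passwd}" -
}

# Demo on the constructed sample.
sample_lastb | failed_by_source 3
```

On a live system, pipe the real data in, for example `sudo lastb -w | failed_by_source 5` and `sudo lastb -w | unknown_users`; reading /var/log/btmp usually requires root. The -w option prints full usernames, which matters because truncated names would not match their /etc/passwd entries.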