Previously, I explored how to view all the users that are currently logged into my Linux server. A natural extension of that is to see all users who have logged into the server in the past. While current sessions are tracked in the utmp file, past logins and logouts are recorded in the wtmp (wtmpx on some Unixes) file.
One way is to use the `last` command. My regular work laptop’s `last` output is rather boring:
```
wesley   pts/7        :0.0             Wed Feb 15 19:57 - 20:42  (00:44)
wesley   pts/6        :0.0             Tue Feb 14 20:53 - 21:18  (00:25)
wesley   pts/5        :0.0             Tue Feb 14 20:46   still logged in
wesley   pts/4        :0.0             Tue Feb 14 17:02 - 20:46  (03:43)
wesley   pts/3        :0.0             Tue Feb 14 16:34   still logged in
wesley   pts/2        :0.0             Tue Feb 14 16:25 - 16:26  (00:01)
wesley   pts/1        :0.0             Tue Feb 14 16:24   still logged in
wesley   tty1         :0               Tue Feb 14 12:28   still logged in
reboot   system boot  22.214.171.124-97.fc1 Tue Feb 14 12:27 - 22:41 (1+10:14)
wesley   tty1         :0               Tue Feb 14 09:19 - down   (00:58)
```
If there is a specific user that you’d like to hone in on, use `last [username]`:

```
# last root
root     pts/0        [ip removed].    Tue Feb 14 18:22   still logged in
root     pts/0        [ip removed].    Sun Feb 12 00:42 - 01:50  (01:07)
root     pts/0        [ip removed].    Sat Feb 11 16:24 - 19:41  (03:17)
root     pts/0        [ip removed].    Sat Feb 11 16:21 - 16:23  (00:02)
```
A useful switch when trying to hone in on remote logins is `-a`, which moves the hostname column to the end of the table so long names don’t get truncated. `-d` will additionally do a reverse lookup on remote IP addresses and show the hostname instead. A useful way to use this is to see from which IP addresses and hosts a certain user account accesses your server. In my case, I know that only two people should theoretically have access to a certain FTP address. If I see that user account logging in from IP blocks in Namibia, I should probably be worried.
Another place to look for past logins is the /var/log/secure log files. They will also show failed login attempts, which wtmp does not. You could perform the following to find certain strings that show whatever events you’re interested in:

```
cat secure* | grep Accepted
```

However, you will be in peril of winning a “Useless Use of Cat Award”.
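Grepping for `Accepted` tells you that something succeeded; the useful follow-up questions are who logged in from where, and which sources are hammering the box with failures (the same thing `lastb` summarises from btmp). This added example (mine, not from the page) parses the standard sshd lines found in /var/log/secure (Debian-family systems write the same lines to /var/log/auth.log), groups successful logins by source address per user, counts failures per source, and flags successful logins from outside the networks an account is expected to come from. The log lines, hostnames and addresses are constructed; the `allowed` map is an assumed policy you would fill in yourself.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# One sshd authentication line as written to /var/log/secure (or auth.log).
# Matches both Accepted and Failed password/publickey attempts, including
# "invalid user" ones, and captures the pieces worth aggregating.
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:(?P<invalid>invalid user) )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_secure(lines):
    """Turn sshd auth lines into event dicts; lines that don't match are skipped."""
    events = []
    for line in lines:
        m = SSHD_RE.match(line)
        if m:
            e = m.groupdict()
            e["invalid"] = e["invalid"] is not None   # True for "invalid user" attempts
            events.append(e)
    return events


def accepted_sources(events):
    """user -> set of source IPs that successfully authenticated."""
    seen = defaultdict(set)
    for e in events:
        if e["result"] == "Accepted":
            seen[e["user"]].add(e["ip"])
    return dict(seen)


def failed_by_source(events):
    """Failed attempts per source IP, which is what `lastb` shows you from btmp."""
    return Counter(e["ip"] for e in events if e["result"] == "Failed")


def unexpected_logins(events, allowed):
    """Successful logins from outside the networks an account is expected to use.

    `allowed` maps user -> list of CIDR strings (an assumed local policy). An
    account missing from the map has no expected networks, so every successful
    login for it is reported rather than silently passed.
    """
    hits = []
    for e in events:
        if e["result"] != "Accepted":
            continue
        nets = [ipaddress.ip_network(n) for n in allowed.get(e["user"], [])]
        addr = ipaddress.ip_address(e["ip"])
        if not any(addr in n for n in nets):
            hits.append((e["ts"], e["user"], e["ip"]))
    return hits


# Constructed sample lines in the standard sshd format (not real traffic).
SAMPLE_SECURE = """\
Feb 14 18:22:32 someserver sshd[2211]: Accepted password for someuser from 192.0.2.10 port 50222 ssh2
Feb 14 18:25:01 someserver sshd[2240]: Failed password for root from 203.0.113.9 port 41022 ssh2
Feb 14 18:25:04 someserver sshd[2240]: Failed password for root from 203.0.113.9 port 41022 ssh2
Feb 14 18:25:07 someserver sshd[2251]: Failed password for invalid user admin from 203.0.113.9 port 41030 ssh2
Feb 14 18:30:00 someserver sshd[2290]: Accepted publickey for wesley from 198.51.100.7 port 55000 ssh2
Feb 14 18:31:15 someserver sshd[2290]: pam_unix(sshd:session): session opened for user wesley by (uid=0)
""".splitlines()

if __name__ == "__main__":
    events = parse_secure(SAMPLE_SECURE)
    print("accepted:", accepted_sources(events))
    print("failed:  ", failed_by_source(events).most_common())
    policy = {"someuser": ["192.0.2.0/24"]}          # assumed: nothing declared for wesley
    for ts, user, ip in unexpected_logins(events, policy):
        print(f"unexpected login {ts}: {user} from {ip}")
```

On a real host feed it `open("/var/log/secure").readlines()` (and the rotated `secure-*` files, which is what the `secure*` glob above was reaching for without the `cat`: `grep Accepted secure*` does the same job in one process). Note that the syslog timestamp has no year, so when you stitch rotated files together you need the file’s mtime or the year from the rotation name to order events correctly.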
A similar but different command is `lastlog`, which by default prints out each user account that is on your machine along with the account’s last login time.

```
someuser@someserver [/]# lastlog
Username         Port     From             Latest
someuser         pts/0    [ip removed].    Tue Feb 14 18:22:32 -0500 2012
bin                                        **Never logged in**
daemon                                     **Never logged in**
adm                                        **Never logged in**
lp                                         **Never logged in**
```
`lastlog` itself merely reads /var/log/lastlog, which holds one “last login” entry per user. You can restrict how far back it looks, so that only accounts whose last login falls within a given window are shown.
As a bonus, try `lastb` to see all the failed login attempts on your machine. Prepare to weep.
How do you figure out who was logged into your server and when? What better tools do you know of? I know none of the above are truly audit-level methods. Let me know in the comments below.