last and lastb – Command Explained


As a Linux engineer, you have to protect your server, not only from the outside but also from the inside. Linux has a built-in command, last, that shows which users most recently logged in to your server. It is very useful in a security audit. The last command reads the list of successful logins from the system file /var/log/wtmp.

Example:

[root@localhost ~]# last
root     pts/2        192.168.0.155    Fri Jul 29 23:16   still logged in
vikas    pts/1        192.168.0.155    Fri Jul 29 23:16   still logged in
vikas    pts/2        192.168.0.155    Fri Jul 29 22:07 – 23:15  (01:08)
root     pts/1        192.168.0.155    Fri Jul 29 22:05 – 22:17  (00:12)
root     pts/0        192.168.0.155    Fri Jul 29 21:31   still logged in
root     tty1                                         Fri Jul 29 21:30   still logged in
reboot   system boot  2.6.32-431.el6.x Fri Jul 29 21:29 – 00:18  (02:48)
root     pts/0        192.168.0.155    Thu Jul 28 23:44 – 01:55  (02:10)
root     tty1                                         Thu Jul 28 23:05 – crash  (22:24)
reboot   system boot  2.6.32-431.el6.x Thu Jul 28 23:05 – 00:18 (1+01:13)
user1    pts/1        192.168.0.212    Wed Jul 27 18:37 – 18:46  (00:08)
root     pts/0        192.168.0.212    Wed Jul 27 23:47 – 19:25  (-4:-21)
reboot   system boot  2.6.32-431.el6.x Wed Jul 27 17:25 – 00:18 (2+06:53)
reboot   system boot  2.6.32-431.el6.x Tue Jul 26 17:15 – 00:18 (3+07:03)
root     pts/1        192.168.0.212    Mon Jul 25 22:05 – 23:56  (01:51)
root     pts/1        192.168.0.38     Mon Jul 25 20:49 – 21:07  (00:18)
root     pts/0        192.168.0.212    Mon Jul 25 20:27 – 22:28  (02:00)
root     tty1                                        Mon Jul 25 20:25 – crash  (20:49)
root     pts/0        192.168.0.212    Mon Jul 25 19:46 – 20:27  (00:41)
reboot   system boot  2.6.32-431.el6.x Mon Jul 25 16:43 – 00:18 (4+07:35)
root     pts/0        192.168.0.212    Sat Jul 23 21:13 – 23:19  (02:05)
root     tty1                                           Sat Jul 23 21:12 – crash (1+19:31)
root     pts/0        192.168.0.212    Sat Jul 23 21:07 – 21:12  (00:05)
root     pts/0        192.168.0.41     Sat Jul 23 17:39 – 19:08  (01:28)
reboot   system boot  2.6.32-431.el6.x Sat Jul 23 17:00 – 00:18 (6+07:18)
root     pts/0        192.168.0.74     Fri Jul 22 19:20 – crash  (21:39)
root     pts/0        192.168.0.25     Fri Jul 22 18:11 – 18:11  (00:00)
root     tty1                                        Fri Jul 22 17:21 – crash  (23:38)
reboot   system boot  2.6.32-431.el6.x Fri Jul 22 17:21 – 00:18 (7+06:57)
root     pts/0        192.168.0.155    Wed Jul 20 20:31 – 21:29  (00:58)
root     tty1                                         Wed Jul 20 20:27 – crash (1+20:53)
reboot   system boot  2.6.32-431.el6.x Wed Jul 20 20:27 – 00:18 (9+03:51)

wtmp begins Wed Jul 20 20:27:31 2016
[root@localhost ~]#

Where …

Column 1: Who the user is
Column 2: How the user is connected (pts = pseudo terminal, tty = teletypewriter)
Column 3: Where the user came from
Column 4: When the login activity happened

Examples:

Who logged in on tty1 (login history)

[root@localhost ~]# last tty1
root     tty1                          Fri Jul 29 21:30   still logged in
root     tty1                          Thu Jul 28 23:05 – crash  (22:24)
root     tty1                          Mon Jul 25 20:25 – crash  (20:49)
root     tty1                          Sat Jul 23 21:12 – crash (1+19:31)
root     tty1                          Fri Jul 22 17:21 – crash  (23:38)
root     tty1                          Wed Jul 20 20:27 – crash (1+20:53)

wtmp begins Wed Jul 20 20:27:31 2016
[root@localhost ~]#

Login details for user vikas

[root@localhost ~]# last vikas
vikas    pts/1        192.168.0.155    Fri Jul 29 23:16 – 00:32  (01:15)
vikas    pts/2        192.168.0.155    Fri Jul 29 22:07 – 23:15  (01:08)

wtmp begins Wed Jul 20 20:27:31 2016
[root@localhost ~]#

Login details in full view

[root@localhost ~]# last -F vikas
vikas    pts/1        192.168.0.155    Fri Jul 29 23:16:52 2016 – Sat Jul 30 00:32:13 2016  (01:15)
vikas    pts/2        192.168.0.155    Fri Jul 29 22:07:35 2016 – Fri Jul 29 23:15:42 2016  (01:08)

wtmp begins Wed Jul 20 20:27:31 2016
[root@localhost ~]#

Last reboot status

[root@localhost ~]# last reboot
reboot   system boot  2.6.32-431.el6.x Fri Jul 29 21:29 – 00:34  (03:04)
reboot   system boot  2.6.32-431.el6.x Thu Jul 28 23:05 – 00:34 (1+01:28)
reboot   system boot  2.6.32-431.el6.x Wed Jul 27 17:25 – 00:34 (2+07:08)
reboot   system boot  2.6.32-431.el6.x Tue Jul 26 17:15 – 00:34 (3+07:18)
reboot   system boot  2.6.32-431.el6.x Mon Jul 25 16:43 – 00:34 (4+07:50)
reboot   system boot  2.6.32-431.el6.x Sat Jul 23 17:00 – 00:34 (6+07:33)
reboot   system boot  2.6.32-431.el6.x Fri Jul 22 17:21 – 00:34 (7+07:12)
reboot   system boot  2.6.32-431.el6.x Wed Jul 20 20:27 – 00:34 (9+04:06)

wtmp begins Wed Jul 20 20:27:31 2016
[root@localhost ~]#

Use a file other than /var/log/wtmp

By default, the last command parses information from /var/log/wtmp. If you want last to parse another file, use the -f parameter. For example, the log may have been rotated after a certain condition. Let's say the previous file is named /var/log/wtmp.1. The last command would then look like this.

# last -f /var/log/wtmp.1

View bad logins

While the last command shows successful logins, the lastb command shows failed login attempts. You must have root access to run lastb. Here's a sample output from lastb, which parses information from /var/log/btmp.

[root@localhost log]# lastb
vikass   ssh:notty    192.168.0.155    Fri Jul 29 22:06 – 22:06  (00:00)      <—-showing unsuccessful login

btmp begins Fri Jul 29 22:06:21 2016
[root@localhost log]#

[root@localhost log]# lastb -F
vikass   ssh:notty    192.168.0.155    Fri Jul 29 22:06:21 2016 – Fri Jul 29 22:06:21 2016  (00:00)     <—–full view

btmp begins Fri Jul 29 22:06:21 2016
[root@localhost log]#
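For an audit, the raw lastb listing is usually reduced to a count of failed attempts per source address. The script below is an added example, not part of the original article: the function names and the sample lines are constructed, and the column layout (user, line, host, timestamp) is assumed to match the listings above.

```sh
#!/bin/sh
# Added example: summarise failed logins from lastb output read on stdin.

# Constructed sample in lastb format (users and addresses are made up).
sample_lastb() {
cat <<'EOF'
vikass   ssh:notty    192.168.0.155    Fri Jul 29 22:06 - 22:06  (00:00)
root     ssh:notty    192.168.0.155    Fri Jul 29 22:07 - 22:07  (00:00)
admin    ssh:notty    192.168.0.155    Fri Jul 29 22:07 - 22:07  (00:00)
root     ssh:notty    192.168.0.212    Fri Jul 29 22:09 - 22:09  (00:00)
root     tty1                          Fri Jul 29 22:10 - 22:10  (00:00)

btmp begins Fri Jul 29 22:06:21 2016
EOF
}

# Print "attempts source distinct_users", busiest source first.
failed_by_source() {
  awk '
    NF == 0 || $2 == "begins" { next }   # skip blank line and "btmp begins" trailer
    {
      # Console attempts have no host column, so field 3 is the weekday.
      src = ($3 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) ? ("local:" $2) : $3
      count[src]++
      # Many user names tried from one source suggests guessing, not a typo.
      if (!((src, $1) in seen)) { seen[src, $1] = 1; users[src]++ }
    }
    END { for (s in count) print count[s], s, users[s] }
  ' | sort -k1,1nr -k2,2
}

# Print only the sources with at least $1 failed attempts.
noisy_sources() {
  failed_by_source | awk -v min="$1" '$1 >= min { print $2 }'
}

# On a live host, as root:  lastb | failed_by_source
# A rotated file (name assumed):  lastb -f /var/log/btmp.1 | failed_by_source
sample_lastb | failed_by_source
```

A source that tries several different user names in a short time, like the first address in the sample, is the pattern worth following up in the SSH daemon's own log.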

 

Enjoy Linux ………!!

CEO, KV IT-Solutions Pvt. Ltd. | vikas@kvit.in | 9810028374|
Linux Professional and an Industrial Trainer | 20 + years Experience in IT Industry

” We are born free, No Gate and Windows can snatch our freedom “
