Who, when and from where? Good security practice says you should know who is logging in to your Linux computer. Here is how to find out.
The wtmp file
Linux and other Unix-like operating systems such as macOS are very good at logging. Somewhere in the bowels of the system there is a log of just about anything you can think of. The log file we are interested in is called wtmp. The "w" may stand for "when" or "who"; no one seems to agree. The "tmp" part probably stands for "temporary", but it has also been read as "timestamp".
What we do know is that wtmp is a log that records every login and logout event. Examining the data in the wtmp log is a fundamental step toward a security-oriented approach to system administration. On a typical home computer security may not be as critical, but it is still worth reviewing how the machine is being used.
Unlike most Linux log files, wtmp is a binary file rather than plain text. To read the data it holds we need a tool designed for the job.
That tool is the last command.
The last command
The last command reads the wtmp log and displays its records in a terminal window.
If you type last and press Enter, every record in the log file is displayed.
Each wtmp record occupies one line of output.
From left to right, each line contains:
The username of the person who logged in.
The terminal they were connected to. A terminal entry of :0 means they logged in at the Linux computer itself, on its local graphical display.
The IP address of the machine they connected from.
The date and time they logged in.
The session duration.
The final line gives the date and time of the earliest record in the log, that is, when the current wtmp file begins. Log rotation starts a fresh file, so this line also tells you how far back you can look.
A login for the pseudo-user reboot is written to the log each time the computer is started. In these entries the terminal field is replaced by the kernel version, and the session duration is the computer's uptime for that boot.
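A worked example, added here and not part of the original article, of how a security engineer turns those fields into answers. The functions read last output on stdin, so they can be fed from a live last command or from a dump saved during an investigation. The sample output, the addresses in it and the allowlist are constructed for illustration, not real log data.

```shell
#!/bin/sh
# Added example (not from the original article): triage helpers that read
# `last` output on stdin, e.g.  last | still_logged_in

# Constructed sample of plain `last` output: user, tty, source, date, duration.
SAMPLE_LAST='dave     pts/0        192.168.4.25     Sun May 26 09:16   still logged in
dave     tty2         :0               Sun May 26 09:15   still logged in
reboot   system boot  5.0.0-15-generic Sun May 26 09:14   still running
mary     pts/1        203.0.113.77     Sun May 26 03:12 - 03:13  (00:01)
mary     pts/1        192.168.4.30     Sat May 25 22:01 - 22:47  (00:46)
dave     tty2         :0               Sat May 25 16:40 - down   (02:10)
reboot   system boot  5.0.0-15-generic Sat May 25 16:39 - 18:50  (02:11)

wtmp begins Wed May  1 08:12:03 2019'

# Keep only real user sessions as "user tty source": drop the pseudo-user
# reboot, the blank line and the "wtmp begins" footer.
sessions() {
    awk 'NF >= 4 && $1 != "reboot" && $1 != "wtmp" { print $1, $2, $3 }'
}

# Sessions with no logout time yet, printed as user@tty.
still_logged_in() {
    grep 'still logged in' | awk '{ print $1 "@" $2 }'
}

# Sessions whose source is not in the space-separated allowlist given as $1.
# The local display appears as ":0", so include it if console logins are normal.
unexpected_sources() {
    sessions | awk -v allow=" $1 " 'index(allow, " " $3 " ") == 0'
}

# Run against the constructed sample (assumed allowlist of known sources).
printf '%s\n' "$SAMPLE_LAST" | still_logged_in
printf '%s\n' "$SAMPLE_LAST" | unexpected_sources "192.168.4.25 192.168.4.30 :0"
```

On a real machine, pipe last into the functions without -R, since the source field is what the checks need. A line such as mary logging in from 203.0.113.77 for one minute at 03:12 is exactly the kind of record these filters are meant to surface.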
Display of a specific number of lines
Running last on its own dumps the entire log, most of which scrolls past the top of the terminal window. What remains visible is the oldest data in the log, which is probably not what you wanted to see.
You can tell last to give you a specific number of output lines by putting that number on the command line. Note the hyphen: to see five lines you type -5, not 5:
This gives the first five lines of last's output, which are the most recent records.
Display network names for remote users
The -d (DNS) option tells last to try to resolve remote users' IP addresses to hostnames.
It isn't always possible to resolve an IP address to a name, but last will do so when it can. The lookup is a reverse DNS query made when you run last, not when the login was recorded, and the name it returns is controlled by whoever controls that address block, so treat the address as the fact and the name as a hint.
Hiding IP addresses and network names
If you are not interested in the IP address or hostname, use the -R (no hostname) option to drop that field.
Because this gives tidier output without ugly line wrapping, it is used in most of the examples that follow. If you were using last to hunt for unusual or suspicious activity, you would keep that field: the source address is the first thing you need.
Selecting records by date
You can use the -s (since) option to restrict the output to login events that have occurred since a given date.
To see the login events since May 26, 2019, use:
last -R -s 2019-05-26
The output shows the login events from 00:00 on the specified day up to the most recent record in the log.
Searching up to an end date
The -t (until) option specifies an end date. Combined with -s it selects the records that fall between two dates of interest.
Adding -t 2019-05-27 to the previous command asks last for the login records from 00:00 on the 26th up to 00:00 on the 27th, which narrows the list to sessions that began on the 26th.
Time and date formats
Both -s and -t accept times as well as dates.
According to the man page, the formats that can be used with the options that take a date and time are:
YYYYMMDDhhmmss
YYYY-MM-DD hh:mm:ss
YYYY-MM-DD hh:mm – seconds are set to 00
YYYY-MM-DD – time is set to 00:00:00
hh:mm:ss – date is set to today
hh:mm – date is set to today, seconds to 00
yesterday – time is set to 00:00:00
today – time is set to 00:00:00
tomorrow – time is set to 00:00:00
now – today, at the current time
The second and third formats in the list, the ones with a space between the date and the time, appeared not to work when researching this article. The commands were tested on Ubuntu, Fedora and Manjaro, derivatives of Debian, Red Hat and Arch respectively, which covers the major Linux distribution families. The cause is the shell rather than last: unless the date and time are quoted as a single argument, the shell splits them in two, and last treats the stray time as a username or terminal to filter on, which matches nothing.
last -R -s 2019-05-26 11:00 -t 2019-05-27 13:00
As you can see, the command returned no records. Quoting each date-and-time pair, as in last -R -s "2019-05-26 11:00" -t "2019-05-27 13:00", avoids the problem.
Using the first format in the list, which contains no space, with the same dates and times as the previous command returns records:
last -R -s 20190526110000 -t 20190527130000
Searching by relative units
You can also specify periods in minutes or days relative to the current date and time. Here we ask for records from two days ago up to one day ago. Write the number and unit together, with no space, or quote them, for the same reason as above.
last -R -s -2days -t -1days
Yesterday, today and now
The shorthands yesterday and today can be used in place of dates.
last -R -s yesterday -t today
Note that this won't include any records for today. That is expected: the command asks for records from the start date up to the end date, and the end date itself, 00:00 today, is the cut-off, so sessions that began today are excluded.
The shorthand now means "today, at the current time". To see the login events from 00:00 today until the moment you run the command, use:
last -R -s today -t now
This shows all of today's login events, including sessions that are still logged in.
The present option
The -p (present) option tells you who was logged in at a given time.
It doesn't matter when they logged in or out; if they were logged in to the computer at the time you specify, they are included in the list.
If you give a time without a date, last assumes you mean today.
last -R -p 09:30
People who are still logged in obviously have no logout time; they are listed as still logged in. If the computer hasn't been rebooted since the specified time, the reboot entry is listed as still running.
Using the shorthand now with -p (present) shows who is logged in at the moment you run the command.
last -R -p now
That is still a long way from everything the last command can do.
The lastb command
The lastb command deserves a mention. It reads a log called btmp. There is a little more consensus on this log's name: the "b" stands for bad, though the "tmp" part is still debated.
lastb lists failed login attempts. It accepts the same options as last. Because the attempts failed, every entry has a duration of 00:00.
You must use sudo with lastb, because btmp is readable only by root: it can contain passwords that users mistakenly typed into the username field.
sudo lastb -R
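An added example, not from the original article, of combining lastb with last as the closing section recommends: count failures per source address in lastb output, then flag any successful login in last output that came from a source which had been failing first, the classic guess-then-get-in pattern. Both inputs are constructed samples written to a temporary directory; the threshold of three failures is an assumption, and the functions take file paths so real dumps from sudo lastb and last can be passed in the same way.

```shell
#!/bin/sh
# Added example (not from the original article): brute-force detection and
# failure/success correlation over saved lastb and last output.

# Constructed sample of `sudo lastb` output (same columns as last).
SAMPLE_LASTB='root     ssh:notty    203.0.113.77     Sun May 26 03:10 - 03:10  (00:00)
admin    ssh:notty    203.0.113.77     Sun May 26 03:10 - 03:10  (00:00)
root     ssh:notty    203.0.113.77     Sun May 26 03:09 - 03:09  (00:00)
mary     ssh:notty    203.0.113.77     Sun May 26 03:11 - 03:11  (00:00)
dave     tty2         :0               Sat May 25 16:39 - 16:39  (00:00)
root     ssh:notty    198.51.100.9     Sat May 25 02:00 - 02:00  (00:00)

btmp begins Wed May  1 08:12:03 2019'

# Constructed sample of `last` output covering the same period.
SAMPLE_LAST='mary     pts/1        203.0.113.77     Sun May 26 03:12 - 03:13  (00:01)
dave     pts/0        192.168.4.25     Sun May 26 09:16   still logged in
reboot   system boot  5.0.0-15-generic Sun May 26 09:14   still running

wtmp begins Wed May  1 08:12:03 2019'

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf '%s\n' "$SAMPLE_LASTB" > "$WORK/lastb.txt"
printf '%s\n' "$SAMPLE_LAST"  > "$WORK/last.txt"

# Read lastb output on stdin; print "source failures distinct_users" for every
# source with at least $1 failures (default 3). Skips the blank line and footer.
failed_sources() {
    awk -v min="${1:-3}" '
        NF >= 4 && $1 != "btmp" { fails[$3]++; if (!seen[$3, $1]++) users[$3]++ }
        END { for (h in fails) if (fails[h] >= min) print h, fails[h], users[h] }' |
    LC_ALL=C sort
}

# $1 = lastb output file, $2 = last output file, $3 = failure threshold.
# Prints "user source" for each successful login from a source that had at
# least $3 failures. (FNR == NR is the usual two-file awk idiom; it assumes the
# first file is not empty.)
compromised_logins() {
    awk -v min="${3:-3}" '
        FNR == NR { if (NF >= 4 && $1 != "btmp") fails[$3]++; next }
        NF >= 4 && $1 != "reboot" && $1 != "wtmp" && fails[$3] >= min { print $1, $3 }
    ' "$1" "$2"
}

# Run on the samples: the password-guessing source is 203.0.113.77, and mary's
# login from it one minute after the last failure is the record to investigate.
failed_sources 3 < "$WORK/lastb.txt"
compromised_logins "$WORK/lastb.txt" "$WORK/last.txt" 3
```

On a live system, save sudo lastb and last output to files first, then pass those paths to compromised_logins; the lastb dump needs root, the last dump does not.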
The last word on the subject
Knowing who has logged in to your Linux computer, when and from where, is essential. Combine that with the record of failed login attempts and you have the beginnings of a search for suspicious behaviour.