Who has accessed your computer? login info commands
Your computer/server has several user accounts and you want to check who logged in? There are several system commands you can use.
Table of Contents
Check who is currently connected to a terminal.
who displays username (who), terminal name (where), login time (when) and IP address if connected from other computer.
$ who ricardo tty7 2022-04-05 11:40 (:0)
last shows a listing of last logged users (or only one user if specified). There are several available parameters but the most important one is
-s <time>, to display logins since the specified time.
# Display logins from last 24 hours last -s -1day
# Display logins from last hour last -s -1hour
# Display logind from a specific date last -s 2022-04-08
# Last root logins last -s -1day root
-t <time>: logins until the specified time.
-n <maxlines>: display no more than
# from 2022-04-07 00:00 to 2022-04-08 00:00 last -s 2022-04-07 -t 2022-04-08
# last -s -1hour root pts/1 XX.XXX.XX.XXX Fri Apr 8 15:56 still logged in root pts/1 XX.XXX.XX.XXX Fri Apr 8 15:34 - 15:36 (00:01)
lastb is like
last but it shows bad login attempts. Available parameters are the same.
# Bad root logins lastb root
Reports the most recent login of all users (or one user if use
-u <username>). A useful parameter is
-t <days> to show records more recent than
# lastlog -t 1 Username Port From Latest root pts/1 XX.XXX.XX.XX Fri Apr 8 15:56:29 +0000 2022 rs1vps pts/1 XXX.XX.XX.XXX Fri Apr 8 15:07:02 +0000 2022
Extra: remove last login data
/var/log/wtmp (make backups before if you want).
truncate -s 0 /var/log/lastlog truncate -s 0 /var/log/wtmp
/var/log/btmp logs only bad login attempts, so you may want to keep this file.