Who has accessed your computer? login info commands
Your computer/server has several user accounts and you want to check who logged in? There are several system commands you can use.
Table of Contents
who
Check who is currently connected to a terminal. who displays username (who), terminal name (where), login time (when) and IP address if connected from other computer.
$ who
ricardo tty7 2022-04-05 11:40 (:0)
last
last shows a listing of last logged users (or only one user if specified). There are several available parameters but the most important one is -s <time>, to display logins since the specified time.
# Display logins from last 24 hours
last -s -1day
# Display logins from last hour
last -s -1hour
# Display logins from a specific date
last -s 2022-04-08
# Last root logins
last -s -1day root
More parameters:
-t <time>: logins until the specified time.-n <maxlines>: display no more than<maxlines>lines.
# from 2022-04-07 00:00 to 2022-04-08 00:00
last -s 2022-04-07 -t 2022-04-08
# last -s -1hour
root pts/1 XX.XXX.XX.XXX Fri Apr 8 15:56 still logged in
root pts/1 XX.XXX.XX.XXX Fri Apr 8 15:34 - 15:36 (00:01)
lastb
lastb is like last but it shows bad login attempts. Available parameters are the same. Root permissions needed.
# Bad root logins
lastb root
lastlog
Reports the most recent login of all users (or one user if use -u <username>). A useful parameter is -t <days> to show records more recent than <days>.
# lastlog -t 1
Username Port From Latest
root pts/1 XX.XXX.XX.XX Fri Apr 8 15:56:29 +0000 2022
rs1vps pts/1 XXX.XX.XX.XXX Fri Apr 8 15:07:02 +0000 2022
Extra: remove last login data
Empty /var/log/lastlog and /var/log/wtmp (make backups before if you want).
truncate -s 0 /var/log/lastlog
truncate -s 0 /var/log/wtmp
/var/log/btmp logs only bad login attempts, so you may want to keep this file.
If you have any suggestion, feel free to contact me via social media or email.
Latest tutorials and articles:
Featured content:
