Your computer/server has several user accounts and you want to check who logged in? There are several system commands you can use.

Table of Contents

who

Check who is currently connected to a terminal. who displays username (who), terminal name (where), login time (when) and IP address if connected from other computer.

$ who
ricardo  tty7         2022-04-05 11:40 (:0)

last

last shows a listing of last logged users (or only one user if specified). There are several available parameters but the most important one is -s <time>, to display logins since the specified time.

# Display logins from last 24 hours
last -s -1day
# Display logins from last hour
last -s -1hour
# Display logind from a specific date
last -s 2022-04-08
# Last root logins
last -s -1day root

More parameters:

  • -t <time>: logins until the specified time.
  • -n <maxlines>: display no more than <maxlines> lines.
# from 2022-04-07 00:00 to 2022-04-08 00:00
last -s 2022-04-07 -t 2022-04-08
# last -s -1hour
root     pts/1        XX.XXX.XX.XXX    Fri Apr  8 15:56   still logged in
root     pts/1        XX.XXX.XX.XXX    Fri Apr  8 15:34 - 15:36  (00:01)

lastb

lastb is like last but it shows bad login attempts. Available parameters are the same. Root permissions needed.

# Bad root logins
lastb root

lastlog

Reports the most recent login of all users (or one user if use -u <username>). A useful parameter is -t <days> to show records more recent than <days>.

# lastlog -t 1
Username         Port     From             Latest
root             pts/1    XX.XXX.XX.XX    Fri Apr  8 15:56:29 +0000 2022
rs1vps           pts/1    XXX.XX.XX.XXX   Fri Apr  8 15:07:02 +0000 2022

Extra: remove last login data

Empty /var/log/lastlog and /var/log/wtmp (make backups before if you want).

truncate -s 0 /var/log/lastlog
truncate -s 0 /var/log/wtmp

/var/log/btmp logs only bad login attempts, so you may want to keep this file.

If you have any suggestion, feel free to contact me via social media or email.