Linux login system information

How to Find User Account Info and Login Details in Linux?

For sysadmins, it is routine to monitor user details such as which users are active and which are not, who logged in during the last 2 days, which users belong to a given group, and so on. To meet these needs, Linux provides the commands below, which can be used to gather various types of information about users.

id Command

It prints the user ID and primary group ID together with the secondary group IDs and names. With no argument it reports on the current user, but you can also ask for a specific user's details by giving the user ID value in the command.

ubuntu@ubuntu:~$ id
ubuntu@ubuntu:~$ id 2112

Running the above code gives us the following result:

uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
uid=2112(uname1) gid=3421(uname1) groups=3421(uname1)

groups

It displays the group names the currently logged in user belongs to.

Running groups gives us the following result −

ubuntu adm cdrom sudo dip plugdev lpadmin sambashare

getent

This command looks into the passwd file and gets the user details from there.

ubuntu@ubuntu:~$ getent passwd

Running the above code gives us the following result −

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
……
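As an added example (not part of the original article), the passwd-format records that getent passwd prints can be filtered for two things worth reviewing on any server: accounts other than root that hold UID 0, and accounts whose shell allows an interactive login. The sample records and the svcbackup account are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in passwd(5) layout: name:x:uid:gid:gecos:home:shell
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
ubuntu:x:1000:1000:ubuntu16LTS.:/home/ubuntu:/bin/bash
uname1:x:2112:3421:storefront:/home/uname1:/bin/sh
svcbackup:x:0:0:backup helper:/var/backups:/bin/bash
EOF
}

# Print the names of accounts that have UID 0 but are not root.
# Any hit has full root privileges and should be explained or removed.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Print "name uid shell" for accounts whose shell is not nologin or false.
# An empty shell field means the system default /bin/sh is used.
interactive_accounts() {
    awk -F: '$7 !~ /\/(nologin|false)$/ {
        print $1, $3, ($7 == "" ? "/bin/sh" : $7)
    }'
}

# Demo on the constructed sample.
# On a live system, pipe real data instead: getent passwd | extra_uid0
echo "Extra UID 0 accounts:"
sample_passwd | extra_uid0
echo "Accounts with a login shell:"
sample_passwd | interactive_accounts
```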

lslogins

The lslogins command displays details of the known users of the system.

Running lslogins gives us the following result −

 UID USER   PROC PWD-LOCK PWD-DENY LAST-LOGIN GECOS
   0 root    135                              root
1000 ubuntu   70                     23:04:25 ubuntu16LTS.
2112 uname1    0                              storefront
9002 uname4    0                              HR

w

It displays the current users logged in to the system and the processes they are running.

Running w gives us the following result −

 08:13:17 up 12:26,  1 user,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
ubuntu   tty7     :0               23:04   12:58m  1:23   0.34s /sbin/upstart --user

How to Check Linux Login History

You may want to know who logged on your system and from where. You should also see bad login attempts on your system. Learn how to see login history in Linux.


If you have a Linux server, there is a possibility that you have several users accessing the system. You may want to know who is logged on to your system and when a particular user logged in to it. You may also want to know from which IP address your system was accessed.

Even if you don’t have multiple users, someone has probably tried to access your Linux server. Trust me, this may sound weird but it’s a common thing these days for bots to try and access your Linux servers. Don’t believe me? Just check the bad login attempts on your server to see if someone tried to log in to your system.

Let me show you how to view the Linux login history so that you are aware of who is accessing your system and from where.

Viewing Linux login history

Linux is very good at keeping logs of everything that goes on your system. Quite naturally, it also stores logs about login and login attempts. The login information is stored in three places:

  • /var/log/wtmp – Logs of last login sessions
  • /var/run/utmp – Logs of the current login sessions
  • /var/log/btmp – Logs of the bad login attempts

Let’s see these things in a bit more detail.

1. View history of all logged users

To view the history of all the successful logins on your system, simply use the command last.

The output should look like this. As you can see, it lists the user, the IP address from where the user accessed the system, date and time frame of the login. pts/0 means the server was accessed via SSH.

abhi     pts/0        202.91.87.115    Wed Mar 13 13:31   still logged in
root     pts/0        202.91.87.115    Wed Mar 13 13:30 - 13:31  (00:00)
servesha pts/0        125.20.97.117    Tue Mar 12 12:07 - 14:25  (02:17)
servesha pts/0        209.20.189.152   Tue Mar  5 12:32 - 12:38  (00:06)
root     pts/0        202.91.87.114    Mon Mar  4 13:35 - 13:47  (00:11)

wtmp begins Mon Mar  4 13:35:54 2019

The last line of the output tells you when the wtmp log file was created. This is important because if the wtmp file was deleted recently, the last command won’t be able to show the history of logins prior to that date.

You may have a huge history of login sessions, so it’s better to pipe the output through the less command.

2. View login history of a certain user

If you just want to see the login history of a particular user, you can specify the user name with the last command.

You’ll see the login information of only the selected user:

last servesha

servesha pts/0        125.20.97.117    Tue Mar 12 12:07 - 14:25  (02:17)
servesha pts/0        209.20.189.152   Tue Mar  5 12:32 - 12:38  (00:06)

wtmp begins Mon Mar  4 13:35:54 2019

3. Display IP addresses in login history instead of hostname

You couldn’t see it in the previous output, but by default the last command shows the hostname instead of the IP address of the user. If you are on a sub-network, you’ll probably see only the hostnames.

You can force it to display the IP addresses of previously logged-in users with the -i option.

4. Display only last N logins

If your system has a good uptime, your login history may be huge. As I mentioned earlier, you can use the less command or other file viewing commands like head or tail.

The last command also gives you the option to display only a certain number of login history entries.

Just replace N with the number you want. You can also combine it with the username.

5. View all the bad login attempts on your Linux server

Now comes the important part: checking the bad login attempts on your server.

You can do that in two ways. You can either use the last command with the btmp log file:

or you can use the lastb command:

Both of these commands will yield the same result. The lastb is actually a link to the last command with the specified file.

root     ssh:notty    218.92.0.158     Wed Mar 13 14:34 - 14:34  (00:00)
sindesi  ssh:notty    59.164.69.10     Wed Mar 13 14:34 - 14:34  (00:00)
root     ssh:notty    218.92.0.158     Wed Mar 13 14:34 - 14:34  (00:00)
sindesi  ssh:notty    59.164.69.10     Wed Mar 13 14:34 - 14:34  (00:00)
root     ssh:notty    218.92.0.158     Wed Mar 13 14:34 - 14:34  (00:00)

Bad logins could be an incorrect password entered by a legitimate user. It could also be a bot trying to brute force your password.

You have to analyze the output here and see if you recognize the IPs in the log. If there have been too many login attempts from a certain IP with user root, probably someone is trying to attack your system by brute forcing.

You should deploy Fail2Ban to protect your server in such cases. Fail2Ban will ban such IPs from your server, giving it an extra layer of protection.
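The review of bad login attempts described above can be automated. The following is an added example, not part of the original article: it reads lines in the layout that lastb prints, counts failures per source address, and lists the addresses at or above a threshold together with the usernames they tried. The sample lines are constructed and use documentation-range addresses; the function names and the threshold are assumptions.

```shell
#!/bin/sh
# Constructed sample in the layout lastb prints (user, tty, source, time).
sample_lastb() {
cat <<'EOF'
root     ssh:notty    203.0.113.7      Wed Mar 13 14:34 - 14:34  (00:00)
sindesi  ssh:notty    198.51.100.10    Wed Mar 13 14:34 - 14:34  (00:00)
root     ssh:notty    203.0.113.7      Wed Mar 13 14:34 - 14:34  (00:00)
sindesi  ssh:notty    198.51.100.10    Wed Mar 13 14:33 - 14:33  (00:00)
root     ssh:notty    203.0.113.7      Wed Mar 13 14:33 - 14:33  (00:00)
admin    ssh:notty    203.0.113.7      Wed Mar 13 14:33 - 14:33  (00:00)
abhi     ssh:notty    192.0.2.44       Wed Mar 13 13:29 - 13:29  (00:00)

btmp begins Mon Mar  4 13:35:54 2019
EOF
}

# Print "count source" for every source address, busiest first.
# Blank lines and the trailing "btmp begins ..." line are skipped.
attempts_by_ip() {
    awk 'NF >= 3 && $2 != "begins" { n[$3]++ }
         END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

# Print "source count users" for sources with at least $1 failures.
# users is the comma-separated list of distinct usernames that were tried.
suspects() {
    awk -v min="$1" '
        NF >= 3 && $2 != "begins" {
            n[$3]++
            if (!seen[$3 SUBSEP $1]++)
                users[$3] = users[$3] (users[$3] ? "," : "") $1
        }
        END { for (ip in n) if (n[ip] >= min) print ip, n[ip], users[ip] }
    ' | sort
}

# Demo on the constructed sample.
# On a live system (as root): lastb -i | suspects 5
sample_lastb | attempts_by_ip
sample_lastb | suspects 3
```

A single failure from one address, like the abhi line in the sample, looks like a mistyped password, while one address cycling through several usernames is the pattern Fail2Ban is meant to block.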


I hope this tutorial taught you how to view login history in Linux and that you can now use this knowledge to better manage and protect your Linux system.


Enable Ubuntu System Information After SSH Login

We talked about MOTD in the previous article (it is quite important to open the link and read it, as we will not repeat the same information in this article). The banner message shown before is a different thing, and that was also discussed there.
The banner message which shows memory usage and other useful information by default can be disabled. Here is how to enable Ubuntu system information after SSH login. If you have this message after a successful SSH login:

and want to change it to this:

this guide will serve that purpose.

Enable Ubuntu System Information After SSH Login : Packages are Not Installed

Web hosts compile the distributions according to their needs. Usually some packages are not installed, to keep the operating system lighter. If you run this command:

and it throws an error that packages are not installed, you have to install them. If the command returns correct system information, read ahead anyway. The official manual pages are here:

In case the landscape-sysinfo command returned correct system information but nothing appears after login, check these two files by running cat on them:

In case the landscape-sysinfo command returned the error that packages are not installed, you need to run two commands, or rather install two packages. We suggest running the commands one by one:

It will take around 10 minutes for the scripts to be in a properly informative condition. Reboot the server.

Enable Ubuntu System Information After SSH Login : Modification and Other Stuffs

The MOTD is generated from scripts and other items in these four places:

  1. Scripts in /etc/update-motd.d/
  2. Compiled binaries controlled by /etc/pam.d/login
  3. /etc/legal file
  4. /etc/ssh/sshd_config file

In the /etc/ssh/sshd_config file, PrintLastLog controls the “Last login: …” message. It is quite complicated: setting it to No will not exactly make the message vanish. If you run cat on /etc/update-motd.d/50-landscape-sysinfo and /usr/bin/landscape-sysinfo, you will see the coding part. We configure the MOTD using the /etc/landscape/client.conf configuration file:
