Linux users login log

Linux: how to get all login logs from my system [closed]

I want to know all the times a user has logged into my system since last year.
I used the last command but it is not useful.

welcome to Stack Exchange! please remember that we’re all volunteers here. as such, we expect that you’ve done some basic research. it looks like you have a start — since you mention trying the last command — but you should be doing more research than that, and in any case, you haven’t actually specified why the last command isn’t useful. also, define «logged in». do you want to track console logins? SSH logins? Emacs forbid, telnet logins? or just anything authenticating with PAM? be specific.

2 Answers

The login logs on redhat-style linux are called wtmp ( man wtmp ), stored in /var/log/ by default, and you can retrieve them using utmpdump (on RHEL6).

[root@server ~]# utmpdump /var/log/wtmp* | awk '$4~"root" '
Utmp dump of /var/log/wtmp
[7] [01320] [ts/0] [root    ] [pts/0       ] [192.168.1.101   ] [192.168.1.101   ] [Tue Sep 24 00:31:47 2013 UTC]
[7] [01817] [ts/3] [root    ] [pts/3       ] [192.168.1.101   ] [192.168.1.101   ] [Tue Sep 24 00:38:22 2013 UTC]
[7] [01690] [ts/0] [root    ] [pts/0       ] [192.168.1.101   ] [192.168.1.101   ] [Tue Sep 24 00:59:04 2013 UTC]
[7] [23641] [ts/0] [root    ] [pts/0       ] [192.168.1.101   ] [192.168.1.101   ] [Wed Sep 25 19:12:44 2013 UTC]
[7] [03020] [ts/0] [root    ] [pts/0       ] [192.168.1.100   ] [192.168.1.100   ] [Fri Sep 27 21:33:40 2013 UTC]
...

It seems last can be used to achieve what you are trying to do. You need to append the date to the last command to extract the information.

last | while read -r line; do
  case $line in ""|wtmp*) continue;; esac   # skip the blank line and the "wtmp begins ..." trailer
  date=$(date -d "$(echo "$line" | awk '{ print $5" "$6" "$7 }')" +%s 2>/dev/null) || continue
  [[ $date -ge $(date -d "Aug 25 00:00" +%s) && $date -le $(date -d "Aug 28 00:00" +%s) ]] && echo "$line"
done

However, if you are concerned with finding information about a particular user, you can modify the last command as last username and then pipe the while loop to it. It would give you a particular user’s login information for the last one year.

I tested the above command and it works perfectly fine in my system. I took the above command from here.

You can change the date in the command to suit your requirements.
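The answer above parses plain last output, which omits the year, so entries from a previous year are ambiguous. As an added example (not code from the answer or from Stack Exchange), this parser reads the output of last -F, which prints full login and logout dates; feed it last -F and, where a rotated file exists, last -F -f /var/log/wtmp.1. The sample lines are constructed.

```python
import re
from datetime import datetime

# Constructed "last -F" output, not real wtmp data; hosts and users are
# placeholders. Includes a console login (no host), an open session and a reboot.
SAMPLE_LAST_F = """\
root     pts/0        192.168.1.101    Tue Sep 24 00:31:47 2013 - Tue Sep 24 00:45:12 2013  (00:13)
root     tty1                          Wed Sep 25 08:02:10 2013 - Wed Sep 25 08:30:00 2013  (00:27)
demoer   pts/1        192.168.1.100    Wed Sep 25 19:12:44 2013   still logged in
root     pts/0        192.168.1.100    Fri Sep 27 21:33:40 2013 - down                      (00:05)
reboot   system boot  3.10.0-123.el7   Fri Sep 27 21:30:00 2013 - Fri Sep 27 21:40:00 2013  (00:10)

wtmp begins Mon Sep 23 10:00:00 2013
"""

DATE = r"\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}"
# user, tty ("system boot" for reboot records), optional host (empty for
# console logins), login timestamp, then whatever follows it.
RECORD = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+(?: boot)?)\s+(?:(?P<host>\S+)\s+)?"
    rf"(?P<login>{DATE})(?P<rest>.*)$"
)
LOGOUT = re.compile(rf"- ({DATE})")
FMT = "%a %b %d %H:%M:%S %Y"


def parse_last(text):
    """Turn 'last -F' output into session dicts; skips the 'wtmp begins' trailer."""
    sessions = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if not m or line.startswith(("wtmp begins", "btmp begins")):
            continue
        lm = LOGOUT.search(m["rest"])
        sessions.append({
            "user": m["user"],
            "tty": m["tty"],
            "host": m["host"] or "",
            "login": datetime.strptime(m["login"], FMT),
            # None when the session is still open or was ended by a shutdown/crash
            "logout": datetime.strptime(lm.group(1), FMT) if lm else None,
            "open": "still" in m["rest"],
        })
    return sessions


def logins_since(sessions, since, user=None):
    """Sessions that started at or after 'since', optionally for one user only."""
    return [s for s in sessions
            if s["login"] >= since and (user is None or s["user"] == user)]
```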


How To Monitor System Authentication Logs on Ubuntu


A fundamental component of authentication management is monitoring the system after you have configured your users.

We will be exploring these concepts on a Ubuntu 22.04 server, but you can follow along on any modern Linux distribution. You can set up a Ubuntu 22.04 server for this tutorial by following our guide to Initial Server Setup on Ubuntu 22.04.


Review Authentication Attempts

Modern Linux systems log all authentication attempts in a dedicated file. On Ubuntu this is located at /var/log/auth.log . You can view this file using less :

Output
May 3 18:20:45 localhost sshd[585]: Server listening on 0.0.0.0 port 22.
May 3 18:20:45 localhost sshd[585]: Server listening on :: port 22.
May 3 18:23:56 localhost login[673]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
May 3 18:23:56 localhost login[714]: ROOT LOGIN on '/dev/tty1'
Sep 5 13:49:07 localhost sshd[358]: Received signal 15; terminating.
Sep 5 13:49:07 localhost sshd[565]: Server listening on 0.0.0.0 port 22.
Sep 5 13:49:07 localhost sshd[565]: Server listening on :: port 22.
. . .

When you are finished viewing the file, you can use q to quit less .

How To Use the “last” Command

Usually, you will only be interested in the most recent login attempts. You can see these with the last tool:

Output
demoer   pts/1   rrcs-72-43-115-1   Thu Sep  5 19:37   still logged in
root     pts/1   rrcs-72-43-115-1   Thu Sep  5 19:37 - 19:37  (00:00)
root     pts/0   rrcs-72-43-115-1   Thu Sep  5 19:15   still logged in
root     pts/0   rrcs-72-43-115-1   Thu Sep  5 18:35 - 18:44  (00:08)
root     pts/0   rrcs-72-43-115-1   Thu Sep  5 18:20 - 18:20  (00:00)
demoer   pts/0   rrcs-72-43-115-1   Thu Sep  5 18:19 - 18:19  (00:00)

This provides a formatted version of the information saved in another file, /var/log/wtmp .

The first and the third line show sessions that are still open. For sessions that have already been closed, the hyphen-separated values give the login and logout times, and the value in parentheses gives the total time spent logged in.

How To Use the “lastlog” Command

You can also view the last time each user on the system logged in using the lastlog command.

This information is read from the /var/log/lastlog file. It is then sorted according to the entries in the /etc/passwd file:

Output
Username   Port    From               Latest
root       pts/1   rrcs-72-43-115-1   Thu Sep  5 19:37:02 +0000 2013
daemon                                **Never logged in**
bin                                   **Never logged in**
sys                                   **Never logged in**
sync                                  **Never logged in**
games                                 **Never logged in**
. . .

You can see the latest login time of every user on the system.

Notice how the system users will almost all have **Never logged in** . Many of these system accounts will not be used to log in directly, so this is normal.

Conclusion

User authentication on Linux is a relatively flexible area of system management. There are many ways of accomplishing the same objective with widely available tools.

It is important to understand where the system keeps information about logins so that you can monitor your server for changes that do not reflect your usage.

Next, you may want to learn how to add and delete system users.


How to view authentication logs on Ubuntu 20.04


Authentication logs form a vital part of server security. If you suspect a breach, they can provide a full list of every remote login attempt on your server, alongside the account, date, and timestamp. They also list each prompt that asks for a user password, such as the sudo command, and whether or not the authentication was successful.

How to check system logins

The majority of Linux systems keep these logs at /var/log/auth.log or /var/log/secure . For Ubuntu, it’s the former. We can view these with nano or vim like we would any other text file, but the following command will give us faster load times and let us easily view the file page-by-page:

OUTPUT:
Jan 8 15:07:22 5ff8750c7437d20001bb84c5 passwd[395]: password for 'root' changed by 'root'
Jan 8 15:07:42 5ff8750c7437d20001bb84c5 sshd[546]: Received signal 15; terminating.
Jan 8 15:07:42 5ff8750c7437d20001bb84c5 sshd[1321]: Server listening on 0.0.0.0 port 22.
Jan 8 15:07:42 5ff8750c7437d20001bb84c5 sshd[1321]: Server listening on :: port 22.
Jan 8 15:08:01 5ff8750c7437d20001bb84c5 sshd[1321]: Received signal 15; terminating.
Jan 8 15:08:01 5ff8750c7437d20001bb84c5 sshd[1727]: Server listening on 0.0.0.0 port 22.
Jan 8 15:08:01 5ff8750c7437d20001bb84c5 sshd[1727]: Server listening on :: port 22.
Jan 8 15:09:41 5ff8750c7437d20001bb84c5 sshd[1738]: error: kex_exchange_identification: read: Connection reset by peer
Jan 8 15:09:46 5ff8750c7437d20001bb84c5 sshd[1739]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.161.63.100 user=root
Jan 8 15:09:49 5ff8750c7437d20001bb84c5 sshd[1739]: Failed password for root from 81.161.63.100 port 54150 ssh2
Jan 8 15:14:36 5ff8750c7437d20001bb84c5 sshd[1896]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=71.221.154.110 user=root
Jan 8 15:14:37 5ff8750c7437d20001bb84c5 sudo: root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/less /var/log/auth.log
Jan 8 15:14:37 5ff8750c7437d20001bb84c5 sudo: pam_unix(sudo:session): session opened for user root by root(uid=0)
(END)

Above is a cut-down example from a server that was just created. You can see that it also lists the initial password change when the server was programmatically created.

Once you’re ready, press q to quit the document.

View the most recent logins

If you just want to check the most recent logins, it’s even simpler. Back in the command-line, type last and press Enter.

The output will look something like this:

root     pts/0         12.34.567.89     Fri Jan  8 15:30   still logged in
root     pts/0         12.34.567.89     Fri Jan  8 15:13 - 15:29  (00:16)
reboot   system boot   5.4.0-1009-kvm   Fri Jan  8 15:07   still running

The last tool pulls its data from /var/log/wtmp , which is written to each time a user logs in. It’ll show username, tty, IP address, date and time, and session start/stop times.

If that’s too verbose, you can filter the output by appending a username and/or a tty name to the command.

Let’s look at an example. If we wanted to view all of the logins from the root user, we could run:

OUTPUT:
root     pts/0   12.345.678.90   Fri Jan  8 15:30   still logged in
root     pts/0   12.345.678.90   Fri Jan  8 15:13 - 15:29  (00:16)

Or, if we want to restrict it to a specific user and TTY:


See when users last logged in

If you notice an unauthorized change to the system, it’s often useful to see when each user last logged in. This way, you can narrow down who made the change. We can do this with the lastlog command, which reads /var/log/lastlog and sorts the records by the entries in /etc/passwd :

Username    Port    From            Latest
root        pts/0   12.345.678.90   Fri Jan  8 15:30:06 +0000 2021
daemon                              **Never logged in**
bin                                 **Never logged in**
sys                                 **Never logged in**
sync                                **Never logged in**
bitlaunch   pts/1   83.253.230.46   Fri Jan  8 16:09:53 +0000 2021
hack0r      pts/1   83.253.230.46   Fri Jan  8 16:10:20 +0000 2021

You’ll notice quite a few users with a **Never logged in** entry in the Latest column. This is normal on account of them being system users.

But what if you just found out about a historical incursion or are looking for more specific information? lastlog has several options that can be of use.

Option               Description
-u, --user [LOGIN]   Print the record for the user with the specified login
-b, --before [DAYS]  Print records older than the specified number of days
-t, --time [DAYS]    Print records more recent than the specified number of days

This is particularly useful if we want to get the last time a specific user logged in:

OUTPUT:
root   pts/0   12.345.678.90   Fri Jan  8 15:30:06 +0000 2021

What to look for in authentication logs

Now that you know how to view authentication logs, it’s important to develop a proactive mindset. Don’t just run these commands when you notice something strange – make it a habit to check regularly.

When you do so, look out for the following:

  • Users who are requesting sudo privileges to perform tasks that are outside their scope of work
  • Is one user attempting to access or modify the content of another? Was a password changed unexpectedly?
  • Attackers often create a new account so that they can perform actions without as much oversight

Of course, there’s one issue with all this. If an attacker gains access to your root account, they will be able to modify or delete your authentication log. An absence of authentication logs can be very telling, but it also doesn’t leave you with much information about the incursion.

As a result, it’s vital that you keep your root account secure and make regular backups of your log files and full server. Though they can help in the case of a breach, authentication logs are far from a replacement for basic security.
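The checklist above can be turned into a routine check. As an added example (not BitLaunch’s code), this script summarises an auth.log excerpt: repeated failed SSH passwords per source, successful logins, password changes, sudo invocations, and accounts created in the log window that then log in. The sample lines are constructed in the format shown in the listing earlier; the useradd line format is assumed from shadow-utils, and the syslog timestamps carry no year.

```python
import re
from collections import Counter

# Constructed auth.log excerpt in the same format as the listing above; the IPs,
# PIDs and the 'hack0r' account are sample values, not real indicators.
SAMPLE_AUTH = """\
Jan  8 15:07:22 srv passwd[395]: password for 'root' changed by 'root'
Jan  8 15:09:49 srv sshd[1739]: Failed password for root from 81.161.63.100 port 54150 ssh2
Jan  8 15:10:02 srv sshd[1742]: Failed password for invalid user admin from 81.161.63.100 port 54160 ssh2
Jan  8 15:14:36 srv sshd[1896]: Failed password for root from 71.221.154.110 port 41022 ssh2
Jan  8 15:14:37 srv sudo:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/less /var/log/auth.log
Jan  8 16:09:50 srv useradd[2001]: new user: name=hack0r, UID=1001, GID=1001, home=/home/hack0r, shell=/bin/bash
Jan  8 16:10:20 srv sshd[2010]: Accepted password for hack0r from 83.253.230.46 port 50122 ssh2
"""

SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w.-]+)(?:\[\d+\])?:\s*(?P<msg>.*)$")
FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")
NEW_USER = re.compile(r"new user: name=(?P<user>[^,]+)")
PASSWD = re.compile(r"password for '(?P<user>[^']+)' changed by '(?P<by>[^']+)'")
SUDO = re.compile(r"^(?P<user>\S+) : TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def triage(text, fail_threshold=2):
    """Summarise the events the checklist above asks about from auth.log text."""
    failed = Counter()
    rep = {"accepted": [], "new_users": [], "password_changes": [], "sudo": []}
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        msg = m["msg"]
        if (f := FAILED.search(msg)):
            failed[f["ip"]] += 1
        elif (a := ACCEPTED.search(msg)):
            rep["accepted"].append((a["user"], a["ip"]))
        elif m["prog"] == "useradd" and (n := NEW_USER.search(msg)):
            rep["new_users"].append(n["user"])
        elif m["prog"] == "passwd" and (p := PASSWD.search(msg)):
            rep["password_changes"].append((p["user"], p["by"]))
        elif m["prog"] == "sudo" and (s := SUDO.match(msg)):
            rep["sudo"].append((s["user"], s["target"], s["cmd"]))
    rep["failed_by_ip"] = dict(failed)
    # Sources with repeated failures, and any success from such a source.
    rep["noisy_sources"] = sorted(ip for ip, n in failed.items() if n >= fail_threshold)
    rep["success_after_failures"] = [(u, ip) for u, ip in rep["accepted"] if ip in failed]
    # Logins by accounts that were created inside the same log window.
    rep["new_account_logins"] = [(u, ip) for u, ip in rep["accepted"] if u in rep["new_users"]]
    return rep
```

Run it over the real file with triage(open("/var/log/auth.log").read()); a rotated auth.log.1 can be concatenated in front of it for a longer window.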
