Linux Tutorials - Herong's Tutorial Examples - v5.45, by Herong Yang
"last/lastb" - Review Login History
This section provides a quick introduction of the 'last' and 'lastb' commands, which allows you to review login history and login attempts.
What Is "last" Command? "last" is a command to review login history on a Linux system. It lists all logins recorded in the /var/log/wtmp file in reverse time order. Here are some usage examples of the "last" command:
1. List all logins:
herong$ last herong pts/2 192.168.1.2 Tue Dec 19 21:38 still logged in herong pts/2 192.168.1.2 Wed Dec 18 19:30 - 01:04 (05:33) root pts/1 192.168.1.3 Tue Dec 17 22:32 still logged in root pts/1 192.168.1.4 Tue Dec 5 22:27 - 22:28 (10:01) ... runlevel (to lvl 3) 6.13... Mon Dec 11 13:42 still running reboot system boot 6.13... Mon Dec 11 13:41 still running shutdown system down 6.13... Mon Dec 11 13:40 - 13:41 (00:00) ...... root :1 :1 Mon Oct 16 01:42 - down (39+07:01) reboot system boot 3.28... Mon Oct 16 01:40 - 07:44 (39+07:03) ...
2. List all logins of a given user:
herong$ last root root pts/1 192.168.1.3 Tue Dec 17 22:32 still logged in root pts/1 192.168.1.4 Tue Dec 5 22:27 - 22:28 (10:01) ... root :1 :1 Sun Nov 26 22:17 still logged in ...
3. List last 3 logins:
herong$ last -n 3 herong pts/2 192.168.1.2 Tue Dec 19 21:38 still logged in herong pts/2 192.168.1.2 Wed Dec 18 19:30 - 01:04 (05:33) root pts/1 192.168.1.3 Tue Dec 17 22:32 still logged in
4. List logins in a given time period:
herong$ last -s '2023-12-17 00:00:00' -t '2023-12-19 00:00:00' herong pts/2 192.168.1.2 Wed Dec 18 19:30 - 01:04 (05:33) root pts/1 192.168.1.3 Tue Dec 17 22:32 still logged in
5. Filter logins from a given IP address:
herong$ last | grep '192.168.1.2' herong pts/2 192.168.1.2 Tue Dec 19 21:38 still logged in herong pts/2 192.168.1.2 Wed Dec 18 19:30 - 01:04 (05:33) ...
What Is "lastb" Command? "lastb" is a command to review failed login history on a Linux system. It lists all logins recorded in the /var/log/btmp file in reverse time order. This command requires root privilege. Here are some usage examples of the "lastb" command:
1. List last 100 failed logins:
herong$ sudo lastb -100 herong ssh:notty 192.168.1.2 Tue Dec 19 21:38 - 21:38 (00:00) root ssh:notty 192.168.1.3 Tue Dec 5 22:30 - 22:30 (00:00) root ssh:notty 192.168.1.3 Tue Dec 5 22:30 - 22:30 (00:00) ...
2. List last 100 failed logins with "sudo last -f /var/log/btmp":
herong$ sudo last -100 -f /var/log/btmp herong ssh:notty 192.168.1.2 Tue Dec 19 21:38 - 21:38 (00:00) root ssh:notty 192.168.1.3 Tue Dec 5 22:30 - 22:30 (00:00) root ssh:notty 192.168.1.3 Tue Dec 5 22:30 - 22:30 (00:00) ...
Some notes on the "last" command output:
Table of Contents
Cockpit - Web Portal for Administrator
SELinux - Security-Enhanced Linux
SSH Protocol and ssh/scp Commands
Software Package Manager on CentOS - DNF and YUM
vsftpd - Very Secure FTP Daemon
LDAP (Lightweight Directory Access Protocol)
"systemctl status/start/stop/enable/disable" Commands
"shutdown" and "halt/poweroff/reboot" Commands
Move /home Directory to New Partition
Move All Users to a New System