"last/lastb" - Review Login History

This section provides a quick introduction of the 'last' and 'lastb' commands, which allows you to review login history and login attempts.

What Is "last" Command? "last" is a command to review login history on a Linux system. It lists all logins recorded in the /var/log/wtmp file in reverse time order. Here are some usage examples of the "last" command:

1. List all logins:

herong$ last

herong   pts/2        192.168.1.2      Tue Dec 19 21:38   still logged in
herong   pts/2        192.168.1.2      Wed Dec 18 19:30 - 01:04  (05:33)
root     pts/1        192.168.1.3      Tue Dec 17 22:32   still logged in
root     pts/1        192.168.1.4      Tue Dec  5 22:27 - 22:28  (10:01)
...
runlevel (to lvl 3)   6.13...          Mon Dec 11 13:42   still running
reboot   system boot  6.13...          Mon Dec 11 13:41   still running
shutdown system down  6.13...          Mon Dec 11 13:40 - 13:41  (00:00)
......
root     :1           :1               Mon Oct 16 01:42 - down  (39+07:01)
reboot   system boot  3.28...          Mon Oct 16 01:40 - 07:44 (39+07:03)
...

2. List all logins of a given user:

herong$ last root

root     pts/1        192.168.1.3      Tue Dec 17 22:32   still logged in
root     pts/1        192.168.1.4      Tue Dec  5 22:27 - 22:28  (10:01)
...
root     :1           :1               Sun Nov 26 22:17   still logged in
...

3. List last 3 logins:

herong$ last -n 3

herong   pts/2        192.168.1.2      Tue Dec 19 21:38   still logged in
herong   pts/2        192.168.1.2      Wed Dec 18 19:30 - 01:04  (05:33)
root     pts/1        192.168.1.3      Tue Dec 17 22:32   still logged in

4. List logins in a given time period:

herong$ last -s '2023-12-17 00:00:00' -t '2023-12-19 00:00:00'

herong   pts/2        192.168.1.2      Wed Dec 18 19:30 - 01:04  (05:33)
root     pts/1        192.168.1.3      Tue Dec 17 22:32   still logged in

5. Filter logins from a given IP address:

herong$ last | grep '192.168.1.2'

herong   pts/2        192.168.1.2      Tue Dec 19 21:38   still logged in
herong   pts/2        192.168.1.2      Wed Dec 18 19:30 - 01:04  (05:33)
...

What Is "lastb" Command? "lastb" is a command to review failed login history on a Linux system. It lists all logins recorded in the /var/log/btmp file in reverse time order. This command requires root privilege. Here are some usage examples of the "lastb" command:

1. List last 100 failed logins:

herong$ sudo lastb -100

herong   ssh:notty    192.168.1.2      Tue Dec 19 21:38 - 21:38  (00:00)
root     ssh:notty    192.168.1.3      Tue Dec  5 22:30 - 22:30  (00:00)
root     ssh:notty    192.168.1.3      Tue Dec  5 22:30 - 22:30  (00:00)
...

2. List last 100 failed logins with "sudo last -f /var/log/btmp":

herong$ sudo last -100 -f /var/log/btmp

herong   ssh:notty    192.168.1.2      Tue Dec 19 21:38 - 21:38  (00:00)
root     ssh:notty    192.168.1.3      Tue Dec  5 22:30 - 22:30  (00:00)
root     ssh:notty    192.168.1.3      Tue Dec  5 22:30 - 22:30  (00:00)
...

Some notes on the "last" command output:

Table of Contents

 About This Book

 Introduction to Linux Systems

 Cockpit - Web Portal for Administrator

 Process Management

 Memory Management

 Files and Directories

 Users and Groups

 File Systems

 Block Devices and Partitions

 LVM (Logical Volume Manager)

 Installing CentOS

 SELinux - Security-Enhanced Linux

 Network Connection on CentOS

 Internet Networking Tools

 SSH Protocol and ssh/scp Commands

 Software Package Manager on CentOS - DNF and YUM

 vsftpd - Very Secure FTP Daemon

 LDAP (Lightweight Directory Access Protocol)

Administrative Tasks

 "systemctl status/start/stop/enable/disable" Commands

 "shutdown" and "halt/poweroff/reboot" Commands

 Move /home Directory to New Partition

 Move All Users to a New System

"last/lastb" - Review Login History

 References

 Full Version in PDF/EPUB