1. Introduction

When administering a Linux system, we must monitor all login attempts to keep the system secure. To do this, we need to inspect all successful and unsuccessful login attempts.

Linux systems can be accessed through various channels, such as local login, remote login, SSH, FTP, and more.

In this tutorial, we’ll explore different Linux commands that we can use to monitor all login attempts. This helps us detect suspicious login attempts and prevent unauthorized access.

2. Using the last Command

The Linux last command lists all users that have previously logged into the system. The last command is handy for system administrators who need to track user activity on a server or local machines.

It can display various information, including the date and time of access, the duration of the session, and the device or terminal used to access the system.

By default, the last command uses the system log file /var/log/wtmp as the data source to generate reports. wtmp is a binary file on Unix-based operating systems. It keeps a record of all login and logout activity.

The last command ships with most Linux distros. However, we can install it from the local package manager in case it’s not available:

$ sudo apt -y install util-linux

On Arch Linux, we can use this command:

$ sudo pacman -S util-linux

On CentOS/Alma/Oracle/RHEL, we can use this command:

$ sudo dnf install util-linux

The last command has this basic syntax:

$ last [options] [username]

Let’s run the last command:

$ last
redward  :0           :0               Tue Apr 18 09:48   still logged in
reboot   system boot  5.15.0-67-generi Tue Apr 18 09:47   still running
redward  :0           :0               Thu Apr 13 10:51 - crash (4+22:56)
reboot   system boot  5.15.0-67-generi Thu Apr 13 10:47   still running
redward  :0           :0               Mon Apr 10 21:59 - crash (2+12:48)
reboot   system boot  5.15.0-67-generi Mon Apr 10 21:58   still running
redward  :0           :0               Wed Apr  5 22:33 - down  (4+23:24)
.... truncated ....

Running the last command without passing any options or specifying a username prints all users that have previously logged in.

The first column shows the username of the logged-in user, and the second column shows how the user is accessing the system, for example, via teletype (TTY) or pseudo-terminal. However, it shows “system boot” if it’s a restart task.

The third column shows us where the user logged in from. We should expect to see a hostname or an IP address if the login was from a remote computer, an empty value if it was via teletype, or the kernel version if it’s a reboot task.

Finally, the fourth column shows when the login activity happened, and the fifth column shows the logout time. The last column shows how long the user has been connected in the format “Hours:Minutes”.

3. Using the lastlog Command

The lastlog command formats and displays the last login information of all users in the /var/log/lastlog file. It prints out the username, port, and the last login time.

It ships with most Linux distros by default, but in case it’s unavailable, we can get it from the local package manager.

On Debian/Ubuntu:

$ sudo apt-get install login

On Arch Linux, we can use the following:

$ sudo pacman -S shadow

By default, the lastlog command prints all entries sorted in their order in the /etc/passwd file:

$ lastlog
Username         Port     From             Latest
root                                       **Never logged in**
daemon                                     **Never logged in**
bin                                        **Never logged in**
gnome-initial-setup                           **Never logged in**
gdm                                        **Never logged in**
sssd                                       **Never logged in**
redward          tty4                      Kam Bit  9 17:29:37 +0300 2023
systemd-coredump                           **Never logged in**

We can also display the last login information for a specific user:

$ lastlog -u redward
Username         Port     From             Latest
redward          tty4                      Kam Bit  9 17:29:37 +0300 2023

We’re using the -u option to specify a user.

We can also use it to display lastlog records older than a specific number of days:

$ lastlog -b 20
Username         Port     From             Latest
root                                       **Never logged in**
daemon                                     **Never logged in**
bin                                        **Never logged in**
sys                                        **Never logged in**
.... truncated ....

We’re passing the -b option to print records older than 20 days.
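To see what lastlog actually reads, here is an added Python example (not from the original article) that parses a /var/log/lastlog image directly and reproduces the selection made by lastlog -b DAYS. It assumes the glibc record layout on x86_64 (32-bit ll_time, 32-byte line field, 256-byte host field) and builds a constructed sample image in memory, so it runs without touching the real file:

```python
import struct
from typing import Dict, Tuple

# One struct lastlog record as glibc lays it out on x86_64 Linux (assumption:
# 32-bit ll_time, UT_LINESIZE = 32, UT_HOSTSIZE = 256; other architectures may
# use a 64-bit ll_time). The file is indexed by UID: record N belongs to UID N.
LASTLOG_STRUCT = struct.Struct("=i32s256s")
RECORD_SIZE = LASTLOG_STRUCT.size  # 292 bytes

Record = Tuple[int, str, str]  # (epoch seconds, line/port, host)


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width text field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_lastlog(data: bytes) -> Dict[int, Record]:
    """Return {uid: (epoch, line, host)} for every UID that has logged in.

    A record whose ll_time is 0 is what lastlog prints as '**Never logged in**'.
    """
    records: Dict[int, Record] = {}
    for uid in range(len(data) // RECORD_SIZE):
        ll_time, ll_line, ll_host = LASTLOG_STRUCT.unpack_from(data, uid * RECORD_SIZE)
        if ll_time != 0:
            records[uid] = (ll_time, _cstr(ll_line), _cstr(ll_host))
    return records


def older_than(records: Dict[int, Record], days: int, now: int) -> Dict[int, Record]:
    """Same selection as 'lastlog -b DAYS': logins at least DAYS days before `now`."""
    cutoff = now - days * 86400
    return {uid: rec for uid, rec in records.items() if rec[0] <= cutoff}


def build_sample_lastlog(entries: Dict[int, Record], nuids: int) -> bytes:
    """Constructed sample image with nuids records, only the given UIDs filled in."""
    image = bytearray(LASTLOG_STRUCT.pack(0, b"", b"") * nuids)
    for uid, (epoch, line, host) in entries.items():
        LASTLOG_STRUCT.pack_into(image, uid * RECORD_SIZE, epoch, line.encode(), host.encode())
    return bytes(image)


if __name__ == "__main__":
    # Constructed data: UID 1000 logged in locally on tty4, UID 1001 over SSH earlier.
    img = build_sample_lastlog({1000: (1681050000, "tty4", ""), 1001: (1679000000, "pts/0", "192.0.2.10")}, 1002)
    for uid, (epoch, line, host) in sorted(parse_lastlog(img).items()):
        print(uid, line, host or "-", epoch)
```

To read the real file, pass the bytes of /var/log/lastlog to parse_lastlog and map each UID back to a name through /etc/passwd, which is exactly the join lastlog performs.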

4. Using the grep Command

The grep command searches one or more input files for lines matching a specific pattern.

The grep command has many variants and is available by default in most Linux distros. Here, we’ll focus on using GNU grep to search for specific patterns in the files containing the login activity logs.

Let’s list all the failed SSH logins using grep:

$ sudo grep "Failed password" /var/log/auth.log
Feb 14 15:08:39 localhost sshd[621893]: Failed password for john from 192.168.0.7 port 8132 ssh2
Mar 17 15:09:13 localhost sshd[621893]: Failed password for john from 192.168.0.7 port 8132 ssh2
.... truncated ....

Here, the grep command matched all lines containing the pattern “Failed password” from the /var/log/auth.log file.

However, on CentOS/RHEL systems, the login sessions are recorded in the /var/log/secure file:

$ sudo grep "Failed password" /var/log/secure
Feb 14 16:47:10 localhost sshd[621893]: Failed password for john from 192.168.0.7 port 8132 ssh2
Mar 17 16:19:45 localhost sshd[621893]: Failed password for john from 192.168.0.7 port 8132 ssh2
.... truncated ....

To widen the match to lines containing either “Failed” or “Failure”, we can use egrep (the same as grep -E), which also picks up failures reported by other services:

$ egrep "Failed|Failure" /var/log/auth.log
Apr 18 09:50:10 localhost dbus-daemon[2453]: [session uid=1000 pid=2453] Failed to activate service 'org.freedesktop.FileManager1': timed out (service_start_timeout=120000ms)
Apr 18 09:50:12 localhost dbus-daemon[2453]: [session uid=1000 pid=2453] Failed to activate service 'org.gnome.Nautilus': timed out (service_start_timeout=120000ms)

The grep command helps us organize the information contained in the /var/log/auth.log file.

Let’s use the cat command to list all the entries within the file:

$ cat /var/log/auth.log
Apr 16 09:12:20 redward-HP-ProBook-440-G7 PackageKit: uid 1000 is trying to obtain org.freedesktop.packagekit.system-sources-refresh auth (only_trusted:0)
Apr 16 09:12:20 redward-HP-ProBook-440-G7 PackageKit: uid 1000 obtained auth for org.freedesktop.packagekit.system-sources-refresh
Apr 16 09:13:16 redward-HP-ProBook-440-G7 PackageKit: uid 1000 is trying to obtain org.freedesktop.packagekit.system-sources-refresh auth (only_trusted:0)
Apr 16 09:13:16 redward-HP-ProBook-440-G7 PackageKit: uid 1000 obtained auth for org.freedesktop.packagekit.system-sources-refresh
Apr 16 09:15:08 redward-HP-ProBook-440-G7 pkexec: pam_unix(polkit-1:session): session opened for user root by (uid=1000)
Apr 16 09:15:08 redward-HP-ProBook-440-G7 pkexec[557097]: redward: Executing command [USER=root] [TTY=unknown] [CWD=/home/redward] [COMMAND=/usr/lib/update-notifier/package-system-locked]
Apr 16 09:17:01 redward-HP-ProBook-440-G7 CRON[557644]: pam_unix(cron:session): session opened for user root by (uid=0)

Through this file, we can use grep to filter and print any session event relevant to our needs.
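As an added example that is not part of the original article, the following Python script applies the same “Failed password” match to /var/log/auth.log lines and aggregates the attempts per source address, which is what we need to tell a password-guessing run apart from a single mistyped password. The log lines inside it are constructed, and it assumes OpenSSH's default log wording (including the “invalid user” variant for accounts that do not exist):

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# The sshd lines the grep patterns above match, plus the "invalid user" form sshd
# logs for non-existent accounts (assumption: OpenSSH's default syslog wording).
FAILED_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: Accepted (?:password|publickey) for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def summarize(lines: Iterable[str]) -> Dict[str, Counter]:
    """Count failed and accepted SSH logins per source IP; noise such as dbus lines is ignored."""
    failed: Counter = Counter()
    accepted: Counter = Counter()
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            failed[m["ip"]] += 1
            continue
        m = ACCEPTED_RE.match(line)
        if m:
            accepted[m["ip"]] += 1
    return {"failed": failed, "accepted": accepted}

def suspicious_sources(summary: Dict[str, Counter], threshold: int = 5) -> List[Tuple[str, int, bool]]:
    """Sources with at least `threshold` failures; the flag marks ones that also got a login accepted."""
    return sorted((ip, n, summary["accepted"][ip] > 0)
                  for ip, n in summary["failed"].items() if n >= threshold)

# Constructed sample in the format shown above (not real log data).
SAMPLE_LOG = """\
Feb 14 15:08:39 localhost sshd[621893]: Failed password for john from 192.168.0.7 port 8132 ssh2
Feb 14 15:08:41 localhost sshd[621893]: Failed password for john from 192.168.0.7 port 8132 ssh2
Feb 14 15:08:44 localhost sshd[621901]: Failed password for invalid user admin from 192.168.0.7 port 8140 ssh2
Feb 14 15:08:47 localhost sshd[621905]: Failed password for root from 192.168.0.7 port 8144 ssh2
Feb 14 15:08:50 localhost sshd[621909]: Failed password for john from 192.168.0.7 port 8150 ssh2
Feb 14 15:09:02 localhost sshd[621913]: Accepted password for john from 192.168.0.7 port 8152 ssh2
Feb 14 15:20:11 localhost sshd[621950]: Failed password for alice from 10.0.0.5 port 51002 ssh2
Feb 14 15:21:00 localhost sshd[621955]: Accepted publickey for alice from 10.0.0.5 port 51010 ssh2
Apr 18 09:50:10 localhost dbus-daemon[2453]: [session uid=1000 pid=2453] Failed to activate service 'org.gnome.Nautilus': timed out
"""

if __name__ == "__main__":
    for ip, n, got_in in suspicious_sources(summarize(SAMPLE_LOG.splitlines())):
        print(f"{ip}: {n} failed password attempts, later accepted: {got_in}")
```

A source that fails repeatedly and is then accepted is the case worth reviewing first; on CentOS/RHEL feed it the lines of /var/log/secure instead.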

5. Conclusion

In this article, we’ve looked at different methods to monitor all login attempts on Linux. The last command is a powerful tool that lists all login activity. Furthermore, it shows the date and time of access, the duration of the session, and the device or terminal used.

The lastlog command also lists all login activity, and, by default, it prints out the username, port, and the last login time. We can also use the grep command to match and print specific patterns from the /var/log/auth.log file. On CentOS/RHEL systems, we should use the /var/log/secure file. This file stores a log of all login activity in the system.
