Viewing Login History
September 6, 2007 | In Linux

Reviewing when accounts logged in is also an important step in observing any suspicious behaviour on your systems. This information is recorded to a binary database logfile called /var/log/wtmp. This file cannot be viewed with a normal text editor as it is not a plaintext file; it also should not be rotated like other log files because it stays roughly the same size at all times. wtmp takes care of itself: as new data is written to the file, old data is removed.
To view a history of user logins, use the last command, optionally specifying a username to look at specifically (the default is to show information on all accounts):
# last joe
This will show when joe logged in; it will indicate what console or terminal they logged in at, the XFree86 display name if applicable, and the date/time of the login. By looking at this information, you can see if any anomalies appear, i.e. accounts being logged in when an individual would normally be sleeping, access outside of work hours, etc.
To view the last login, some systems provide the lastlog tool (most Linux systems do, OS X does not). lastlog displays pretty much the same information as last, but restricts the output to the absolute latest login. For instance:
# lastlog -u joe
This command will display the last login for the user joe. By default, lastlog displays the last login for all users on the system. Another useful command is lastb, which displays the last bad login attempt for users. However, most systems do not enable this by default. The log file used here is /var/log/btmp, which probably does not exist on the system. To create the file, execute as root:
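To automate the off-hours check described above, here is an added example (not from the original post): a small POSIX shell/awk filter that reads output in the format `last` prints and reports logins that started outside a working-hours window. The sample `last` output, the usernames and hosts in it, and the 08:00 to 18:00 window are all constructed assumptions.

```shell
#!/bin/sh
# Added example: report logins from `last` output that began outside work hours.
# Assumed input format (the common `last` layout):
#   user  tty  [host]  Day Mon DD HH:MM - HH:MM (duration)
# The host column is absent for local console logins, so fields may shift.

# Constructed sample of `last` output (not captured from a real system).
SAMPLE_LAST='joe      pts/0        192.0.2.10       Thu Sep  6 09:12 - 17:30  (08:18)
joe      pts/1        192.0.2.10       Thu Sep  6 03:47 - 04:02  (00:15)
alice    tty1                          Wed Sep  5 22:45 - 23:10  (00:25)
bob      pts/2        198.51.100.7     Wed Sep  5 13:05 - 13:40  (00:35)
reboot   system boot  2.6.22           Sat Sep  1 00:00 - 17:30 (5+17:30)

wtmp begins Sat Sep  1 00:00:01 2007'

# off_hours_logins START_HOUR END_HOUR  (reads `last` output on stdin)
# Prints one line per login whose START time is before START_HOUR or at/after
# END_HOUR (24h clock). Only the login time is checked, not the logout time.
off_hours_logins() {
    start="$1"; end="$2"
    awk -v start="$start" -v end="$end" '
        # skip blank lines, reboot records and the trailing "wtmp begins" footer
        NF == 0 || $1 == "reboot" || $1 == "wtmp" { next }
        {
            # locate the login time (first HH:MM field); its position tells us
            # whether a host column was present (i == 7) or not (i == 6)
            t = ""
            for (i = 4; i <= NF; i++)
                if ($i ~ /^[0-9][0-9]:[0-9][0-9]$/) { t = $i; break }
            if (t == "") next
            host = (i == 7) ? $3 : "-"
            hour = substr(t, 1, 2) + 0
            if (hour < start || hour >= end)
                printf "%-8s %-6s %-15s %s %s %s %s\n",
                       $1, $2, host, $(i-3), $(i-2), $(i-1), t
        }'
}

# Usage against the constructed sample with an 08:00-18:00 work window:
printf '%s\n' "$SAMPLE_LAST" | off_hours_logins 8 18
```

On a live system, replace the sample with `last | off_hours_logins 8 18`; the window should match the expected working pattern of the account being reviewed.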
Sed is your friend
September 4, 2007 | In Linux

Searching For Text in A File using sed
sed - stream editor for filtering and transforming text
# write out file with lines that DO NOT match "text to skip here" (emulates grep -v)
sed '/text to skip here/d' lastlogins.txt > last1.txt
# print only lines which match regular expression (emulates "grep")
sed -n '/regexp/p' # method 1
sed '/regexp/!d' # method 2