RedHat Root Account History

The best practice for checking login history in the most detail is to read the secure file under the /var/log/ directory:

# cd /var/log/
# cat /var/log/secure

last is another command for the system admin toolbox; it displays the login history of all users or of any specific user.

You do not need to be root to use it. Let's see some ways to use it.

# last

The output would be:

ggarron  pts/1        200.87.61.2      Sat Apr 25 11:02   still logged in   
ggarron  pts/0        200.87.61.2      Sat Apr 25 10:41   still logged in   
publico  pts/0        10.1.1.86        Fri Apr 24 16:25 - 16:47  (00:22)    
ggarron  pts/0        200.87.61.2      Sat Apr 18 19:34 - 19:54  (00:20)    
ggarron  pts/0        10.1.1.43        Wed Apr 15 15:27 - 10:30  (19:03)    
root     pts/0        200.87.61.2      Mon Apr 13 22:41 - 01:11  (02:29)    
ggarron  pts/0        200.87.61.2      Sat Apr 11 15:25 - 15:28  (00:02)    
ggarron  pts/0        200.87.61.2      Fri Apr 10 10:40 - 22:33  (11:53)    
publico  pts/0        10.1.1.86        Thu Apr  9 12:02 - 12:02  (00:00)    
publico  pts/0        10.1.1.86        Thu Apr  9 12:01 - 12:01  (00:00)

You can also make the IP address or name of the system from which the users logged in appear in the last column:

# last -a

And the output would be:

ggarron  pts/1        Sat Apr 25 11:02   still logged in    200.87.61.2
ggarron  pts/0        Sat Apr 25 10:41   still logged in    200.87.61.2
publico  pts/0        Fri Apr 24 16:25 - 16:47  (00:22)     10.1.1.86
ggarron  pts/0        Sat Apr 18 19:34 - 19:54  (00:20)     200.87.61.2
ggarron  pts/0        Wed Apr 15 15:27 - 10:30  (19:03)     10.1.1.43
root     pts/0        Mon Apr 13 22:41 - 01:11  (02:29)     200.87.61.2
ggarron  pts/0        Sat Apr 11 15:25 - 15:28  (00:02)     200.87.61.2
ggarron  pts/0        Fri Apr 10 10:40 - 22:33  (11:53)     200.87.61.2
publico  pts/0        Thu Apr  9 12:02 - 12:02  (00:00)     10.1.1.86
publico  pts/0        Thu Apr  9 12:01 - 12:01  (00:00)     10.1.1.86

Or display the history only for a given user:

# last publico -a

The output this time will be something like this:

publico  pts/0        Fri Apr 24 16:25 - 16:47  (00:22)     10.1.1.86
publico  pts/0        Thu Apr  9 12:02 - 12:02  (00:00)     10.1.1.86
publico  pts/0        Thu Apr  9 12:01 - 12:01  (00:00)     10.1.1.86

To print the tty-based login history:

# last pts/1
root     pts/1        219.91.219.14    Wed Nov  6 09:17   still logged in
mageshm  pts/1        219.91.219.14    Wed Nov  6 05:28 - 07:41  (02:12)
mageshm  pts/1        103.249.80.122   Wed Oct 23 07:33 - 14:44  (07:11)

To print the bad login attempts:

# lastb
2daygeek ssh:notty    109.123.89.67    Mon Oct 28 10:07 - 10:07  (00:00)
mageshm  ssh:notty    109.123.89.67    Mon Oct 28 10:04 - 10:04  (00:00)
root     ssh:notty    109.123.89.67    Mon Oct 28 06:44 - 06:44  (00:00)
mageshm  ssh:notty    103.249.80.122   Wed Oct 23 10:52 - 10:52  (00:00)
2daygeek ssh:notty    208.74.121.102   Wed Oct 23 08:15 - 08:15  (00:00)
mageshm  ssh:notty    219.91.219.14    Mon Oct 21 14:19 - 14:19  (00:00)
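
The following script is an added example, not part of the original post: it groups lastb-style records by source address so repeated failures from one host stand out, and lists the sources that tried the root account. The function names are hypothetical, and the sample input reuses the lastb lines above plus a constructed blank line and trailer.

```shell
#!/usr/bin/env bash
# Added example: summarise failed logins from lastb-style output.
# Assumes each record is: user, tty, source host, then the timestamp fields,
# as in the lastb sample above (a record with no source host would be misread).

# Read lastb lines on stdin; print "count source users", busiest source first.
failed_by_source() {
  awk '
    NF < 3 { next }                            # blank or truncated line
    $1 == "btmp" && $2 == "begins" { next }    # trailer line that lastb prints
    {
      count[$3]++
      if (!seen[$3, $1]++)                     # list each user once per source
        users[$3] = users[$3] (count[$3] > 1 ? "," : "") $1
    }
    END { for (s in count) printf "%d %s %s\n", count[s], s, users[s] }
  ' | sort -k1,1nr -k2,2
}

# Read lastb lines on stdin; print the sources that tried the root account.
root_sources() {
  awk 'NF >= 3 && $1 == "root" { print $3 }' | sort -u
}

# Sample input: the lastb lines shown above, plus a constructed blank line and
# a constructed "btmp begins" trailer to exercise the skip rules.
sample_lastb() {
  cat <<'EOF'
2daygeek ssh:notty    109.123.89.67    Mon Oct 28 10:07 - 10:07  (00:00)
mageshm  ssh:notty    109.123.89.67    Mon Oct 28 10:04 - 10:04  (00:00)
root     ssh:notty    109.123.89.67    Mon Oct 28 06:44 - 06:44  (00:00)
mageshm  ssh:notty    103.249.80.122   Wed Oct 23 10:52 - 10:52  (00:00)
2daygeek ssh:notty    208.74.121.102   Wed Oct 23 08:15 - 08:15  (00:00)
mageshm  ssh:notty    219.91.219.14    Mon Oct 21 14:19 - 14:19  (00:00)

btmp begins Mon Oct 21 14:19:00 2013
EOF
}

echo "Failed attempts per source:"
sample_lastb | failed_by_source
echo "Sources that tried root:"
sample_lastb | root_sources
```

On a live system, pipe the real output into the same functions as root, for example lastb | failed_by_source.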

Use the commands below if you have 30+ users logged in, so that you can see one page of logged-in users at a time.

# last | less
# last | more
