How to Use the Command 'lastb' (with examples)
- Linux
- December 17, 2024
The lastb command is a versatile tool used on Unix-like operating systems to display information about the last failed login attempts. The information is retrieved from the /var/log/btmp file, which stores a record of all failed login attempts. This tool is employed by system administrators to audit and review login failures, analyze security breaches, and monitor unauthorized access attempts. By examining the record of failed logins, administrators can ensure system security and take corrective measures if necessary.
Use case 1: List last logged in users
Code:
sudo lastb
Motivation:
Understanding patterns of failed login attempts is crucial for system security, as it helps in identifying unauthorized access attempts or potential malicious activities. By listing the most recent failed login attempts, administrators can get an overview of who tried to log in and from where, and take action to secure their systems if any suspicious activity is noted.
Explanation:
- sudo: This command needs superuser privileges since it accesses the system logs stored in /var/log/btmp.
- lastb: The command used to show a list of all users who failed to log in, sourced from the btmp file.
Example Output:
btmp begins Tue Oct 3 15:03:23 2023
username tty1 192.168.1.10 Tue Oct 3 15:03 still logged in
unknown tty3 192.168.1.12 Mon Oct 2 16:42 - 16:43 (00:01)
guest tty2 10.0.0.15 Mon Oct 2 15:21 - 15:22 (00:01)
Use case 2: List all last logged in users since a given time
Code:
sudo lastb --since YYYY-MM-DD
Motivation:
By specifying a particular time range for when to start listing failed login attempts, the administrator can focus on a specific period of interest. For instance, if a system experienced a breach or unusual login attempt within a certain timeframe, the admin can zero in on that timeframe to analyze events and assess any potential threats more thoroughly.
Explanation:
- sudo: Needed to access the log files with administrative privileges.
- lastb: Fetches the list of failed login attempts.
- --since YYYY-MM-DD: This argument filters the login attempts, only showing entries from the specified date onwards.
Example Output:
btmp begins Sat Oct 1 00:00:01 2023
guest tty4 192.168.1.15 Sat Oct 1 04:12 - 04:14 (00:02)
admin tty2 192.168.1.13 Sat Oct 1 03:05 - 03:06 (00:01)
Use case 3: List all last logged in users until a given time
Code:
sudo lastb --until YYYY-MM-DD
Motivation:
By using the --until flag, administrators can retrospectively examine failed login attempts until a specified date. This is particularly useful when assessing cumulative login failures over a period prior to some known event or during scheduled maintenance when login attempts should have been minimal or non-existent.
Explanation:
- sudo: Required for elevated access to read system logs written in /var/log/btmp.
- lastb: Runs the command to list failed logins.
- --until YYYY-MM-DD: Limits the log view to attempts that occurred on or before a certain date.
Example Output:
btmp ends Fri Sep 30 23:59:59 2023
user2 tty1 10.0.0.1 Fri Sep 30 21:10 - 21:12 (00:02)
guest tty5 192.168.1.7 Thu Sep 29 14:00 - 14:01 (00:01)
Use case 4: List all logged in users at a specific time
Code:
sudo lastb --present hh:mm
Motivation:
Sometimes it's crucial to determine who had failed login attempts at an exact point in time. This helps correlate suspicious activity, such as unauthorized access attempts, with specific events or anomalies, giving insight into a possible breach and into what users were doing during an incident.
Explanation:
- sudo: Used to execute the command with root privileges.
- lastb: Retrieves and displays failed login attempts.
- --present hh:mm: Focuses the output on failed logins occurring at a specific hour and minute, based on a 24-hour format.
Example Output:
Occurrences at 11:45
user3 tty3 10.0.0.14 Wed Sep 28 11:45 - 11:46 (00:01)
Use case 5: List all last logged in users and translate the IP into a hostname
Code:
sudo lastb --dns
Motivation:
Translating IP addresses into hostnames can provide more context, making it easier to identify the machines involved in the login attempts. This can be particularly helpful in networks where systems have identifiable hostnames that signify their role or location, assisting admins in making informed decisions regarding access control.
Explanation:
- sudo: Necessary for gaining access to system-authenticated files and outputs.
- lastb: Invokes the command to review failed login attempts.
- --dns: Instructs the command to convert IP addresses into hostnames for readability.
Example Output:
btmp begins Tue Oct 3 15:03:23 2023
admin tty1 server.local Tue Oct 3 15:03 still logged in
unknown tty3 desktop.domain Mon Oct 2 16:42 - 16:43 (00:01)
guest tty2 access-point Mon Oct 2 15:21 - 15:22 (00:01)
Conclusion:
The lastb command serves as an efficient auditing tool to monitor and keep track of failed login attempts, helping system administrators identify and address security lapses or unauthorized access attempts. With various options to filter and present data, administrators can tailor their security audits to focus on specific needs, thereby enhancing overall security posture.