Who was on the server?
There comes a time when the system administrator needs to determine the date of the last login to each of the users, as well as prepare a list of those accounts that have not done so. If you had not previously known the lastlog command, you would be surprised how quickly and easily it can provide you with this data.
If you still think about it, do not forget that this command is also one of the good methods of security checking that can be performed on servers running Linux systems. It will help you identify potential problems. Those accounts that have been inactive for a long time, for example, can mean that they are no longer needed and can be disabled. But the accounts that were active at the time when their users were supposed to be on vacation somewhere in the Bahamas - may hint at problems with security on the server.
The lastlog command stores information about the user's last login to the system, but it will provide information only on those logs that are in the wtmp file. Entries in this file are made in binary format, so that they can only be viewed using special commands. I think many of you paid attention to the fact that when you log in to the console, the following message appears on the screen:
')
This line is generated by the login utility, which, after authorizing the user, accesses the file / var / log / lastlog, retrieves information about the previous successful login, displays it on the screen, and then updates the record in the lastlog file. In contrast to the file / var / log / lastlog, which contains records of the time of the last login to each user, the file / var / log / wtmp remembers all inputs and outputs of users to the system since the creation of this file.
To view the data for a specific user, you must use the following command last xxx , where xxx is the user login. And using the sort command head with parameter 5 in turn will help you to display only the last 5 results on the screen:
How deep you can view the history of the latest commands depends on how long the wtmp file is for . For example, you can use the logrotate utility, which monitors the log files and provides the so-called rotation of these files in case they exceed the specified size (or after a specified time interval). It also allows you to support more than one wtmp file and has an entry in logrotate.conf like this:
Even with several wtmp files, the data of some of your users may simply not be displayed. If, as a result of an individual user verification, you have not received any data on it, then this means that there are no records for a specific user in the wtmp file. To find out the date for creating the wtmp file, enter last mia in the console:
The best way to find the last login information for each user is to use the lastlog command . If any of the users has never logged in to the system, then instead of the terminal name and the last login time, the line will be displayed ** Never logged in **. If the output will consist of a large number of lines, you can also use the more command, which, unlike the less command, will display the contents of the file on the screen in separate pages. The result will look something like this:
Many of us may be surprised to see that bin, daemon, adm, and other service accounts have never logged in to the system. This is indeed the case, and means only that the / sbin / nologin parameter is set for the shells assigned at the time of user registration (login shells), which makes authorization impossible. The remaining data on the inputs show the date and time of the system from which the authorization was carried out.
To create a list of all accounts that have never logged in, you should use the following set of commands. We are already familiar with the lastlog command and I will not dwell on it in detail, then it is worth adding the grep utility to search for a keyword, in our case the word Never , and in order to display only the first data column, you can use the awk utility with the following syntax is '{print $ 1}' :
The entries in lastlog are listed according to user identifiers (User identifier - UID) - from root (root) to the user with the highest UID value in your / etc / passwd file. This is due to the format of the lastlog file itself . Unlike most Unix log files, a separate place is reserved in the lastlog file for recording the logs of each user, and in turn the place of each record is indexed by UID. After that, the files will be of a fixed size, especially if your system has accounts with the highest limit of its possible UID range - such as a 16-bit UID 65536. Also, this creates a large amount of unused space, though only if your identifiers are not strictly sequential . If your system supports 32-bit UIDs, the file can be very large and have 4,294,967,296 (232) different identifier values.
Each entry in the lastlog file contains the user name, the terminal name from which the user logged in, and the last login time. The entry for the superuser (UID 0) at the top of the file may look like this:
When executing the lastlog command on some computers, in certain cases it may appear that the command is “frozen”. This is due to the fact that even if there are only two users registered in the system (root and user), in the / var / log / lastlog file there is still room for the maximum possible number of users who can work in the system. Therefore, in the file / var / log / lastlog there may be large gaps between the identifiers of users who have been working in the system. Since when viewing such intervals, the program does not display information on the screen, and the impression of a “freeze” appears. Therefore, do not rush to press buttons and close the console, but wait for the response of the command.
As we have established with you, the lastlog command can be very useful for checking the logs of those users whose support you still support, to make sure that the accounts in the system are used properly and they are still relevant. Also, do not forget to check the size of the logs, but it may turn out that their volume already significantly exceeds the total size of your system.
Do not neglect to use fairly simple commands in your work, and, naturally, use the space wisely. Good luck!
If you still think about it, do not forget that this command is also one of the good methods of security checking that can be performed on servers running Linux systems. It will help you identify potential problems. Those accounts that have been inactive for a long time, for example, can mean that they are no longer needed and can be disabled. But the accounts that were active at the time when their users were supposed to be on vacation somewhere in the Bahamas - may hint at problems with security on the server.
The lastlog command stores information about the user's last login to the system, but it will provide information only on those logs that are in the wtmp file. Entries in this file are made in binary format, so that they can only be viewed using special commands. I think many of you paid attention to the fact that when you log in to the console, the following message appears on the screen:
')
Last login: Wed Nov 11 13:19:44 on ttys002 This line is generated by the login utility, which, after authorizing the user, accesses the file / var / log / lastlog, retrieves information about the previous successful login, displays it on the screen, and then updates the record in the lastlog file. In contrast to the file / var / log / lastlog, which contains records of the time of the last login to each user, the file / var / log / wtmp remembers all inputs and outputs of users to the system since the creation of this file.
To view the data for a specific user, you must use the following command last xxx , where xxx is the user login. And using the sort command head with parameter 5 in turn will help you to display only the last 5 results on the screen:
# last | head -5 root pts/0 193.178.187.30 Wed Nov 11 14:21 still logged in tuto ftpd3292 ::ffff:176.104.0 Wed Nov 11 11:11 - 11:15 (00:04) tuto ftpd29523 ::ffff:176.104.0 Tue Nov 10 18:58 - 19:03 (00:04) naturcok ftpd23502 ::ffff:176.104.0 Tue Nov 10 13:55 - 13:55 (00:00) naturcok ftpd20128 ::ffff:176.104.0 Tue Nov 10 13:50 - 13:55 (00:05) How deep you can view the history of the latest commands depends on how long the wtmp file is for . For example, you can use the logrotate utility, which monitors the log files and provides the so-called rotation of these files in case they exceed the specified size (or after a specified time interval). It also allows you to support more than one wtmp file and has an entry in logrotate.conf like this:
/var/log/wtmp { monthly create 0664 root utmp minsize 1M rotate 1 } Even with several wtmp files, the data of some of your users may simply not be displayed. If, as a result of an individual user verification, you have not received any data on it, then this means that there are no records for a specific user in the wtmp file. To find out the date for creating the wtmp file, enter last mia in the console:
# last mia wtmp begins Thu Sep 17 16:10:00 2015 The best way to find the last login information for each user is to use the lastlog command . If any of the users has never logged in to the system, then instead of the terminal name and the last login time, the line will be displayed ** Never logged in **. If the output will consist of a large number of lines, you can also use the more command, which, unlike the less command, will display the contents of the file on the screen in separate pages. The result will look something like this:
# lastlog | more Username Port From Latest root pts/0 xxx.xxx.xxx.xxx Wed Nov 11 14:21:59 +0200 2015 bin **Never logged in** daemon **Never logged in** adm **Never logged in** ispmaster pts/0 xxx.xxx.xxx.xxx Thu Nov 5 17:00:44 +0200 2015 Many of us may be surprised to see that bin, daemon, adm, and other service accounts have never logged in to the system. This is indeed the case, and means only that the / sbin / nologin parameter is set for the shells assigned at the time of user registration (login shells), which makes authorization impossible. The remaining data on the inputs show the date and time of the system from which the authorization was carried out.
To create a list of all accounts that have never logged in, you should use the following set of commands. We are already familiar with the lastlog command and I will not dwell on it in detail, then it is worth adding the grep utility to search for a keyword, in our case the word Never , and in order to display only the first data column, you can use the awk utility with the following syntax is '{print $ 1}' :
# lastlog | grep Never | awk '{print $1}' bin daemon adm . . . ntp user1819 user1939 The entries in lastlog are listed according to user identifiers (User identifier - UID) - from root (root) to the user with the highest UID value in your / etc / passwd file. This is due to the format of the lastlog file itself . Unlike most Unix log files, a separate place is reserved in the lastlog file for recording the logs of each user, and in turn the place of each record is indexed by UID. After that, the files will be of a fixed size, especially if your system has accounts with the highest limit of its possible UID range - such as a 16-bit UID 65536. Also, this creates a large amount of unused space, though only if your identifiers are not strictly sequential . If your system supports 32-bit UIDs, the file can be very large and have 4,294,967,296 (232) different identifier values.
Each entry in the lastlog file contains the user name, the terminal name from which the user logged in, and the last login time. The entry for the superuser (UID 0) at the top of the file may look like this:
# od -xc /var/log/lastlog | more 0000000 fba3 563d 7470 2f73 0030 0000 0000 0000 243 373 = V pts / 0 \0 \0 \0 \0 \0 \0 \0 0000020 0000 0000 0000 0000 0000 0000 0000 0000 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 0000040 0000 0000 3138 392e 2e35 3831 2e34 3532 \0 \0 \0 \0 8 1 . 9 5 . 1 8 4 . 2 5 0000060 0034 0000 0000 0000 0000 0000 0000 0000 4 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 0000100 0000 0000 0000 0000 0000 0000 0000 0000 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 When executing the lastlog command on some computers, in certain cases it may appear that the command is “frozen”. This is due to the fact that even if there are only two users registered in the system (root and user), in the / var / log / lastlog file there is still room for the maximum possible number of users who can work in the system. Therefore, in the file / var / log / lastlog there may be large gaps between the identifiers of users who have been working in the system. Since when viewing such intervals, the program does not display information on the screen, and the impression of a “freeze” appears. Therefore, do not rush to press buttons and close the console, but wait for the response of the command.
As we have established with you, the lastlog command can be very useful for checking the logs of those users whose support you still support, to make sure that the accounts in the system are used properly and they are still relevant. Also, do not forget to check the size of the logs, but it may turn out that their volume already significantly exceeds the total size of your system.
Do not neglect to use fairly simple commands in your work, and, naturally, use the space wisely. Good luck!
Source: https://habr.com/ru/post/270687/
All Articles