# How to check last login time for user #
There are several ways to check which users last logged in, and when.
1. `last` searches back through the file `/var/log/wtmp` (or the file designated by the `-f` flag) and displays a list of all users logged in and out since the file was created.
*Example* __To view the last login of all users:__
`$ last`
`bob pts/7 server1.example Mon May 5 14:36 still logged in`
`bob pts/5 server1.example Mon May 5 14:34 still logged in`
`root pts/5 main.test Sun Apr 27 04:18 - 04:20 (00:02)`
`john pts/11 server1.example Sat Apr 26 06:25 - 17:16 (10:51)`
`john pts/10 server1.example Sat Apr 26 06:20 - 17:16 (10:56)`
*Example* __To view the last login of a specific user:__
`$ last bob`
`bob pts/7 server1.example Mon May 5 14:36 still logged in`
`bob pts/5 server1.example Mon May 5 14:34 still logged in`
*Example* __To view the IP address of the source machine:__
`$ last bob -i`
`bob pts/7 192.168.0.100 Mon May 5 14:36 still logged in`
`bob pts/5 192.168.0.100 Mon May 5 14:34 still logged in`
2. `lastlog` formats and prints the contents of the last login log file, `/var/log/lastlog`.
*Example* __To view the last login time of user bob:__
`$ lastlog -u bob`
`Username Port From Latest`
`dave pts/7 server1.example Mon May 5 14:36:52 -0400 2014`
# Track successful/failed login attempts #
1. Login attempts are recorded in `/var/log/secure`, which can be searched for a given user.
`# grep bob /var/log/secure`
`May 18 14:56:17 lab1 unix_chkpwd[17490]: password check failed for user (bob)`
`May 18 14:56:17 lab1 sshd[17489]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=server1.example.com user=bob`
`May 18 14:56:18 lab1 sshd[17481]: Accepted keyboard-interactive/pam for bob from 192.168.0.25 port 60735 ssh2`
`May 18 14:56:18 lab1 sshd[17481]: pam_unix(sshd:session): session opened for user bob by (uid=0)`
`May 18 16:50:04 lab1 unix_chkpwd[19626]: password check failed for user (bob)`
`May 18 16:50:04 lab1 sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=0 euid=0 tty=/dev/pts/12 ruser= rhost= user=bob`
`May 18 16:50:04 lab1 sudo: bob : TTY=pts/12 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su -`
`May 18 16:50:04 lab1 su: pam_unix(su-l:session): session opened for user root by bob(uid=0)`
2. Use `aureport` to collect authentication reports for all recent attempts made on the system.
*Example* __Reports for all attempts:__
`# aureport -au -i`
`Authentication Report`
`============================================`
`# date time acct host term exe success event`
`============================================`
`1. 05/16/14 10:12:54 bob ? /dev/pts/116 /usr/bin/sudo yes 6946469`
`2. 05/16/14 12:09:19 jeff ? /dev/pts/117 /usr/bin/sudo yes 6947443`
`3. 05/16/14 12:16:11 jeff ? /dev/pts/102 /usr/bin/sudo yes 6947512`
`4. 05/16/14 13:00:10 bob ? /dev/pts/116 /usr/bin/sudo yes 6947866`
*Example* __Reports for successful attempts:__
`# aureport -au -i --success`
`Authentication Report`
`============================================`
`# date time acct host term exe success event`
`============================================`
`1. 05/16/14 10:12:54 bob ? /dev/pts/116 /usr/bin/sudo yes 6946469`
`2. 05/16/14 12:09:19 jeff ? /dev/pts/117 /usr/bin/sudo yes 6947443`
`3. 05/16/14 12:16:11 jeff ? /dev/pts/102 /usr/bin/sudo yes 6947512`
`4. 05/16/14 13:00:10 bob ? /dev/pts/116 /usr/bin/sudo yes 6947866`
*Example* __Reports for failed attempts:__
`# aureport -au -i --failed`
`Authentication Report`
`============================================`
`# date time acct host term exe success event`
`============================================`
`1. 05/16/14 15:42:11 dave ? /dev/pts/124 /usr/bin/sudo no 6949322`
`2. 05/17/14 12:02:53 andy 10.10.10.26 ssh /usr/sbin/sshd no 6959885`
`3. 05/18/14 01:21:06 abhay ? /dev/pts/12 /usr/bin/sudo no 6967954`
*Example* __Login Failures:__
`# aureport -l --failed`
`Login Report`
`============================================`
`# date time auid host term exe success event`
`============================================`
`1. 05/16/14 21:50:22 pete 10.191.29.164 sshd /usr/sbin/sshd no 6952386`
`2. 05/17/14 12:02:09 andy 10.10.10.26 sshd /usr/sbin/sshd no 6959875`
`3. 05/17/14 12:02:48 andy 10.10.10.26 sshd /usr/sbin/sshd no 6959884`
*Example* __Successful Logins:__
`# aureport -l --success`
`Login Report`
`============================================`
`# date time auid host term exe success event`
`============================================`
`1. 05/16/14 21:50:22 42771 10.191.29.164 sshd /usr/sbin/sshd yes 6952386`
`2. 05/17/14 12:02:09 34566 10.10.10.26 sshd /usr/sbin/sshd yes 6959875`
`3. 05/17/14 12:02:48 34566 10.10.10.26 sshd /usr/sbin/sshd yes 6959884`
*Example* __Login Summary Report:__
`# aureport -l --success --summary -i`
`Success Login Summary Report`
`============================================`
`total auid`
`============================================`
`4 alison`
`4 alex`
`3 andy`
`2 suzanne`
`1 paul`
`1 dave`
`1 pete`
`1 rashmi`
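
Grepping `/var/log/secure` for one user shows the raw lines; the sketch below tallies `pam_unix` authentication failures per user and service, and flags an SSH login that succeeds after repeated failures. It is an added example, not part of the original page: the sample lines are constructed in the shape of the output shown above, and the threshold of 3 is an assumption. On Debian-family systems the same messages are written to `/var/log/auth.log`.

```python
import re
from collections import defaultdict

# Patterns for the pam_unix and sshd message shapes in the /var/log/secure sample.
FAIL = re.compile(r"pam_unix\((?P<pam>[\w-]+):auth\): authentication failure;"
                  r".*?rhost=(?P<rhost>\S*)\s+user=(?P<user>\S+)")
OK = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
                r"from (?P<src>\S+) port \d+")

def summarize(lines, threshold=3):
    """Return (failures per (user, service), SSH logins accepted after
    `threshold` or more consecutive sshd failures for that user)."""
    failures = defaultdict(int)
    pending = defaultdict(int)   # sshd failures since the user's last success
    flagged = []
    for line in lines:
        m = FAIL.search(line)
        if m:
            failures[(m["user"], m["pam"])] += 1
            if m["pam"] == "sshd":
                pending[m["user"]] += 1
            continue
        m = OK.search(line)
        if m:
            if pending[m["user"]] >= threshold:
                flagged.append((m["user"], m["src"], pending[m["user"]]))
            pending[m["user"]] = 0
    return dict(failures), flagged

# Constructed sample lines (not real log data).
_F = ("May 18 14:56:%02d lab1 sshd[17489]: pam_unix(sshd:auth): authentication "
      "failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.25  user=%s")
SAMPLE = [
    _F % (11, "bob"), _F % (13, "bob"), _F % (15, "bob"),
    "May 18 14:56:18 lab1 sshd[17481]: Accepted keyboard-interactive/pam for bob from 192.168.0.25 port 60735 ssh2",
    "May 18 16:50:04 lab1 sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=0 euid=0 tty=/dev/pts/12 ruser= rhost=  user=bob",
    _F % (40, "john"),
    "May 18 14:56:45 lab1 sshd[17502]: Accepted password for john from 192.168.0.25 port 60740 ssh2",
]

if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE)
    print(counts)
    print(flagged)
```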
## Refs: ##
1. https://www.golinuxhub.com/2014/05/how-to-check-last-login-time-for-users.html
2. https://www.golinuxhub.com/2014/05/how-to-track-all-successful-and-failed.html