LinuxQuestions.org

Linux - General: what file has the information of LAST LOGGIN??? (https://www.linuxquestions.org/questions/linux-general-1/what-file-has-the-information-of-last-loggin-436179/)

eder_michael11 04-17-2006 06:44 PM

What file has the information of LAST LOGIN???

Sorry, if I got into a computer by SSH and I don't want the next person who logs in to see my login,

does some file have the information of logins?

Like
.bash_history has the commands entered in the console;
is there some file with that information

that I can erase?

GUIPenguin 04-17-2006 06:47 PM

That is a good question. I was thinking the same last night and am curious to see how to disable it. It's not an sshd setting because it will display the same when logging on locally. If anyone knows where it keeps this or how it is generated I too would like to know. (I'm thinking it might have to do with PAM.)

gilead 04-17-2006 06:52 PM

Are you talking about the /var/log/wtmp file that the last command (and /var/log/btmp for lastb) uses? On my system (Slackware) the files are only populated if they exist.

If you're the root user you'll have permission to remove the files. If you're not, you need to talk to the system's administrator.

GUIPenguin 04-17-2006 06:58 PM

Actually... you can just do this easily:

Code:

echo " " > /var/log/lastlog

and log out.... and then it won't say anything when you log in again.

If you don't want people to see your last login with 'last':

Code:

echo " " > /var/log/wtmp

This of course is for knowledge of how Linux stores its info and not covering up tracks? Lol.

haertig 04-17-2006 07:09 PM

If you're hoping to hide your access from a system administrator, good luck. Unless the sysadmin is not terribly good at what they do. Yes, there are lastlog files and wtmp as has been mentioned, but that's not all. The places where a sysadmin would look for questionable ssh accesses are not even viewable by a standard user, much less modifiable. There are bad guys out there who could root a system and hide their tracks, but from the sound of your questions, I don't think you're one of these. No offense intended - I'm certainly not one who could (or would) do this either!

GUIPenguin 04-17-2006 07:17 PM

Quote:

Originally Posted by haertig
If you're hoping to hide your access from a system administrator, good luck. Unless the sysadmin is not terribly good at what they do. Yes, there are lastlog files and wtmp as has been mentioned, but that's not all. The places where a sysadmin would look for questionable ssh accesses are not even viewable by a standard user, much less modifiable. There are bad guys out there who could root a system and hide their tracks, but from the sound of your questions, I don't think you're one of these. No offense intended - I'm certainly not one who could (or would) do this either!


Well, now I have to ask this question: let's say a cracker gained access via ssh and "only" deleted lastlog and wtmp. As a system administrator, where else could I look? I'm guessing the last place would be firewall logs; having it log the IP address that connects to that port on a remote database or something not directly on the system. Are there any more system configs that could be checked for ssh logins?

haertig 04-17-2006 07:46 PM

Quote:

Originally Posted by GUIPenguin
Well, now I have to ask this question: let's say a cracker gained access via ssh and "only" deleted lastlog and wtmp. As a system administrator, where else could I look?

It depends on how you set up ssh and syslogging of auth messages. On my system, these go to /var/log/auth.log (only readable by root). For example, here is a log of me coming in remotely as userid "david" using pubkey authentication and running "sudo fdisk -l" (remote IP address manually blanked to "aaa.bbb.ccc.ddd" by me for display here):
Code:

Apr 17 16:30:05 familyroom sshd[19652]: Accepted publickey for david from aaa.bbb.ccc.ddd port 33742 ssh2
Apr 17 16:30:05 familyroom sshd[19656]: (pam_unix) session opened for user david by (uid=0)
Apr 17 16:30:05 familyroom sudo:    david : TTY=unknown ; PWD=/home/david ; USER=root ; COMMAND=/sbin/fdisk -l
Apr 17 16:30:05 familyroom sshd[19656]: (pam_unix) session closed for user david
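Added example, not posted by anyone in this thread: a script that puts the two halves of this discussion together. It decodes the binary /var/log/wtmp records that `last` reads (the file gilead named and GUIPenguin suggested zapping), pulls the sshd "Accepted" lines out of auth.log (the file haertig points to), and reports any syslog login that no longer has a matching wtmp record. It assumes glibc's struct utmp layout on x86_64 (384-byte records), and all of the log lines, usernames, PIDs and RFC 5737 addresses below are constructed test data modelled on the excerpt above, not real captures.

```python
"""Cross-check sshd logins in auth.log against the binary wtmp file `last`
reads, so a login wiped from wtmp (or a wtmp overwritten by
`echo " " > /var/log/wtmp`) still shows up in the auth log.

Assumptions: glibc struct utmp on x86_64 (384-byte records); sample data
below is constructed, modelled on the thread's log excerpt."""
import re
import struct

# struct utmp as laid out by glibc on x86_64 (bits/utmp.h): ut_type, 2 pad bytes,
# ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256], ut_exit (2 shorts),
# ut_session, ut_tv (sec, usec as int32), ut_addr_v6[4], 20 unused bytes.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS = 7   # a login session (what `last` lists)
DEAD_PROCESS = 8   # the matching logout

ACCEPTED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<host>\S+) port (?P<port>\d+)"
)


def pack_utmp(ut_type, pid, line, user, host, tv_sec):
    """Build one wtmp record; used only to construct sample data here."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def parse_wtmp(data):
    """Decode wtmp bytes into records. Returns (records, warning); warning is
    set when the length is not a whole number of records, which is what a
    shell-truncated or overwritten wtmp looks like."""
    warning = None
    if len(data) % UTMP_SIZE:
        warning = "wtmp is %d bytes, not a multiple of %d: truncated or overwritten" % (
            len(data), UTMP_SIZE)
    records = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        records.append({
            "type": f[0], "pid": f[1],
            "line": f[2].rstrip(b"\0").decode(errors="replace"),
            "user": f[4].rstrip(b"\0").decode(errors="replace"),
            "host": f[5].rstrip(b"\0").decode(errors="replace"),
            "time": f[9],
        })
    return records, warning


def parse_auth_log(lines):
    """Pull every successful sshd authentication out of auth.log lines."""
    logins = []
    for line in lines:
        m = ACCEPTED_RE.search(line)
        if m:
            d = m.groupdict()
            d["pid"] = int(d["pid"])
            d["port"] = int(d["port"])
            logins.append(d)
    return logins


def cross_check(logins, wtmp_records):
    """Mark each auth.log login with whether wtmp still holds a matching
    login record (same user and source host)."""
    out = []
    for login in logins:
        present = any(r["type"] == USER_PROCESS and r["user"] == login["user"]
                      and r["host"] == login["host"] for r in wtmp_records)
        out.append(dict(login, in_wtmp=present))
    return out


# Constructed auth.log excerpt in the same syslog/pam_unix format as the thread.
AUTH_LOG = """\
Apr 17 16:30:05 familyroom sshd[19652]: Accepted publickey for david from 192.0.2.10 port 33742 ssh2
Apr 17 16:30:05 familyroom sshd[19656]: (pam_unix) session opened for user david by (uid=0)
Apr 17 16:30:05 familyroom sudo:    david : TTY=unknown ; PWD=/home/david ; USER=root ; COMMAND=/sbin/fdisk -l
Apr 17 16:30:05 familyroom sshd[19656]: (pam_unix) session closed for user david
Apr 17 23:41:12 familyroom sshd[20311]: Accepted password for eder from 198.51.100.7 port 51022 ssh2
Apr 17 23:41:12 familyroom sshd[20315]: (pam_unix) session opened for user eder by (uid=0)
""".splitlines()

# Constructed wtmp: only david's session is recorded; eder's record is gone.
WTMP_INTACT = (pack_utmp(USER_PROCESS, 19656, "pts/0", "david", "192.0.2.10", 1145309405)
               + pack_utmp(DEAD_PROCESS, 19656, "pts/0", "", "", 1145309405))
# What `echo " " > /var/log/wtmp` leaves behind: a space and a newline.
WTMP_WIPED = b" \n"


def report(auth_lines, wtmp_bytes):
    """Print a per-login summary and return the logins missing from wtmp."""
    records, warning = parse_wtmp(wtmp_bytes)
    if warning:
        print("WARNING:", warning)
    checked = cross_check(parse_auth_log(auth_lines), records)
    for c in checked:
        print("%-8s %-16s %-10s wtmp:%s" % (c["user"], c["host"], c["method"],
                                            "yes" if c["in_wtmp"] else "MISSING"))
    return [c for c in checked if not c["in_wtmp"]]


if __name__ == "__main__":
    print("== intact wtmp ==")
    report(AUTH_LOG, WTMP_INTACT)
    print("== wtmp overwritten with a space ==")
    report(AUTH_LOG, WTMP_WIPED)
```

On a real box you would run this as root, feeding `open("/var/log/wtmp", "rb").read()` and the lines of /var/log/auth.log (or /var/log/secure on Red Hat-style systems) to report(). The record layout differs on 32-bit and non-glibc systems, so check it against bits/utmp.h before trusting the decode there. The 2-byte wtmp left by the echo trick above is itself the tell: `last` then shows nothing, while sshd's "Accepted" lines remain in the root-only auth log.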


