what file has the information of LAST LOGGIN???
sorry if i got into a computer by SSH and i dont want that the next who loggin watches my loggin
does some file has the information of loggins???? like .bash_history has the commands entered in console is there some file with that information??? that i can erase?? |
That is a good question. I was thinking the same last night and am quarious to see how to disable it. Its not an SSHd setting because it will display the same when logging on locally. If anyone knows where it keeps this or how it is generated I too would like to know. (Im thinking it might have to do with PAM)
|
Are you talking about the /var/log/wtmp file that the last command (and /var/log/btmp for lastb) uses? On my system (Slackware) the files are only populated if they exist.
If you're the root user you'll have permission to remove the files. If you're not, you need to talk to the system's administrator. |
actualy... you can just do this easly
echo " " > /var/log/lastlog and logout.... and then it wont say anything when you login again: if you dont want people to see your last login... with 'last' echo " " > /var/log/wtmp This of course is for knowlage of how linux stores its info and not covering up tracks? Lol. |
If you're hoping to hide your access from a system administrator, good luck. Unless the sysadm is not terribly good at what they do. Yes, there are lastlogin files and wtmp as has been mentioned, but that's not all. The places where a sysadmin would look for questionable ssh accesses are not even viewable by a standard user, much less modifiable. There are bad guys out there who could root a system and hide their tracks, but from the sounds of your questions, I don't think you're one of these. No offense intended - I'm certainly not one who could (or would) do this either!
|
Quote:
Well, now I have to ask this question: lets say a cracker gained access via ssh and "only" deleted lastlog and wtmp. As a system administrator where else could I look? I'm guessing last place would be firewall logs; having it log the ip address that connects to that port on a remote database or something not directly on the system. Are there any more system configs that could be checked for ssh login? |
Quote:
Code:
Apr 17 16:30:05 familyroom sshd[19652]: Accepted publickey for david from aaa.bbb.ccc.ddd port 33742 ssh2 |
All times are GMT -5. The time now is 11:12 AM. |