LinuxQuestions.org
Old 04-17-2006, 06:44 PM   #1
eder_michael11
Member
 
Registered: Jan 2006
Posts: 51

Rep: Reputation: 15
What file has the information of LAST LOGIN???


Sorry, if I got into a computer by SSH and I don't want the next person who logs in to see my login,

does some file have the login information?

Like
.bash_history has the commands entered in the console,
is there some file with that information

that I can erase??
 
Old 04-17-2006, 06:47 PM   #2
GUIPenguin
Member
 
Registered: Aug 2004
Location: Maine
Distribution: Gentoo Linux
Posts: 239

Rep: Reputation: 30
That is a good question. I was thinking the same last night and am curious to see how to disable it. It's not an SSHd setting because it will display the same when logging on locally. If anyone knows where it keeps this or how it is generated I too would like to know. (I'm thinking it might have to do with PAM)
 
Old 04-17-2006, 06:52 PM   #3
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141

Rep: Reputation: 168
Are you talking about the /var/log/wtmp file that the last command (and /var/log/btmp for lastb) uses? On my system (Slackware) the files are only populated if they exist.

If you're the root user you'll have permission to remove the files. If you're not, you need to talk to the system's administrator.
 
Old 04-17-2006, 06:58 PM   #4
GUIPenguin
Member
 
Registered: Aug 2004
Location: Maine
Distribution: Gentoo Linux
Posts: 239

Rep: Reputation: 30
Actually... you can just do this easily

echo " " > /var/log/lastlog and logout.... and then it won't say anything when you log in again:


if you don't want people to see your last login... with 'last'


echo " " > /var/log/wtmp


This of course is for knowledge of how Linux stores its info and not covering up tracks? Lol.

Last edited by GUIPenguin; 04-17-2006 at 07:09 PM.
 
Old 04-17-2006, 07:09 PM   #5
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Debian, Ubuntu, LinuxMint, Slackware, SysrescueCD, Raspbian, Arch
Posts: 2,331

Rep: Reputation: 357
If you're hoping to hide your access from a system administrator, good luck. Unless the sysadm is not terribly good at what they do. Yes, there are lastlogin files and wtmp as has been mentioned, but that's not all. The places where a sysadmin would look for questionable ssh accesses are not even viewable by a standard user, much less modifiable. There are bad guys out there who could root a system and hide their tracks, but from the sounds of your questions, I don't think you're one of these. No offense intended - I'm certainly not one who could (or would) do this either!
 
Old 04-17-2006, 07:17 PM   #6
GUIPenguin
Member
 
Registered: Aug 2004
Location: Maine
Distribution: Gentoo Linux
Posts: 239

Rep: Reputation: 30
Quote:
Originally Posted by haertig
If you're hoping to hide your access from a system administrator, good luck. Unless the sysadm is not terribly good at what they do. Yes, there are lastlogin files and wtmp as has been mentioned, but that's not all. The places where a sysadmin would look for questionable ssh accesses are not even viewable by a standard user, much less modifiable. There are bad guys out there who could root a system and hide their tracks, but from the sounds of your questions, I don't think you're one of these. No offense intended - I'm certainly not one who could (or would) do this either!

Well, now I have to ask this question: let's say a cracker gained access via ssh and "only" deleted lastlog and wtmp. As a system administrator where else could I look? I'm guessing last place would be firewall logs; having it log the IP address that connects to that port on a remote database or something not directly on the system. Are there any more system configs that could be checked for ssh login?

Last edited by GUIPenguin; 04-17-2006 at 07:20 PM.
 
Old 04-17-2006, 07:46 PM   #7
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Debian, Ubuntu, LinuxMint, Slackware, SysrescueCD, Raspbian, Arch
Posts: 2,331

Rep: Reputation: 357
Quote:
Originally Posted by GUIPenguin
Well, now I have to ask this question: let's say a cracker gained access via ssh and "only" deleted lastlog and wtmp. As a system administrator where else could I look?
It depends on how you set up ssh and syslogging of auth messages. On my system, these go to /var/log/auth.log (only readable by root). For example, here is a log of me coming in remotely as userid "david" using pubkey authentication and running "sudo fdisk -l" (remote IP address manually blanked to "aaa.bbb.ccc.ddd" by me for display here):
Code:
Apr 17 16:30:05 familyroom sshd[19652]: Accepted publickey for david from aaa.bbb.ccc.ddd port 33742 ssh2
Apr 17 16:30:05 familyroom sshd[19656]: (pam_unix) session opened for user david by (uid=0)
Apr 17 16:30:05 familyroom sudo:    david : TTY=unknown ; PWD=/home/david ; USER=root ; COMMAND=/sbin/fdisk -l
Apr 17 16:30:05 familyroom sshd[19656]: (pam_unix) session closed for user david
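
Added example (not posted by any participant in this thread): a cross-check that lists sshd logins which auth.log recorded but wtmp lacks, the situation a sysadmin faces after wtmp has been emptied. Assumptions: the 384-byte glibc utmp record layout, log timestamps in UTC, hypothetical function names, and constructed sample data using documentation IP addresses.

```python
import calendar, re, struct, time

# Assumed layout: 384-byte glibc utmp record used for /var/log/wtmp on Linux.
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20s")
USER_PROCESS = 7  # ut_type of a login session record
ACCEPTED = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                      r"Accepted \S+ for (\S+) from (\S+) port \d+")

def accepted_logins(lines, year):
    """(epoch, user, host) per sshd 'Accepted' line. Syslog omits the year,
    so the caller supplies it; timestamps are assumed to be UTC."""
    out = []
    for line in lines:
        m = ACCEPTED.match(line)
        if m:
            t = time.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            out.append((calendar.timegm(t), m.group(2), m.group(3)))
    return out

def wtmp_logins(blob):
    """(epoch, user, host) for every USER_PROCESS record in raw wtmp bytes."""
    out = []
    for off in range(0, len(blob) - UTMP.size + 1, UTMP.size):
        rec = UTMP.unpack_from(blob, off)
        if rec[0] == USER_PROCESS:
            user = rec[4].split(b"\0", 1)[0].decode(errors="replace")
            host = rec[5].split(b"\0", 1)[0].decode(errors="replace")
            out.append((rec[9], user, host))  # rec[9] is ut_tv.tv_sec
    return out

def missing_from_wtmp(auth_lines, blob, year, slack=5):
    """Logins syslog saw with no wtmp record for that user within slack s."""
    seen = wtmp_logins(blob)
    return [(t, u, h) for t, u, h in accepted_logins(auth_lines, year)
            if not any(u == wu and abs(t - wt) <= slack for wt, wu, _ in seen)]

def make_record(epoch, user, host):
    """Build one constructed wtmp record for the sample below."""
    return UTMP.pack(USER_PROCESS, 1234, b"pts/0", b"ts/0", user, host,
                     0, 0, 0, epoch, 0, 0, 0, 0, 0, b"")

# Constructed sample: two accepted logins, but wtmp only knows about david.
SAMPLE_AUTH = [
    "Apr 17 16:30:05 familyroom sshd[19652]: Accepted publickey for david from 192.0.2.10 port 33742 ssh2",
    "Apr 17 18:02:41 familyroom sshd[20111]: Accepted password for alice from 198.51.100.7 port 40112 ssh2",
]
SAMPLE_WTMP = make_record(calendar.timegm((2006, 4, 17, 16, 30, 6)),
                          b"david", b"192.0.2.10")

if __name__ == "__main__":
    for t, user, host in missing_from_wtmp(SAMPLE_AUTH, SAMPLE_WTMP, 2006):
        print(time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(t)), user, host)
```

sshd writes a wtmp record only for sessions that allocate a terminal, so a remote command run without one also shows up here; treat each hit as a lead to investigate, ideally against a copy of auth.log forwarded to another host.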
 