LinuxQuestions.org
Old 03-29-2014, 06:39 AM   #1
NotionCommotion
Member
 
Registered: Aug 2012
Posts: 568

Rep: Reputation: Disabled
List of users that logged on and understanding last


I would like to view a list of who logged on to my server. I believe this information is stored in /var/log/wtmp, and accessible using the last command. I would like to better understand the information this log is reporting. Questions:
  1. Is last the correct way to view this information?
  2. How do I tell the IP of the remote user?
  3. What does pts/0 (or pts/1, 2) mean?
  4. tty1 is just terminal 1? Are there other terminals?
  5. Does "down" mean the user logged out?
  6. What does the "+1" mean in some of the time column records?

Thanks
Code:
[root@michaels UsmyNaerme]# last
UsmyNaer pts/0        192.168.0.103    Fri Mar 28 20:23   still logged in
UsmyNaer pts/2        192.168.0.103    Fri Mar 28 08:45 - 11:56  (03:11)
UsmyNaer pts/1        192.168.0.103    Fri Mar 28 06:06 - 10:55  (04:48)
UsmyNaer pts/0        192.168.0.103    Fri Mar 28 00:40 - 10:39  (09:59)
root     tty1                          Fri Mar 28 00:36   still logged in
reboot   system boot  2.6.32-431.5.1.e Fri Mar 28 00:35 - 20:27  (19:52)
root     tty1                          Fri Mar 28 00:28 - down   (00:05)
UsmyNaer pts/0        192.168.0.103    Thu Mar 27 20:41 - down   (03:52)
root     tty1                          Thu Mar 27 00:04 - 00:28 (1+00:24)
UsmyNaer pts/1        192.168.0.103    Wed Mar 26 23:38 - 00:07  (00:29)
UsmyNaer pts/0        192.168.0.103    Wed Mar 26 21:52 - 05:03  (07:11)
reboot   system boot  2.6.32-431.5.1.e Wed Mar 26 21:51 - 00:34 (1+02:43)
UsmyNaer pts/1        192.168.0.103    Wed Mar 26 21:10 - down   (00:40)
UsmyNaer pts/0        192.168.0.103    Wed Mar 26 19:49 - down   (02:01)
UsmyNaer pts/0        192.168.0.103    Tue Mar 25 19:24 - 01:12  (05:47)
UsmyNaer pts/0        192.168.0.103    Tue Mar 25 09:32 - 12:43  (03:10)
root     tty1                          Tue Mar 25 01:53 - down  (1+19:57)
UsmyNaer pts/0        192.168.0.103    Tue Mar 25 00:39 - 03:45  (03:06)
reboot   system boot  2.6.32-431.5.1.e Tue Mar 25 00:38 - 21:50 (1+21:12)
UsmyNaer pts/0        192.168.0.103    Mon Mar 24 20:36 - down   (04:01)
UsmyNaer pts/1        192.168.0.103    Mon Mar 24 11:08 - 14:19  (03:11)
UsmyNaer pts/0        192.168.0.103    Mon Mar 24 11:00 - 11:24  (00:24)
root     tty1                          Mon Mar 24 10:56 - down   (13:40)
root     tty1                          Mon Mar 24 10:53 - 10:56  (00:03)
root     pts/0        192.168.0.103    Mon Mar 24 10:49 - 10:56  (00:07)
root     pts/0        192.168.0.109    Mon Mar 24 01:45 - 01:47  (00:02)
root     pts/2        192.168.0.103    Mon Mar 24 01:34 - 02:45  (01:10)
root     pts/1        192.168.0.104    Sun Mar 23 23:23 - 03:45  (04:21)
root     pts/0        192.168.0.103    Sun Mar 23 23:10 - 01:37  (02:26)
reboot   system boot  2.6.32-431.5.1.e Sun Mar 23 22:53 - 00:37 (1+01:44)
root     pts/0        192.168.0.103    Sun Mar 23 20:51 - down   (02:01)
root     pts/0        192.168.0.103    Sun Mar 23 05:54 - 10:25  (04:30)
root     pts/0        192.168.0.103    Sun Mar 23 00:17 - 05:28  (05:11)
root     tty1                          Sat Mar 22 02:08 - down  (1+20:44)
reboot   system boot  2.6.32-431.el6.x Sat Mar 22 00:41 - 22:52 (1+22:11)

wtmp begins Sat Mar 22 00:41:20 2014
[root@michaels UsmyNaerme]#
 
Old 03-29-2014, 08:05 AM   #2
allend
Senior Member
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware-current
Posts: 4,503

Rep: Reputation: 1383
Quote:
I would like to view a list of who logged on to my server.
You can also use the 'w' command.

You can look at network connections using the 'netstat' command.

pts refers to pseudo terminals (i.e. not hardware). In your listing they are probably shells opened in a GUI.

tty1 is the first terminal. You probably also have tty2 to tty6. If you use Alt-F[2-6] in tty1, you will probably get tty[2-6].

down means that system has gone down, probably for reboot.

The +1 means to add a day, i.e. 24 hours.

Quote:
root tty1 Thu Mar 27 00:04 - 00:28 (1+00:24)
So you had a root shell open on the primary terminal for over 24 hours. Not a good practice from a security point of view.
 
Old 03-29-2014, 08:34 AM   #3
NotionCommotion
Member
 
Registered: Aug 2012
Posts: 568

Original Poster
Rep: Reputation: Disabled
Thanks allend,

Good point about having root open for over 24 hours. This is just a test server for learning purposes, and I will flatten in a couple of days and start over. That being said, no use getting in bad habits.

Both 'last' and 'w' both don't show the remote user's IP. How is this done? Or would I see something different than 192.168.0.103 if I was remote?

In regards to 'netstat', should it be replaced by 'ss'? Also, what do the foreign IP connections mean which I show below in bold?

Thanks


[root@michaels myUserName]# ss
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 127.0.0.1:48938 127.0.0.1:6379
....
ESTAB 0 0 192.168.0.215:ssh 114.111.161.23:40312
....
ESTAB 0 52 192.168.0.215:ssh 192.168.0.103:62488
....
ESTAB 0 0 127.0.0.1:6379 127.0.0.1:49188

[root@michaels myUserName]# netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 newlaptop.michaels.lan:ssh 218.51.174.61.dial.w:nimreg TIME_WAIT
....
tcp 0 840 newlaptop.michaels.lan:ssh 218.51.174.61.dial.w:sabams ESTABLISHED
tcp 0 0 newlaptop.michaels.lan:ssh 192.168.0.103:62488 ESTABLISHED
....
tcp 0 0 newlaptop.michaels.lan:ssh 114.111.161.23:50824 ESTABLISHED
....
tcp 0 0 localhost:6379 localhost:49188 ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ] DGRAM 9390 @/org/kernel/udev/udevd
....
[root@michaels myUserName]#
 
Old 03-29-2014, 08:52 AM   #4
allend
Senior Member
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware-current
Posts: 4,503

Rep: Reputation: 1383
You are getting similar information from 'ss' as you can get from 'netstat'.
Quote:
ESTAB 0 0 192.168.0.215:ssh 114.111.161.23:40312
....
ESTAB 0 52 192.168.0.215:ssh 192.168.0.103:62488
That output is showing a connection from port 40312 on a remote host with IP address 114.111.161.23 to the ssh port (port 22) on the local host with IP address 192.168.0.215.
There is also a connection from port 62488 on a remote host with IP address 192.168.0.103 to the ssh port (port 22) on the local host with IP address 192.168.0.215.
 
Old 03-29-2014, 08:53 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,335
Blog Entries: 55

Rep: Reputation: 3535
Quote:
Originally Posted by NotionCommotion
(..) no use getting in bad habits.
Commendable.


Quote:
Originally Posted by NotionCommotion
Both 'last' and 'w' both don't show the remote user's IP. How is this done?
With 'last', use the "-wai" switches.


Quote:
Originally Posted by NotionCommotion
In regards to 'netstat', should it be replaced by 'ss'?
Whatever your system offers I'd say. Since you're into good habits ensure to always avoid resolving names, networks, addresses, ports, services and such. Not only does it give you a much clearer view of output it's also way faster.


Quote:
Originally Posted by NotionCommotion
Also, what do the foreign IP connections mean which I show below in bold?
To add to what allend said: TCP allows a connection between end points so for example for a SSH connection you'd see an ephemeral port on your side and port TCP/22 on the server side. With netstat under Linux I always use the "-antupe" switches BTW (check the outputs Process Id's / application names).
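The `ss` and `last` outputs discussed above can be cross-checked: a TCP connection to sshd is established before authentication, so a peer can appear in `ss` without any session in `last`. The following is an added example, not code from the thread; the sample text is constructed on the model of the posted output (numeric ports, as unSpawn recommends) and the function names are illustrative.

```python
import re

# Constructed sample input, modelled on the output posted in this thread.
LAST_OUT = """\
UsmyNaer pts/0        192.168.0.103    Fri Mar 28 20:23   still logged in
UsmyNaer pts/2        192.168.0.103    Fri Mar 28 08:45 - 11:56  (03:11)
root     tty1                          Fri Mar 28 00:36   still logged in
reboot   system boot  2.6.32-431.5.1.e Fri Mar 28 00:35 - 20:27  (19:52)
"""
SS_OUT = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 127.0.0.1:48938 127.0.0.1:6379
ESTAB 0 0 192.168.0.215:22 114.111.161.23:40312
ESTAB 0 52 192.168.0.215:22 192.168.0.103:62488
"""

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def active_login_sources(last_out):
    """Source addresses of sessions that `last` reports as still logged in."""
    sources = set()
    for line in last_out.splitlines():
        fields = line.split()
        # Console logins (tty1) and reboot rows have no address in column 3.
        if len(fields) >= 3 and "still logged in" in line and IPV4.match(fields[2]):
            sources.add(fields[2])
    return sources


def ssh_peers(ss_out, ports=("22", "ssh")):
    """Peer addresses of established connections to the local ssh port."""
    peers = set()
    for line in ss_out.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[0] == "ESTAB" \
                and fields[3].rsplit(":", 1)[-1] in ports:
            peers.add(fields[4].rsplit(":", 1)[0])
    return peers


def peers_without_session(last_out, ss_out):
    """ssh peers that hold a connection but have no logged-in session."""
    return sorted(ssh_peers(ss_out) - active_login_sources(last_out))


if __name__ == "__main__":
    print(peers_without_session(LAST_OUT, SS_OUT))
```

Addresses returned by `peers_without_session` are the ones to look up in the sshd authentication log.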
 
Old 03-29-2014, 09:53 AM   #6
mddnix
Member
 
Registered: Mar 2013
Distribution: Redhat, Ubuntu
Posts: 521

Rep: Reputation: 141
Quote:
Originally Posted by NotionCommotion
  1. Is last the correct way to view this information?
  2. How do I tell the IP of the remote user?
  3. What does pts/0 (or pts/1, 2) mean?
  4. tty1 is just terminal 1? Are there other terminals?
  1. Yes. But there is also another way:
    Code:
    # utmpdump /var/log/wtmp
  2. From the previous command's 6th column. Some other ways to check active connections:
    Code:
    # echo $SSH_CONNECTION
    # w
    # pinky
    # netstat -n | grep ':22'
    # lsof -i :ssh
  3. As allend already mentioned, it stands for pseudo terminal slave. The difference between TTY and PTS is the type of connection to the computer. TTY ports are direct connections to the computer such as a keyboard/mouse or a serial connection to the device. PTS connections are SSH connections or telnet connections. All of these connections can connect to a shell which will allow you to issue commands to the computer. Source: TTY vs PTS

  4. By default there are 12 ttys as mentioned in file /etc/securetty, but only 6 (1-6) are made available, which can be changed by editing /etc/init/start-ttys.conf. In RHEL tty1 (ctrl+alt+F1) is allotted to X.

Also, to find failed login attempts, check the /var/log/secure file, or
Code:
# utmpdump /var/log/btmp

Last edited by mddnix; 03-29-2014 at 10:11 AM.
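
The records that `utmpdump` and `last` display are fixed-size binary structures in /var/log/wtmp (and /var/log/btmp for failed logins). This added example, which is not from the thread, decodes them in Python and lists logins that carry a source address; it assumes the 384-byte glibc `struct utmp` layout of x86_64 Linux, and the sample records are constructed.

```python
import ipaddress
import struct
from datetime import datetime, timezone

# struct utmp on Linux/glibc x86_64 (384 bytes per record), little-endian.
UTMP = struct.Struct("<h2xi32s4s32s256shhiii16s20s")
USER_PROCESS = 7  # ut_type value for a user login session

def _text(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def _addr(raw):
    """ut_addr_v6: IPv4 sits in the first 4 bytes; all-zero means local."""
    if raw[4:] == bytes(12):
        return str(ipaddress.IPv4Address(raw[:4])) if raw[:4] != bytes(4) else None
    return str(ipaddress.IPv6Address(raw))

def parse_wtmp(data):
    """Yield one dict per complete record; a truncated tail is ignored."""
    for off in range(0, len(data) - UTMP.size + 1, UTMP.size):
        (typ, pid, line, _id, user, host, _term, _exit, _sess,
         sec, _usec, addr, _unused) = UTMP.unpack_from(data, off)
        yield {"type": typ, "pid": pid, "line": _text(line),
               "user": _text(user), "host": _text(host), "addr": _addr(addr),
               "time": datetime.fromtimestamp(sec, timezone.utc)}

def remote_logins(data):
    """(user, line, address) for login records that carry a source address."""
    return [(r["user"], r["line"], r["addr"]) for r in parse_wtmp(data)
            if r["type"] == USER_PROCESS and r["addr"]]

def _record(typ, pid, line, user, host, ip, sec):
    """Build one constructed record for the sample below."""
    addr = ipaddress.ip_address(ip).packed if ip else b""
    return UTMP.pack(typ, pid, line, line[-4:], user, host,
                     0, 0, 0, sec, 0, addr, b"")

# Constructed sample: one ssh login, one console login, a truncated tail.
SAMPLE = (_record(7, 2101, b"pts/0", b"root", b"192.168.0.103",
                  "192.168.0.103", 1395672540)
          + _record(7, 1650, b"tty1", b"root", b"", None, 1395672780)
          + b"\x07\x00")

if __name__ == "__main__":
    for row in remote_logins(SAMPLE):
        print(*row)
```

On a real system, pass the bytes read from /var/log/wtmp to `remote_logins` instead of `SAMPLE`.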
 
  


All times are GMT -5. The time now is 10:22 PM.