LinuxQuestions.org


NotionCommotion 03-29-2014 06:39 AM

List of users that logged on and understanding last
 
I would like to view a list of who logged on to my server. I believe this information is stored in /var/log/wtmp, and accessible using the last command. I would like to better understand the information this log is reporting. Questions:
  1. Is last the correct way to view this information?
  2. How do I tell the IP of the remote user?
  3. What does pts/0 (or pts/1, 2) mean?
  4. tty1 is just terminal 1? Are there other terminals?
  5. Does "down" mean the user logged out?
  6. What does the "+1" mean in some of the time column records?

Thanks
Code:

[root@michaels UsmyNaerme]# last
UsmyNaer pts/0        192.168.0.103    Fri Mar 28 20:23  still logged in
UsmyNaer pts/2        192.168.0.103    Fri Mar 28 08:45 - 11:56  (03:11)
UsmyNaer pts/1        192.168.0.103    Fri Mar 28 06:06 - 10:55  (04:48)
UsmyNaer pts/0        192.168.0.103    Fri Mar 28 00:40 - 10:39  (09:59)
root    tty1                          Fri Mar 28 00:36  still logged in
reboot  system boot  2.6.32-431.5.1.e Fri Mar 28 00:35 - 20:27  (19:52)
root    tty1                          Fri Mar 28 00:28 - down  (00:05)
UsmyNaer pts/0        192.168.0.103    Thu Mar 27 20:41 - down  (03:52)
root    tty1                          Thu Mar 27 00:04 - 00:28 (1+00:24)
UsmyNaer pts/1        192.168.0.103    Wed Mar 26 23:38 - 00:07  (00:29)
UsmyNaer pts/0        192.168.0.103    Wed Mar 26 21:52 - 05:03  (07:11)
reboot  system boot  2.6.32-431.5.1.e Wed Mar 26 21:51 - 00:34 (1+02:43)
UsmyNaer pts/1        192.168.0.103    Wed Mar 26 21:10 - down  (00:40)
UsmyNaer pts/0        192.168.0.103    Wed Mar 26 19:49 - down  (02:01)
UsmyNaer pts/0        192.168.0.103    Tue Mar 25 19:24 - 01:12  (05:47)
UsmyNaer pts/0        192.168.0.103    Tue Mar 25 09:32 - 12:43  (03:10)
root    tty1                          Tue Mar 25 01:53 - down  (1+19:57)
UsmyNaer pts/0        192.168.0.103    Tue Mar 25 00:39 - 03:45  (03:06)
reboot  system boot  2.6.32-431.5.1.e Tue Mar 25 00:38 - 21:50 (1+21:12)
UsmyNaer pts/0        192.168.0.103    Mon Mar 24 20:36 - down  (04:01)
UsmyNaer pts/1        192.168.0.103    Mon Mar 24 11:08 - 14:19  (03:11)
UsmyNaer pts/0        192.168.0.103    Mon Mar 24 11:00 - 11:24  (00:24)
root    tty1                          Mon Mar 24 10:56 - down  (13:40)
root    tty1                          Mon Mar 24 10:53 - 10:56  (00:03)
root    pts/0        192.168.0.103    Mon Mar 24 10:49 - 10:56  (00:07)
root    pts/0        192.168.0.109    Mon Mar 24 01:45 - 01:47  (00:02)
root    pts/2        192.168.0.103    Mon Mar 24 01:34 - 02:45  (01:10)
root    pts/1        192.168.0.104    Sun Mar 23 23:23 - 03:45  (04:21)
root    pts/0        192.168.0.103    Sun Mar 23 23:10 - 01:37  (02:26)
reboot  system boot  2.6.32-431.5.1.e Sun Mar 23 22:53 - 00:37 (1+01:44)
root    pts/0        192.168.0.103    Sun Mar 23 20:51 - down  (02:01)
root    pts/0        192.168.0.103    Sun Mar 23 05:54 - 10:25  (04:30)
root    pts/0        192.168.0.103    Sun Mar 23 00:17 - 05:28  (05:11)
root    tty1                          Sat Mar 22 02:08 - down  (1+20:44)
reboot  system boot  2.6.32-431.el6.x Sat Mar 22 00:41 - 22:52 (1+22:11)

wtmp begins Sat Mar 22 00:41:20 2014
[root@michaels UsmyNaerme]#


allend 03-29-2014 08:05 AM

Quote:

I would like view a list of who logged on to my server.
You can also use the 'w' command.

You can look at network connections using the 'netstat' command.

pts refers to pseudo terminals (i.e. not hardware). In your listing they are probably shells opened in a GUI.

tty1 is the first terminal. You probably also have tty2 to tty6. If you use Alt-F[2-6] in tty1, you will probably get tty[2-6].

down means that system has gone down, probably for reboot.

The +1 means to add a day, i.e. 24 hours.

Quote:

root tty1 Thu Mar 27 00:04 - 00:28 (1+00:24)
So you had a root shell open on the primary terminal for over 24 hours. Not a good practice from a security point of view.
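As an added example (not from the thread), a small Python parser for lines in the format `last` prints: it converts the "1+HH:MM" durations into minutes, keeps the "down" and "still logged in" endings, lists the host column per account, and flags root logins held open longer than 24 hours, the habit allend warns against. The sample lines are constructed to match the listing's format.

```python
import re
# Constructed sample in the format `last` prints, modelled on the thread's listing.
SAMPLE_LAST = """\
UsmyNaer pts/0        192.168.0.103    Fri Mar 28 20:23  still logged in
UsmyNaer pts/2        192.168.0.103    Fri Mar 28 08:45 - 11:56  (03:11)
root     tty1                          Fri Mar 28 00:28 - down   (00:05)
root     tty1                          Thu Mar 27 00:04 - 00:28 (1+00:24)
reboot   system boot  2.6.32-431.5.1.e Fri Mar 28 00:35 - 20:27  (19:52)
wtmp begins Sat Mar 22 00:41:20 2014
"""
# user, line ("system boot" for reboots), optional host (absent for a local tty), start, then "still logged in" or "- END (DURATION)"
LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<line>\S+(?: boot)?)\s+(?:(?P<host>\S+)\s+)?"
    r"(?P<start>\w{3} \w{3} +\d{1,2} \d{2}:\d{2})\s+"
    r"(?:(?P<still>still logged in)|-\s+(?P<end>\S+)\s+\((?P<dur>[^)]+)\))")

def parse_duration(dur):
    """'03:11' -> 191 minutes; '1+00:24' -> 1464 (the '1+' prefix is whole days)."""
    days = 0
    if "+" in dur:
        days, dur = dur.split("+", 1)
        days = int(days)
    hh, mm = dur.split(":")
    return days * 1440 + int(hh) * 60 + int(mm)

def parse_last(text):
    """Parse `last` output; blank lines and the 'wtmp begins' footer are skipped."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        rec = m.groupdict()
        rec["still"] = rec["still"] is not None
        rec["minutes"] = None if rec["still"] else parse_duration(rec["dur"])
        records.append(rec)                  # rec["end"] == "down": ended by shutdown
    return records

def long_root_sessions(records, limit_minutes=24 * 60):
    """Root logins held open longer than the limit, the habit allend flagged."""
    return [(r["line"], r["minutes"]) for r in records if r["user"] == "root"
            and r["minutes"] is not None and r["minutes"] > limit_minutes]

def hosts_by_user(records):
    """Remote addresses each account logged in from (host column; none for tty1)."""
    out = {}
    for r in records:
        if r["user"] != "reboot":
            out.setdefault(r["user"], set()).update({r["host"]} - {None})
    return out
```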

NotionCommotion 03-29-2014 08:34 AM

Thanks allend,

Good point about having root open for over 24 hours. This is just a test server for learning purposes, and I will flatten in a couple of days and start over. That being said, no use getting in bad habits.

Both 'last' and 'w' don't show the remote user's IP. How is this done? Or would I see something different than 192.168.0.103 if I was remote?

In regards to 'netstat', should it be replaced by 'ss'? Also, what do the foreign IP connections mean which I show below in bold?

Thanks


[root@michaels myUserName]# ss
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 127.0.0.1:48938 127.0.0.1:6379
....
ESTAB 0 0 192.168.0.215:ssh 114.111.161.23:40312
....
ESTAB 0 52 192.168.0.215:ssh 192.168.0.103:62488
....
ESTAB 0 0 127.0.0.1:6379 127.0.0.1:49188

[root@michaels myUserName]# netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 newlaptop.michaels.lan:ssh 218.51.174.61.dial.w:nimreg TIME_WAIT
....
tcp 0 840 newlaptop.michaels.lan:ssh 218.51.174.61.dial.w:sabams ESTABLISHED
tcp 0 0 newlaptop.michaels.lan:ssh 192.168.0.103:62488 ESTABLISHED
....
tcp 0 0 newlaptop.michaels.lan:ssh 114.111.161.23:50824 ESTABLISHED
....
tcp 0 0 localhost:6379 localhost:49188 ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ] DGRAM 9390 @/org/kernel/udev/udevd
....
[root@michaels myUserName]#

allend 03-29-2014 08:52 AM

You are getting similar information from 'ss' as you can get from 'netstat'.
Quote:

ESTAB 0 0 192.168.0.215:ssh 114.111.161.23:40312
....
ESTAB 0 52 192.168.0.215:ssh 192.168.0.103:62488
That output is showing a connection from port 40312 on a remote host with IP address 114.111.161.23 to the ssh port (port 22) on the local host with IP address 192.168.0.215.
There is also a connection from port 62488 on a remote host with IP address 192.168.0.103 to the ssh port (port 22) on the local host with IP address 192.168.0.215.

unSpawn 03-29-2014 08:53 AM

Quote:

Originally Posted by NotionCommotion (Post 5143254)
(..) no use getting in bad habits.

Commendable.


Quote:

Originally Posted by NotionCommotion (Post 5143254)
Both 'last' and 'w' both don't show the remote user's IP. How is this done?

With 'last', use the "-wai" switches.


Quote:

Originally Posted by NotionCommotion (Post 5143254)
In regards to 'netstat', should it be replaced by 'ss'?

Whatever your system offers, I'd say. Since you're into good habits, ensure to always avoid resolving names, networks, addresses, ports, services and such. Not only does it give you a much clearer view of output, it's also way faster.


Quote:

Originally Posted by NotionCommotion (Post 5143254)
Also, what do the foreign IP connections mean which I show below in bold?

To add to what allend said: TCP allows a connection between end points, so for example for a SSH connection you'd see an ephemeral port on your side and port TCP/22 on the server side. With netstat under Linux I always use the "-antupe" switches BTW (check the output's process IDs / application names).

Madhu Desai 03-29-2014 09:53 AM

Quote:

Originally Posted by NotionCommotion (Post 5143222)
  1. Is last the correct way to view this information?
  2. How do I tell the IP of the remote user?
  3. What does pts/0 (or pts/1, 2) mean?
  4. tty1 is just terminal 1? Are there other terminals?

  1. Yes. But there is also another way:
    Code:

    # utmpdump /var/log/wtmp
  2. From the previous command's 6th column. Some other ways to check active connections:
    Code:

    # echo $SSH_CONNECTION
    # w
    # pinky
    # netstat -n | grep ':22'
    # lsof -i :ssh

  3. As allend already mentioned, it stands for pseudo terminal slave. The difference between TTY and PTS is the type of connection to the computer. TTY ports are direct connections to the computer such as a keyboard/mouse or a serial connection to the device. PTS connections are SSH connections or telnet connections. All of these connections can connect to a shell which will allow you to issue commands to the computer. Source: TTY vs PTS

  4. By default there are 12 ttys as mentioned in file /etc/securetty, but only 6 (1-6) are made available, which can be changed by editing /etc/init/start-ttys.conf. In RHEL tty1 (ctrl+alt+F1) is allotted to X.

Also, to find failed login attempts, check the /var/log/secure file, or
Code:

# utmpdump /var/log/btmp
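As an added example (not from the thread), this Python reads wtmp records directly, the same binary data `utmpdump` decodes, and shows where the remote address lives in each record: the ut_host string and the numeric ut_addr_v6 field. It assumes the glibc `struct utmp` layout on x86_64 Linux (384-byte records); the records it parses are constructed inside the block and the kernel string is a placeholder.

```python
import socket, struct
# glibc `struct utmp` on x86_64 Linux: 384 bytes, little-endian, two pad bytes
# after ut_type, fields in <utmp.h> order; ut_addr_v6 carries the peer IP.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)            # 384
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8
_cstr = lambda b: b.split(b"\0", 1)[0].decode("utf-8", "replace")
def _addr(words):
    """ut_addr_v6: all zero for a local tty, word 0 for IPv4, all four for IPv6."""
    if not any(words[1:]):
        return socket.inet_ntoa(struct.pack("<i", words[0])) if words[0] else ""
    return socket.inet_ntop(socket.AF_INET6, struct.pack("<4i", *words))

def parse_wtmp(data):
    """Decode raw wtmp bytes (what `utmpdump` reads) into event dicts."""
    events = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        events.append({"type": f[0], "pid": f[1], "line": _cstr(f[2]),
                       "user": _cstr(f[4]), "host": _cstr(f[5]),
                       "time": f[9], "ip": _addr(f[11:15])})
    return events

def sessions(events):
    """Pair logins with the next logout on the same line, as `last` does; a boot
    record closes every session still open (what `last` prints as 'down')."""
    opened, out = {}, []
    for e in events:
        if e["type"] == USER_PROCESS:
            opened[e["line"]] = e
        elif e["type"] == DEAD_PROCESS and e["line"] in opened:
            s = opened.pop(e["line"])
            out.append((s["user"], s["line"], s["ip"], e["time"] - s["time"], "logout"))
        elif e["type"] == BOOT_TIME:
            out += [(s["user"], s["line"], s["ip"], e["time"] - s["time"], "down")
                    for s in opened.values()]
            opened.clear()
    return out + [(s["user"], s["line"], s["ip"], None, "still logged in")
                  for s in opened.values()]

def make_record(ut_type, pid, line, user, host, sec, ip=""):
    # Constructed demo record in the same layout (not taken from a real wtmp).
    words = struct.unpack("<i", socket.inet_aton(ip)) + (0, 0, 0) if ip else (0,) * 4
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, sec, 0, *words)
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, 4242, "pts/0", "UsmyNaer", "192.168.0.103", 1396055000, "192.168.0.103"),
    make_record(DEAD_PROCESS, 4242, "pts/0", "", "", 1396058600),
    make_record(USER_PROCESS, 1001, "tty1", "root", "", 1396060000),
    make_record(BOOT_TIME, 0, "~", "reboot", "kernel-version-placeholder", 1396070000)])
```

To run it against a real file, pass `open("/var/log/wtmp", "rb").read()` to `parse_wtmp`; the same parser reads /var/log/btmp, where failed logins are recorded.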

