Find last failed login user
Introduction
In Linux, it’s important to keep track of user logins for security purposes. Sometimes, you may need to check the last successful or failed login for a user. In this blog post, we will discuss three ways to check the last successful/failed login user in Linux.
View current system login users
w
who
Check successful login history records
The last command is used to display a log of all successful and unsuccessful logins for a user. To check the last successful login for a user, run the following command:
last -n
Check history records of failed login attempts
lastb -n
Display login information for each user
The lastlog command is used to display recent login information for all users. It reads from the /var/log/lastlog file, which contains the last login information for each user. To check the last successful login user, run the following command:
lastlog
utmpdump /var/log/wtmp
who /var/log/wtmp
Last Failed Login User
To find the last failed login user, you can use the lastb command in Linux. The lastb command shows all failed login attempts, along with the time and source IP address. The following command will display the last failed login user:
sudo lastb -i | head -1
This command will show the most recent failed login attempt, along with the source IP address and username.
Source IP Address
To find the source IP address of failed login attempts, you can use the lastb command with the -i option. This option displays the IP address of the system from which the login attempt was made. The following command will show the source IP address of the most recent failed login attempt:
sudo lastb -i | awk '{print $3}' | head -1
This command will display the source IP address of the most recent failed login attempt.
Combining Both
To combine both commands to display the last failed login user with source IP address, you can use the following command:
sudo lastb -i | head -1 | awk '{print "User:", $1, "Source IP:", $3}'
This command will display the last failed login user with source IP address.
Reference command
sudo lastb |grep ssh \
|awk '{ count[$3]++} END{ for(ip in count) print ip, ": " count[ip]}' \
|sort -nrk 3
Conclusion
Checking the last successful/failed login user in Linux is an important security measure that can help identify unauthorized access to the system. By using the last and lastb commands, you can easily check the login history of all users or a specific user. Keep in mind that this information is only available for a limited time and may not be available if the logs have been cleared. By following the steps outlined in this blog post, you can easily check the last successful/failed login user in Linux.