You want to discover unusual or dangerous usage of accounts on your system: dormant user accounts, recent logins to system accounts, etc.
To print information about the last login for each user:
$ lastlog [-u username]
To print the entire login history:
$ last [username]
To print failed login attempts:
$ lastb [username]
To enable recording of bad logins:
# touch /var/log/btmp # chown --reference=/var/log/wtmp /var/log/btmp # chmod --reference=/var/log/wtmp /var/log/btmp
Attackers look for inactive accounts that are still enabled, in the hope that intrusions will escape detection for long periods of time. If Joe retired and left the organization last year, will anyone notice if his account becomes compromised? Certainly not Joe! To avoid problems like this, examine all accounts on your system for unexpected usage patterns.
Linux systems record each user's last login time in the database /var/log/lastlog. The terminal (or X Window System display name) and remote system name, if any, are also noted. The lastlog command prints this information in a convenient, human-readable format.
A history of all logins and logouts (interspersed with system events like shutdowns, reboots, runlevel changes, etc.) is recorded in the log file /var/log/wtmp. The last command scans this log file to produce a report of all login sessions, in reverse chronological order, sorted by login time.
Failed login attempts can also be recorded in the log file /var/log/btmp, but this is not done by default. To enable recording of bad logins, create the btmp file manually, using the same owner, group, and permissions as for the wtmp file. The lastb command prints a history of bad logins.
The preceding methods do not scale well to multiple systems, so see our more general solution. [Recipe 9.6]
lastlog(1), last(1), lastb(1).