
lastb Command in Linux
lastb is a Linux command that is used to display a list of failed login attempts on the system. It reads the information from the /var/log/btmp file, which logs all unsuccessful login attempts. This command is helpful for system administrators who want to monitor and investigate unauthorized access attempts.
When you run the lastb command, you can see details such as username, terminal, date, time and the IP address from which the login attempt was made. This is vital for spotting potential security threats and implementing the appropriate measures to protect the system.
Syntax of lastb Command
The basic syntax for the Linux lastb command is as follows −
lastb [options] [username...] [tty...]
Where −
- [options] are various options used to customize the output.
- [username...] specify one or more usernames to filter the results.
- [tty...] specify one or more terminal types to filter the results.
lastb Command Options
The following are some lastb command options that can be used at any time −
Option | Description |
---|---|
-a, --hostlast | Show the hostname in the final column. This is particularly handy when used with the -d flag. |
-d, --dns | Convert the IP address back to its hostname for remote logins. |
-f file | Specify an alternative file in place of /var/log/btmp. |
-F, --fulltimes | Display complete login and logout timestamps. |
-i, --ip | Show the IP address using the standard dotted-decimal format. |
-n, --limit <num> | Display num lines. |
-R, --nohostname | Hide the hostname field from being displayed. |
-s, --since <time> | Show the login status starting from the specified time. |
-t, --until <time> | Show the login status until the specified time. |
-p, --present <time> | Show the login status as of the specified time. |
-w, --fullnames | Show the complete user and domain names in the results. |
-x, --system | Show entries related to system shutdowns and changes in run levels. |
Examples of lastb Command in Linux
Let's explore some practical examples of the lastb command on Linux −
1. List All Failed Login Attempts
The basic use of the lastb command is to view a list of all failed login attempts on the system. This list includes the usernames, terminal names, IP addresses, and the time of the failed attempts, which can be achieved via the following command −
sudo lastb
2. Display a Specific Number of Entries
If you want to limit the output to a specific number of entries, you can use the -n option followed by the desired number. This is useful when you only need to see a few recent failed login attempts. For example, to show the last 2 failed login attempts, use the command −
sudo lastb -n 2
3. Hide Hostnames
Sometimes, you might prefer not to display the hostname field in the output. This can be done using the -R option, which omits the hostname information. To hide hostnames, run the following command −
sudo lastb -R
4. Show Full Timestamps
To display the failed login times with their corresponding dates, you can use the -F option. This provides a more detailed timestamp for each failed attempt, which can be helpful for precise tracking. Use the command below to show full timestamps −
sudo lastb -F
5. Show Failed Login Attempts Since a Specific Date
If you want to filter the results to show only the failed login attempts since a specific date, you can use the --since option followed by the date. For example, to show failed login attempts since January 1, 2024, use the command −
sudo lastb --since 2024-01-01
6. Show Failed Login Attempts Until a Specific Date
Similarly, to filter the results to show only the failed login attempts up to a specific date, you can use the --until option followed by the date. For example, to show failed login attempts until January 1, 2024, use the command −
sudo lastb --until 2024-01-01
7. Show Failed Login Attempts from a Specific IP Address
The -i option takes no argument; it only makes lastb print the source of each remote attempt as an IP address in dotted-decimal format. To show failed login attempts from one address, pipe that output through grep. For example, to show failed login attempts from IP address 192.168.1.100, use the command −
sudo lastb -i | grep -wF 192.168.1.100
8. Show Failed Login Attempts and Translate IP Addresses into Hostnames
To display the failed login attempts and translate the IP addresses into hostnames, you can use the --dns option. This can be helpful for identifying the source of the failed attempts. Use the command −
sudo lastb --dns
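The options above can be combined into a simple triage step: take the output of lastb -i -F and rank remote sources by number of failures and by how many different usernames each one tried. The script below is an added example, not part of the original tutorial; the function names sample_lastb and top_sources and the sample rows are constructed for illustration:

```shell
#!/bin/sh
# Added example: rank the sources of failed logins listed by `lastb -i -F`.

# Constructed sample in the layout lastb prints (documentation-range
# addresses, not real log data). The tty1 line has no host column.
sample_lastb() {
cat <<'EOF'
root     ssh:notty    203.0.113.7      Mon Jan  1 10:00:01 2024 - Mon Jan  1 10:00:01 2024  (00:00)
admin    ssh:notty    203.0.113.7      Mon Jan  1 10:00:04 2024 - Mon Jan  1 10:00:04 2024  (00:00)
root     ssh:notty    203.0.113.7      Mon Jan  1 10:00:09 2024 - Mon Jan  1 10:00:09 2024  (00:00)
test     ssh:notty    203.0.113.7      Mon Jan  1 10:00:13 2024 - Mon Jan  1 10:00:13 2024  (00:00)
alice    ssh:notty    198.51.100.23    Mon Jan  1 09:40:11 2024 - Mon Jan  1 09:40:11 2024  (00:00)
root     ssh:notty    2001:db8::5      Mon Jan  1 09:31:02 2024 - Mon Jan  1 09:31:02 2024  (00:00)
root     ssh:notty    2001:db8::5      Mon Jan  1 09:31:06 2024 - Mon Jan  1 09:31:06 2024  (00:00)
root     ssh:notty    2001:db8::5      Mon Jan  1 09:31:10 2024 - Mon Jan  1 09:31:10 2024  (00:00)
alice    tty1                          Mon Jan  1 09:12:40 2024 - Mon Jan  1 09:12:40 2024  (00:00)

btmp begins Mon Jan  1 09:12:40 2024
EOF
}

# top_sources MIN: read lastb output on stdin and print
# "failures address distinct_usernames" for each remote source with at
# least MIN failures, busiest first.
top_sources() {
    min=${1:-3}
    awk -v min="$min" '
        NF < 3 { next }                               # blank lines
        # Keep only rows whose third field is an IPv4 or IPv6 address; this
        # drops local-console rows and the "btmp begins" trailer.
        $3 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $3 !~ /:/ { next }
        { fails[$3]++; if (!seen[$3, $1]++) users[$3]++ }
        END {
            for (ip in fails)
                if (fails[ip] >= min) print fails[ip], ip, users[ip]
        }
    ' | sort -rn
}

# On a live host: sudo lastb -i -F | top_sources 5
sample_lastb | top_sources 3
```

A source with many failures spread over several usernames points to username guessing, while many failures against a single account points to password guessing against that account.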
Conclusion
The lastb command is an essential tool for system administrators aiming to monitor failed login attempts and enhance system security. In this tutorial, we've explored its basic syntax, various options, and practical examples.
Whether you need to view all failed login attempts, filter by specific dates, or check the history for a particular user, lastb provides a robust and efficient solution. This command is invaluable for managing and auditing access attempts on Linux systems, and helps you maintain a secure and well-monitored environment.