
The Geek Diary

How to check failed or bad login attempts in Linux

by admin

Invalid login attempts can be tracked using the lastb command, provided the file /var/log/wtmp is present. Some possible causes of incorrect or bad login attempts are given below:

  • A wrong password was entered during login because of a typo.
  • The password was changed for a user that a cron job uses to connect via ssh.
  • A hacker is trying to connect using random / common user IDs.

A failed attempt is also reported in the message shown at the next successful login:

Last login: Sat Apr 21 16:24:24 UTC 2018 on pts/3
Last failed login: Sat Apr 21 17:44:04 UTC 2018 from 185.189.58.212.ptr.cy4n.net on ssh:notty
There was 1 failed login attempt since the last successful login.

Sample output of the lastb command is given below.

# lastb -a | more
admin    ssh:notty    Sat Apr 21 17:44 - 17:44  (00:00)     185.189.58.212.ptr.cy4n.net
admin    ssh:notty    Sat Apr 21 17:44 - 17:44  (00:00)     185.189.58.212.ptr.cy4n.net
admin    ssh:notty    Sat Apr 21 17:44 - 17:44  (00:00)     185.189.58.212.ptr.cy4n.net
admin    ssh:notty    Sat Apr 21 17:44 - 17:44  (00:00)     185.189.58.212.ptr.cy4n.net
...

The commands last and lastb search back through the file /var/log/wtmp (or the file designated by the -f flag) and display a list of all users logged in (and out) since that file was created. You can touch this file if it's not already present.

# touch /var/log/wtmp

Both last and lastb report the contents of /var/log/wtmp. The default is to report month, day, and time of the event. However, there may be multiple years of data in that file, and the month/day can be confusing. The -F flag will report the full date:

# lastb -F | more
user     ssh:notty    1.186.112.64     Sun Apr 22 03:49:47 2018 - Sun Apr 22 03:49:47 2018  (00:00)    
user     ssh:notty    1.186.112.64     Sun Apr 22 03:49:44 2018 - Sun Apr 22 03:49:44 2018  (00:00)    
user     ssh:notty    1.186.112.64     Sun Apr 22 03:49:40 2018 - Sun Apr 22 03:49:40 2018  (00:00)  
...

Note: The accounting system on your computer keeps track of user usage statistics, which are kept in the current /var/log/wtmp file. That file is managed by the init and login processes.
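
To tell apart the causes listed at the top of the article (a one-off typo, a stale password in a cron job, someone guessing user IDs), the lastb -F output can be grouped by source host. The shell function below is an added example, not part of the original article; the threshold, the verdict labels and the sample lines (documentation-range addresses) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: summarise `lastb -F` output per source host.
# Output columns: source  attempts  distinct-users  verdict

summarize_failed_logins() {
    # $1 = attempts from one source needed before it is flagged (assumed default: 3)
    awk -v min="${1:-3}" '
        NF < 4 || $2 == "begins" { next }   # blank lines, "..." and the "<file> begins" trailer
        {
            # With -F, field 3 is the remote host. Console failures have no host,
            # so field 3 is already the weekday of the timestamp.
            src = ($3 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) ? "local" : $3
            attempts[src]++
            if (!((src, $1) in seen)) { seen[src, $1] = 1; users[src]++ }
        }
        END {
            for (s in attempts) {
                verdict = "ok"
                if (attempts[s] >= min)
                    verdict = (users[s] > 1) ? "many-users" : "repeated"
                printf "%s %d %d %s\n", s, attempts[s], users[s], verdict
            }
        }' | sort -k2,2nr -k1,1
}

# Constructed sample in the `lastb -F` layout (hypothetical users and hosts).
sample_lastb_output() {
    cat <<'EOF'
root     ssh:notty    203.0.113.7      Sun Apr 22 03:49:47 2018 - Sun Apr 22 03:49:47 2018  (00:00)
admin    ssh:notty    203.0.113.7      Sun Apr 22 03:49:44 2018 - Sun Apr 22 03:49:44 2018  (00:00)
oracle   ssh:notty    203.0.113.7      Sun Apr 22 03:49:40 2018 - Sun Apr 22 03:49:40 2018  (00:00)
backup   ssh:notty    198.51.100.20    Sun Apr 22 02:00:01 2018 - Sun Apr 22 02:00:01 2018  (00:00)
backup   ssh:notty    198.51.100.20    Sun Apr 22 01:00:01 2018 - Sun Apr 22 01:00:01 2018  (00:00)
backup   ssh:notty    198.51.100.20    Sun Apr 22 00:00:01 2018 - Sun Apr 22 00:00:01 2018  (00:00)
backup   ssh:notty    198.51.100.20    Sat Apr 21 23:00:01 2018 - Sat Apr 21 23:00:01 2018  (00:00)
alice    tty1                          Sat Apr 21 09:12:30 2018 - Sat Apr 21 09:12:30 2018  (00:00)

btmp begins Sun Apr  1 03:12:01 2018
EOF
}

# On a live system: lastb -F | summarize_failed_logins 5
sample_lastb_output | summarize_failed_logins 3
```

A source marked "repeated" retries a single account, which fits a stale stored password; "many-users" means several account names were tried from one host.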

© 2023 · The Geek Diary
