lastb is a command-line tool that shows a listing of last logged in users, specifically for failed login attempts. It is a part of the syslog package and it reads the binary file that contains the list of failed login attempts, usually located at /var/log/btmp.
The lastb command provides a list of all the failed login attempts on the system, including the date and time of the attempt, the username used, and the IP address or hostname of the remote system that attempted to log in. The output can be useful for security purposes, as it can help identify potential intrusion attempts or malicious activity.
By default, the lastb command will show the most recent failed login attempts. You can also specify a time range or a specific username to filter the output. By using the -f option, you can specify a different location of the btmp file. It’s worth noting that the btmp file only keeps track of failed login attempts. Successful login attempts are recorded in the /var/log/wtmp file, and can be displayed with the last command.
lastb Command Examples
1. Show a list of all last logged in users:
# sudo lastb
2. Show a list of all last logged in users since a given time:
# sudo lastb --since YYYY-MM-DD
3. Show a list of all last logged in users until a given time:
# sudo lastb --until YYYY-MM-DD
4. Show a list of all logged in users at a specific time:
# sudo lastb --present hh:mm
5. Show a list of all last logged in users and translate the IP into a hostname:
# sudo lastb --dns
In summary, lastb is a useful command-line tool for security administrators and system administrators who need to monitor failed login attempts on a Linux system. It can help identify potential security breaches and take appropriate action.