7.17 last:显示用户登录列表
7.17.1 命令详解
【命令星级】 ★★★★★
【功能说明】
last命令能够从日志文件/var/log/wtmp读取信息并显示用户最近的登录列表。
【语法格式】
last [option]
last [选项]
**说明:**在last命令以及后面的选项里,每个元素直接都至少要有一个空格。
【选项说明】
表7-18针对该命令的参数选项进行了说明。
表7-18 last命令的参数选项及说明
7.17.2 使用范例
**范例7-31:**显示用户最近登录的列表。
[root@centos7 ~]# last #会显示很多行
root pts/1 10.0.0.1 Sun Oct 25 22:03 still logged in
root pts/1 10.0.0.1 Sun Oct 25 21:57 - 21:57 (00:00)
root pts/1 10.0.0.1 Sun Oct 25 21:57 - 21:57 (00:00)
root pts/0 10.0.0.1 Sun Oct 25 15:00 still logged in
reboot system boot 3.10.0-1127.19.1 Sun Oct 25 14:57 - 22:11 (07:13)
root pts/2 10.0.0.1 Sat Oct 24 21:57 - down (00:41)
root pts/0 10.0.0.1 Sat Oct 24 20:52 - down (01:46)
root pts/0 10.0.0.1 Sat Oct 24 20:52 - 20:52 (00:00)
root pts/0 10.0.0.1 Sat Oct 24 20:49 - 20:52 (00:03)
root pts/1 10.0.0.1 Sat Oct 24 20:49 - down (01:49)
reboot system boot 3.10.0-1127.19.1 Sat Oct 24 20:49 - 22:39 (01:50)
root pts/1 10.0.0.1 Sat Oct 24 20:48 - crash (00:01)
root pts/1 10.0.0.1 Sat Oct 24 20:46 - 20:47 (00:01)
root pts/1 10.0.0.1 Sat Oct 24 20:44 - 20:46 (00:01)
root pts/0 10.0.0.1 Sat Oct 24 20:44 - crash (00:04)
reboot system boot 3.10.0-1127.19.1 Sat Oct 24 20:44 - 22:39 (01:55)
root pts/0 10.0.0.1 Sat Oct 24 20:42 - down (00:01)
root pts/0 10.0.0.1 Sat Oct 24 20:42 - 20:42 (00:00)
root pts/0 10.0.0.1 Sat Oct 24 20:37 - 20:42 (00:04)
root pts/1 10.0.0.1 Sat Oct 24 15:52 - down (04:51)
root pts/0 10.0.0.1 Sat Oct 24 15:45 - 20:37 (04:52)
reboot system boot 3.10.0-1127.19.1 Sat Oct 24 15:44 - 20:44 (04:59)
root pts/0 10.0.0.1 Sat Oct 24 15:43 - down (00:00)
root pts/0 10.0.0.1 Sat Oct 24 14:10 - 15:43 (01:33)
reboot system boot 3.10.0-1127.19.1 Sat Oct 24 14:09 - 15:44 (01:35)
root pts/1 10.0.0.1 Fri Oct 23 15:40 - crash (22:28)
root pts/0 10.0.0.1 Fri Oct 23 14:30 - 22:20 (07:49)
reboot system boot 3.10.0-1127.19.1 Fri Oct 23 14:28 - 15:44 (1+01:16)
root pts/0 10.0.0.1 Wed Oct 21 13:22 - 21:40 (08:18)
reboot system boot 3.10.0-1127.19.1 Wed Oct 21 13:21 - 21:40 (08:19)
root pts/0 10.0.0.1 Tue Oct 20 20:02 - crash (17:19)
root pts/0 10.0.0.1 Tue Oct 20 19:29 - 19:42 (00:13)
root tty1 Tue Oct 20 19:26 - 20:03 (00:36)
reboot system boot 3.10.0-1127.19.1 Tue Oct 20 19:24 - 21:40 (1+02:16)
root pts/0 10.0.0.1 Tue Oct 20 19:11 - down (00:00)
root pts/0 10.0.0.1 Tue Oct 20 19:00 - 19:04 (00:04)
root pts/0 10.0.0.1 Tue Oct 20 18:53 - 18:59 (00:06)
root pts/0 10.0.0.1 Tue Oct 20 18:38 - 18:53 (00:15)
root pts/0 10.0.0.1 Tue Oct 20 18:35 - 18:38 (00:02)
root pts/1 10.0.0.1 Tue Oct 20 18:25 - 18:27 (00:01)
root pts/0 10.0.0.1 Tue Oct 20 18:25 - 18:25 (00:00)
root pts/0 10.0.0.1 Tue Oct 20 17:33 - 18:09 (00:36)
reboot system boot 3.10.0-1127.el7. Tue Oct 20 17:32 - 19:11 (01:38)
root pts/0 10.0.0.1 Tue Oct 20 17:28 - 17:32 (00:04)
reboot system boot 3.10.0-1127.el7. Tue Oct 20 17:27 - 17:32 (00:04)
root pts/1 10.0.0.1 Tue Oct 20 17:08 - down (00:00)
root pts/0 10.0.0.1 Tue Oct 20 17:01 - 17:08 (00:06)
root tty1 Tue Oct 20 17:01 - 17:08 (00:07)
reboot system boot 3.10.0-1127.el7. Tue Oct 20 17:01 - 17:08 (00:07)
root tty1 Tue Oct 20 16:48 - 17:00 (00:12)
root tty1 Tue Oct 20 16:44 - 16:48 (00:04)
root pts/0 10.0.0.1 Tue Oct 20 16:41 - crash (00:19)
reboot system boot 3.10.0-1127.el7. Tue Oct 20 16:37 - 17:08 (00:30)
wtmp begins Tue Oct 20 16:37:54 2020
[root@centos7 ~]# last -10 #指定显示行数,也可以通过管道配合less命令。
root pts/1 10.0.0.1 Sun Oct 25 22:03 still logged in
root pts/1 10.0.0.1 Sun Oct 25 21:57 - 21:57 (00:00)
root pts/1 10.0.0.1 Sun Oct 25 21:57 - 21:57 (00:00)
root pts/0 10.0.0.1 Sun Oct 25 15:00 still logged in
reboot system boot 3.10.0-1127.19.1 Sun Oct 25 14:57 - 22:11 (07:13)
root pts/2 10.0.0.1 Sat Oct 24 21:57 - down (00:41)
root pts/0 10.0.0.1 Sat Oct 24 20:52 - down (01:46)
root pts/0 10.0.0.1 Sat Oct 24 20:52 - 20:52 (00:00)
root pts/0 10.0.0.1 Sat Oct 24 20:49 - 20:52 (00:03)
root pts/1 10.0.0.1 Sat Oct 24 20:49 - down (01:49)
wtmp begins Tue Oct 20 16:37:54 2020
**范例7-32:**显示指定用户的登录情况。
[root@centos7 ~]# last neteagle #显示neteagle用户的登录情况,但是neteagle用户没有登录过,因此显示为空。
wtmp begins Tue Oct 20 16:37:54 2020
7.18 lastb:显示用户登录失败的记录
7.18.1 命令详解
【命令星级】 ★★★★★
【功能说明】
lastb命令可以从日志文件/var/log/btmp中读取信息,并显示用户登录失败的记录
【语法格式】
lastb [option]
lastb [选项]
**说明:**在lastb命令以及后面的选项里,每个元素直接都至少要有一个空格。
【选项说明】
表7-19针对该命令的参数选项进行了说明。
表7-19 lastb命令的参数选项及说明
7.18.2 使用范例
**范例7-33:**显示用户登录失败的列表。
[root@centos7 ~]# lastb #需要多加注意这个命令执行的结果,如果发现未知的登录失败信息,那就要考虑系统是否遭到暴力破解登录。
stu10 pts/0 Sun Oct 25 21:12 - 21:12 (00:00)
stu09 pts/0 Sun Oct 25 20:56 - 20:56 (00:00)
stu10 pts/0 Sun Oct 25 20:55 - 20:55 (00:00)
stu10 pts/0 Sun Oct 25 20:55 - 20:55 (00:00)
stu10 pts/0 Sun Oct 25 20:54 - 20:54 (00:00)
btmp begins Sun Oct 25 20:54:58 2020
7.19 lastlog:显示所有用户的最近登录记录
7.19.1 命令详解
【命令星级】 ★★★★★
【功能说明】
lastlog命令从日志文件/var/log/lastlog中读取信息,并显示所有用户的最近登录记录,用于查看系统是否有异常登录。
7.19.2 使用范例
**范例7-34:**显示所有用户的最近登录记录。
[root@centos7 ~]# lastlog
Username Port From Latest
root pts/1 10.0.0.1 Sun Oct 25 22:03:33 +0800 2020
bin **Never logged in** #从未登录过的用户的显示。
daemon **Never logged in**
adm **Never logged in**
lp **Never logged in**
sync **Never logged in**
shutdown **Never logged in**
halt **Never logged in**
mail **Never logged in**
operator **Never logged in**
games **Never logged in**
ftp **Never logged in**
nobody **Never logged in**
systemd-network **Never logged in**
dbus **Never logged in**
polkitd **Never logged in**
tss **Never logged in**
abrt **Never logged in**
sshd **Never logged in**
postfix **Never logged in**
tcpdump **Never logged in**
neteagle pts/0 Wed Oct 21 20:26:27 +0800 2020
nginx **Never logged in**
ett **Never logged in**
tingting **Never logged in**
inca **Never logged in**
stu01 **Never logged in**
stu02 **Never logged in**
stu03 **Never logged in**
stu04 **Never logged in**
stu05 **Never logged in**
stu06 **Never logged in**
stu07 **Never logged in**
stu08 pts/0 Sun Oct 25 21:12:09 +0800 2020
stu09 **Never logged in**
stu10 **Never logged in**
#当从不登录的系统用户突然登录了,就要怀疑是否有用户侵入系统了。