LinuxCommandLibrary

lastb

Show failed login attempts

TLDR

List failed login attempts
$ sudo lastb

List failed login attempts since a given time
$ sudo lastb [-s|--since] YYYY-MM-DD

List failed login attempts until a given time
$ sudo lastb [-t|--until] YYYY-MM-DD

List failed login attempts recorded at a specific time
$ sudo lastb [-p|--present] hh:mm

List failed login attempts and translate the IP into a hostname
$ sudo lastb [-d|--dns]

SYNOPSIS

lastb [OPTION]... [NAME...]

PARAMETERS

-a, --hostlast
    Display hostname of remote host (implies -x)

-d, --dns
    Display DNS-resolved hostname (implies -a)

-F, --fulltimes
    Show full login times and dates

-i, --ip
    Display IP address of remote host

-n, --limit=NUM
    Limit to NUM lines read (default 10k)

-f, --file=FILE
    Read attempts from FILE (/var/log/btmp default)

-x, --system
    Display extended information

-h, --help
    Display help and exit

-V, --version
    Output version information and exit

DESCRIPTION

lastb is a Linux utility that examines the /var/log/btmp file to display records of failed login attempts. This binary log file, maintained by the system's authentication mechanisms like PAM or the shadow suite, records events such as incorrect passwords, invalid users, or authentication failures.

The output mimics the last command's format but focuses exclusively on bad logins. Each entry typically includes: the username, terminal (e.g., pts/0), remote host or IP, start time of the attempt, and duration if applicable. Entries are shown in reverse chronological order (newest first).

Key features include filtering by username, limiting output lines with -n, specifying alternate log files via -f, and enhancing host display with -a (hostname), -d (DNS-resolved), or -i (IP). -F provides full timestamps, while -x adds extended details.

Essential for security monitoring, lastb helps detect brute-force attacks, reconnaissance, or misconfigurations. It requires root privileges due to btmp's restrictive permissions (usually 0600 root:root). If no failed logins are recorded or the file is absent, output is empty.
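
As an added example (not part of the lastb documentation or the util-linux project), the shell function below turns `lastb -i` output into a per-source summary, so that an address with many failures or many distinct usernames stands out. The function names `top_sources` and `sample_lastb`, the default threshold and the sample records are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: rank remote sources of failed logins from `lastb -i`
# output read on stdin. Not code from the lastb or util-linux project.

# Constructed sample in the column layout `lastb -i` prints; not real data.
sample_lastb() {
cat <<'EOF'
root     ssh:notty    203.0.113.5      Fri Dec  1 12:34 - 12:34  (00:00)
admin    ssh:notty    203.0.113.5      Fri Dec  1 12:34 - 12:34  (00:00)
oracle   ssh:notty    203.0.113.5      Fri Dec  1 12:33 - 12:33  (00:00)
root     ssh:notty    203.0.113.5      Fri Dec  1 12:33 - 12:33  (00:00)
alice    ssh:notty    198.51.100.7     Fri Dec  1 09:10 - 09:10  (00:00)
alice    tty1                          Fri Dec  1 08:02 - 08:02  (00:00)

btmp begins Fri Dec  1 08:02:11 2023
EOF
}

# top_sources [MIN]: print "attempts source distinct_users" for every remote
# source with at least MIN failed attempts (default 3), busiest first.
top_sources() {
    awk -v min="${1:-3}" '
        # Skip blank lines and the "btmp begins ..." trailer.
        NF < 3 || $2 == "begins" { next }
        # No host column (local console attempt): field 3 is the weekday.
        $3 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/ { next }
        {
            attempts[$3]++
            # Count each username once per source to separate guessing
            # many accounts from hammering a single one.
            if (!(($3, $1) in seen)) { seen[$3, $1] = 1; users[$3]++ }
        }
        END {
            for (src in attempts)
                if (attempts[src] >= min)
                    print attempts[src], src, users[src]
        }
    ' | sort -k1,1nr -k2,2
}

# Demo on the constructed sample; on a live host: sudo lastb -i | top_sources 5
sample_lastb | top_sources 3
```
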

CAVEATS

Requires root privileges; /var/log/btmp is 0600 root:root. Empty output if no failed logins or file missing. Does not support time ranges or per-user limits like last.

DEFAULT OUTPUT EXAMPLE

user pts/0 192.168.1.1 Fri Dec 1 12:34 still logged in
(Shows username, TTY, host/IP, date/time)

FILE LOCATION

Primary: /var/log/btmp. Rotated as /var/log/btmp.1, etc., by logrotate.

HISTORY

Introduced in early util-linux (1990s) as companion to last; integrated from shadow-utils for bad login logging.

SEE ALSO

last(1), faillog(8), lastlog(8), utmpdump(1)
