lastb
Show failed login attempts
TLDR
List last logged in users
List all last logged in users since a given time
List all last logged in users until a given time
List all logged in users at a specific time
List all last logged in users and translate the IP into a hostname
SYNOPSIS
lastb [options] [username...]
PARAMETERS
-a, --hostlast
Displays the hostname in the last column. This can be useful when the default output truncates long hostnames or when you want the hostname explicitly at the end.
-d, --dns
Translates IP addresses found in the log file back into their corresponding hostnames using DNS lookups. This makes the output more human-readable, though it can slow down the command execution.
-f, --file <file>
Instructs lastb to read data from the specified <file> instead of the default /var/log/btmp. This is useful for analyzing archived log files or custom log locations.
-F, --fulltimes
Prints full login and logout times and dates, including the year and seconds. By default, lastb might show a more condensed time format.
-i, --ip
Displays the IP address in the last column instead of the hostname. This is helpful for quick network identification or when DNS resolution is not desired.
-n, --limit <number> or -<number>
Limits the output to the specified <number> of lines (entries). This is useful for viewing only the most recent failed attempts.
-R, --nohostname
Suppresses the display of the hostname field in the output. This can simplify the output if the hostname information is not needed.
-s, --since <time>
Displays entries recorded since the specified <time>. The time can be specified in various formats, such as YYYYMMDDHHMMSS, YYYY-MM-DD HH:MM:SS, or relative formats like 'yesterday', 'now - 1 day', etc.
-t, --until <time>
Displays entries recorded up to the specified <time>. Similar to --since, the time can be in various absolute or relative formats.
-w, --fullnames
Displays full usernames and hostnames. This ensures that no names are truncated in the output, which can be useful for clarity.
DESCRIPTION
The lastb command displays a list of all unsuccessful (failed) login attempts on the system. It reads its information from the /var/log/btmp file, a binary log maintained by the system to record bad login attempts. This command is crucial for security auditing: it lets administrators see who tried to log in unsuccessfully, from where (IP address or hostname), and when. By analyzing failed login attempts, one can detect potential brute-force attacks or unauthorized access attempts. The output typically includes the username that attempted to log in, the terminal (TTY), the remote host or IP address from which the attempt was made, and the timestamp of the failed attempt. Unlike the last command, which tracks successful logins, lastb focuses specifically on security-relevant failed attempts.
CAVEATS
Requires read permissions for the /var/log/btmp file, which is typically restricted to the root user or members of a specific group (e.g., 'adm' or 'utmp').
The /var/log/btmp file can grow very large on systems experiencing frequent failed login attempts, potentially affecting the performance of lastb or consuming significant disk space.
The accuracy of the displayed information depends on the integrity of the btmp file and the proper functioning of the system's logging mechanisms.
Times displayed are based on the system's local time zone at the moment the log entry was recorded, not necessarily the current system time zone.
LOG FILE LOCATION
By default, lastb reads its information from the binary log file located at /var/log/btmp. This file is managed by the system and records all failed login attempts. It is not human-readable directly and should only be accessed via utilities like lastb.
SECURITY RELEVANCE
Monitoring lastb output is a critical security practice. A high volume of failed login attempts from a single IP address or against specific usernames can indicate a brute-force attack. Regular review of lastb can help identify unauthorized access attempts and inform security measures.
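The review described above can be scripted. The following is an added example, not part of util-linux or this page: it assumes the column layout that `lastb -i` prints (username, tty, source address, timestamp), skips the blank and "btmp begins" trailer lines, and aggregates attempts per source address and per targeted username so that a single noisy source or a heavily targeted account stands out. The sample input is constructed.

```shell
#!/bin/sh
# Aggregate `lastb -i` output to surface brute-force patterns.
# Assumption: column 1 is the username, column 3 the source address
# (the -i option prints the IP in that column); lines whose third field
# is not an address (local console failures, the trailer) are skipped.

# Constructed sample of `lastb -i` output, used here instead of /var/log/btmp.
SAMPLE_BTMP='root     ssh:notty    203.0.113.7      Mon Mar  4 02:11 - 02:11  (00:00)
root     ssh:notty    203.0.113.7      Mon Mar  4 02:11 - 02:11  (00:00)
admin    ssh:notty    203.0.113.7      Mon Mar  4 02:12 - 02:12  (00:00)
root     ssh:notty    203.0.113.7      Mon Mar  4 02:12 - 02:12  (00:00)
alice    ssh:notty    198.51.100.23    Mon Mar  4 09:40 - 09:40  (00:00)
root     ssh:notty    203.0.113.7      Mon Mar  4 02:13 - 02:13  (00:00)

btmp begins Mon Mar  4 00:00:01 2024'

# Print "count address" for every source with at least $1 failed attempts
# (default 5), busiest first. Reads lastb -i output on stdin.
noisy_sources() {
    awk -v t="${1:-5}" '
        NF < 3 || $1 == "btmp"          { next }   # blank line or trailer
        $3 !~ /^[0-9a-fA-F.:]+$/        { next }   # no address (console tty)
        { n[$3]++ }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
    ' | sort -rn
}

# Print "count username" for every account that saw failed attempts,
# most targeted first. Reads lastb -i output on stdin.
targeted_users() {
    awk '
        NF < 3 || $1 == "btmp" { next }
        { n[$1]++ }
        END { for (u in n) print n[u], u }
    ' | sort -rn
}

# Run the constructed sample through the source summary with threshold $1.
demo() {
    printf '%s\n' "$SAMPLE_BTMP" | noisy_sources "${1:-3}"
}

# Live use (reading /var/log/btmp normally requires root):
#   lastb -i --since yesterday | noisy_sources 10
#   lastb -i --since yesterday | targeted_users | head
```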
HISTORY
The lastb command is part of the util-linux project, a collection of essential Linux system utilities. It serves as a companion to the last command, both of which trace their lineage back to traditional Unix systems (System V). The concept of separate log files for successful (wtmp) and unsuccessful (btmp) logins, and utilities to parse them, has been a standard feature for system auditing and security for decades.