lastb

The lastb command is a commonly used security utility on Linux/Unix-like operating systems: it shows a listing of the last bad (failed) login attempts.

Quick Reference

Command Name: lastb
Category: security
Platform: Linux/Unix
Basic Usage: lastb [options] [arguments]

Common Use Cases

    Syntax

    lastb [options] [username...] [tty...]

    Options

    Option                    Description
    -a, --hostlast            Display the hostname in the last column
    -d, --dns                 Translate IP addresses to hostnames
    -f, --file file           Use the specified file instead of /var/log/btmp
    -F, --fulltimes           Print full login and logout times and dates
    -i, --ip                  Display IP addresses instead of hostnames
    -n, --limit N             Show only the last N entries
    -R, --nohostname          Don't display the hostname field
    -s, --since time          Display entries since the specified time
    -t, --until time          Display entries until the specified time
    -w, --fullnames           Display full user and domain names
    --time-format format      Show timestamps in the specified format
    -h, --help                Display the help message
    -V, --version             Display version information

    Examples

    Basic Examples

    lastb
        Show all recent failed login attempts.

    lastb -n 10
        Show only the last 10 failed login attempts.

    lastb john
        Show recent failed login attempts for user 'john'.

    Advanced Examples

    lastb -F
        Show full timestamps for failed login times.

    lastb -a
        Display the hostname in the last column.

    lastb -i
        Show IP addresses instead of hostnames.

    lastb -f /var/log/btmp.1
        Show failed login information from an alternate (here, rotated) file.

    lastb -s 2023-01-01 -t 2023-01-31
        Show failed logins between Jan 1 and Jan 31, 2023.

    lastb -R
        Don't display the hostname field.

    lastb -w
        Display full user and domain names.

    Notes

    The lastb command is a security utility that displays information about failed login attempts on a system. It reads the btmp log file, which records unsuccessful authentication attempts, and so gives system administrators a crucial tool for monitoring and responding to potential security threats.

    Key features of the lastb command:

    1. Security Monitoring: lastb helps detect brute-force attacks, credential stuffing attempts, and other unauthorized access attempts by showing patterns of failed logins.
    2. User Account Auditing: By filtering results by username, administrators can identify compromised or targeted user accounts that may require additional security measures.
    3. Forensic Analysis: After a security incident, lastb can provide evidence of intrusion attempts, including timing, source IP addresses, and targeted accounts.
    4. Time Range Filtering: With options like --since and --until, administrators can focus on specific time periods when investigating suspicious activity.
    5. Format Flexibility: lastb offers various display formats, including full timestamps, IP address display, and customizable output, making it adaptable to different analysis needs.
    6. Historical Data Access: The ability to read from alternate btmp files (including rotated logs) allows historical analysis beyond the current log file.
    7. Integration with Security Tools: lastb can be incorporated into security scripts and monitoring systems to provide automated alerts for unusual failed login patterns.

    Common use cases for the lastb command include:

    - Identifying potential brute-force attacks against SSH or other services
    - Monitoring for unauthorized access attempts
    - Investigating suspicious login activity
    - Creating security reports and audit trails
    - Setting up intrusion detection alerts based on failed login thresholds
    - Tracking down compromised credentials
    - Security compliance and audit documentation

    lastb is essentially the same as the last command but reads from the btmp file (failed logins) instead of the wtmp file (successful logins). The btmp file is usually readable only by root or users with sufficient privileges, as it contains sensitive security information. System administrators should regularly review the output of lastb as part of their security monitoring practices, particularly on internet-facing systems that may be subject to constant probing and authentication attempts from potential attackers.
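    Feature 7 and the threshold-alert use case above, as an added example that is not part of the original page: a POSIX shell script that aggregates the output of lastb -i by source address or by targeted username and flags any source whose failure count reaches a threshold. It runs here against a constructed sample of lastb output embedded inline (the real /var/log/btmp needs root to read) and assumes the default column order, i.e. lastb run without -a.

```shell
#!/bin/sh
# Added example: aggregate failed logins from `lastb -i` output and flag noisy
# sources. Assumes the default column layout (user, tty, host, time), so do not
# combine with -a, which moves the host to the last column.

# Constructed sample of `lastb -i` output; not captured from a real system.
SAMPLE_LASTB='root     ssh:notty    203.0.113.10     Mon Jan  2 10:15 - 10:15  (00:00)
admin    ssh:notty    203.0.113.10     Mon Jan  2 10:15 - 10:15  (00:00)
root     ssh:notty    203.0.113.10     Mon Jan  2 10:16 - 10:16  (00:00)
oracle   ssh:notty    203.0.113.10     Mon Jan  2 10:16 - 10:16  (00:00)
alice    tty1                          Mon Jan  2 11:02 - 11:02  (00:00)
bob      ssh:notty    198.51.100.7     Mon Jan  2 12:40 - 12:40  (00:00)

btmp begins Mon Jan  2 09:00:00 2023'

# count_failed KEY: read lastb output on stdin and print "count key" lines,
# most frequent first. KEY is "user" (column 1) or "source" (column 3).
# Console failures have no host field, so their third column is the weekday;
# anything without a dot or colon is therefore reported as "local".
count_failed() {
    awk -v key="$1" '
        NF == 0 || $1 == "btmp" { next }        # blank line or trailer line
        {
            src = ($3 ~ /[.:]/) ? $3 : "local"
            k = (key == "user") ? $1 : src
            n[k]++
        }
        END { for (k in n) print n[k], k }' | sort -rn
}

# flag_sources_over THRESHOLD: print each source address whose failure count
# reaches THRESHOLD, one per line, for use as an alerting trigger.
flag_sources_over() {
    count_failed source | awk -v t="$1" '$1 >= t { print $2 }'
}

# Stand-alone run against the constructed sample. On a live host, replace the
# printf with `lastb -i` (requires read access to /var/log/btmp).
printf '%s\n' "$SAMPLE_LASTB" | count_failed source
printf '%s\n' "$SAMPLE_LASTB" | flag_sources_over 3
```

    Piping `lastb -i -s yesterday` into flag_sources_over from a cron job turns this into the periodic threshold alert described in the notes.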
