Viewing login attempts

Open an ssh port to the internet and in a short time you will see all kinds of login attempts. There will be repeated attempts to access your system using usernames such as "admin" and "root" and others that are presumably left unguarded on systems somewhere. There are all kinds of simple steps to take to ensure that these attempts are not successful and that they don't overwhelm your system (such as using fail2ban). The log files auth.log and syslog (found in /var/log) will be full of attempts, but how do you look to see if anyone has successfully logged in?

Login attempts and user connections to the system are tracked in the log files wtmp and btmp, but these files are in a binary format and are not directly readable like text log files. To access them, use the last utility. To get the most recent logins to the system (stored in wtmp):

last

To look in an older version of the file found in /var/log:

last -f /var/log/wtmp.1

To look at the most recent failed logins (stored in btmp):

sudo lastb

or

sudo last -f /var/log/btmp

(There are different permissions on btmp and wtmp, so looking at the failed logins requires a sudo, or running it as root.)

And to look at older btmp files to see older failed logins:

sudo lastb -f /var/log/btmp.1

or

sudo last -f /var/log/btmp.1

A quick scan through the output of last will tell you everyone who has logged in recently, and you can look for unauthorized or unexpected entries.