How to Check User Login History in Linux?

Checking and reviewing login history can help identify unauthorized access to a system, detect suspicious activity, and prevent potential security breaches. By keeping track of login events, administrators can detect and respond to any security issues as soon as they occur. It is also an important part of auditing to track user activity and ensure that all access to sensitive data is authorized and recorded.

This article shows how to check user login history in Linux using the following method:

Method: Using the last Command

In this section, we will be showing you different ways to utilize the last command to check the user login history in Linux. 

Example 1: Default Behavior of last Command

One of the most common ways of checking the user login history is to type the last command in the terminal as shown below:

$ last

In the output:

  • gone – no logout means the user did not log out properly (e.g., by shutting down the computer or killing the login session). 
  • crash (2+15:03) means the user’s session was terminated due to a crash after being active for 2 days, 15 hours, and 3 minutes. 
  • down (00:02) means the system went down, and the user’s session ended. 
  • 5.15.0-58-generic is the Linux kernel version currently running on your system. 
  • wtmp begins indicates the starting point of the log file that the command is reading from.
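
As an added example (not part of the original article), the shell function below tallies sessions per user from last output and counts those marked crash, gone – no logout, or down, as described in the list above. The sample records, user names, and addresses are constructed for illustration, and the function name summarize_logins is hypothetical.

```shell
#!/bin/sh
# Added example: per-user tally of how sessions in `last` output ended.

# Constructed sample in the default `last` layout (hypothetical users/hosts).
sample_last_output() {
cat <<'EOF'
foss     pts/0        192.0.2.20       Mon Feb  6 10:12   still logged in
foss     tty2         tty2             Mon Feb  6 09:01    gone - no logout
reboot   system boot  5.15.0-58-generic Mon Feb  6 09:00   still running
foss     tty2         tty2             Sun Feb  5 08:15 - down   (00:02)
admin    pts/0        192.0.2.5        Sat Feb  4 17:30 - 18:02  (00:32)
reboot   system boot  5.15.0-58-generic Sat Feb  4 08:14 - 08:17 (1+00:03)
admin    pts/1        192.0.2.5        Wed Feb  1 17:10 - crash (2+15:03)

wtmp begins Wed Feb  1 17:00:11 2023
EOF
}

# Reads `last` output on stdin and prints one line per user, sorted by name:
#   <user> total=<n> crash=<n> gone=<n> down=<n>
summarize_logins() {
  awk '
    # Skip blank lines, the "wtmp begins" trailer and the reboot pseudo-user.
    NF == 0 || $1 == "wtmp" || $1 == "reboot" { next }
    {
      user = $1
      total[user]++
      if ($0 ~ /gone - no logout/)  gone[user]++    # no logout recorded
      else if ($0 ~ / - crash /)    crash[user]++   # session ended by a crash
      else if ($0 ~ / - down /)     down[user]++    # session ended at shutdown
    }
    END {
      for (u in total)
        printf "%s total=%d crash=%d gone=%d down=%d\n",
               u, total[u], crash[u], gone[u], down[u]
    }' | sort
}

# Demo on the constructed sample; on a live system run: last | summarize_logins
sample_last_output | summarize_logins
```
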

Example 2: Check Login History of a Specific User

If you want to see the login history of a specific user, pass that user’s name to the last command as shown below:

$ last foss

In the above command, “foss” is the name of the user whose login history is shown.

Example 3: Check Limited Number of Logins

If you want to see only a limited number of logins, pass that number as an option to the last command as shown below:

$ last -5

As written, this command shows only the last 5 logins.

Example 4: Check the Reboot Time 

If you want to check when the system was last rebooted, you can do that using the “w” option as shown below:

$ last -w

The output lists the reboot entries alongside the logins.

Example 5: Check Login History for Specific Days

The command below shows the login history for a specific number of days:

$ last --since -2days

The above command will display the login history for the last 2 days as the command suggests. 

Note: Another command, “lastb”, shows a similar list, but only of logins that ended in a bad login (e.g., incorrect password, too many attempts).

Conclusion

In Linux, the “last” and “lastb” commands can be used to check a user’s login history. By regularly checking login history, administrators can detect and prevent unauthorized access, ensuring the security and integrity of the system. This post has demonstrated how to check a user’s login history in Linux.