Finding latest successful logins and failed attempts to a CentOS server

security linux centos

In Linux, the last command shows successful login attempts and displays session information (pts, source, date and length).

The lastb command records all bad login attempts. Both share the same man page, but the difference is that last reads the binary /var/log/wtmp file, and lastb reads the /var/log/btmp file by default.

The range of these files depends on your log rotation schedule, but it should span a few weeks. Most distributions will rotate /var/log/wtmp monthly, so you can read a previous record, usually listed as /var/log/wtmp.1 by specifying the file with the -f parameter... last -f /var/log/wtmp.1


The question is here offtopic, but a very short answer: maybe you should just check /var/log/secure (e.g. grep for "failed").

Related

What is a patch panel?
How to stop nginx on Mac OS X
Logging a Daemon's Output with Upstart
Can Microsoft employees see my data in Azure?
bzip2 too slow. Multiple cores are avaible
How to delete all but last [n] ZFS snapshots?
How can I block hacking attempts targeting phpMyAdmin?
How to bring .vimrc around when I SSH?
I changed my TTL from 24 hours to 5 minutes. Do I need to wait 24 hours before changing the records?
What's the biggest time saver you've implemented? [closed]
Windows 2008 ignores Gratuitous ARP requests
How to allow a user to use journalctl to see user-specific systemd service logs?