Finding latest successful logins and failed attempts to a CentOS server
In Linux, the last command shows successful login attempts and displays session information (pts, source, date and length). The lastb command records all bad login attempts. Both share the same man page, but the difference is that last reads the binary /var/log/wtmp file, and lastb reads the /var/log/btmp file by default.

The range of these files depends on your log rotation schedule, but it should span a few weeks. Most distributions will rotate /var/log/wtmp monthly, so you can read a previous record, usually listed as /var/log/wtmp.1, by specifying the file with the -f parameter:

last -f /var/log/wtmp.1
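Added example, not part of the original answer: a minimal reader for the binary record format behind /var/log/wtmp and /var/log/btmp, useful when a copied or rotated file has to be examined on a machine without last/lastb. It assumes the 384-byte struct utmp layout of glibc on x86-64 Linux; the function names and the sample records are constructed for illustration.

```python
import struct
from collections import Counter
from datetime import datetime, timezone

# struct utmp as laid out by glibc on x86-64 Linux: 384 bytes per record.
# Assumption: other platforms or libcs may use a different layout.
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20s")
LOGIN_PROCESS, USER_PROCESS = 6, 7  # record types this example keeps


def _text(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp(data):
    """Yield one dict per complete login record in a wtmp/btmp byte string."""
    usable = len(data) - len(data) % UTMP.size  # skip a truncated tail
    for offset in range(0, usable, UTMP.size):
        f = UTMP.unpack_from(data, offset)
        if f[0] not in (LOGIN_PROCESS, USER_PROCESS):
            continue  # boot, runlevel, dead-process and empty records
        yield {"user": _text(f[4]), "line": _text(f[2]), "host": _text(f[5]),
               "time": datetime.fromtimestamp(f[9], tz=timezone.utc)}


def attempts_by_host(data):
    """Count records per source host, e.g. failed logins read from btmp."""
    return Counter(r["host"] for r in parse_utmp(data))


def make_record(ut_type, user, line, host, tv_sec):
    """Build a constructed record for the sample below (not real log data)."""
    return UTMP.pack(ut_type, 1234, line, b"", user, host,
                     0, 0, 0, tv_sec, 0, 0, 0, 0, 0, b"")


# Constructed sample standing in for /var/log/btmp.
SAMPLE_BTMP = b"".join([
    make_record(LOGIN_PROCESS, b"root", b"ssh:notty", b"192.0.2.10", 1700000000),
    make_record(LOGIN_PROCESS, b"admin", b"ssh:notty", b"192.0.2.10", 1700000005),
    make_record(LOGIN_PROCESS, b"deploy", b"ssh:notty", b"198.51.100.7", 1700000060),
    make_record(2, b"reboot", b"~", b"", 1700000100),  # BOOT_TIME, skipped
]) + b"\x00" * 10  # truncated trailing bytes, ignored by the parser

if __name__ == "__main__":
    for rec in parse_utmp(SAMPLE_BTMP):
        print(rec["time"].isoformat(), rec["user"], rec["line"], rec["host"])
    print(attempts_by_host(SAMPLE_BTMP).most_common())
```

To read a real file, pass the bytes of /var/log/btmp or a rotated /var/log/wtmp.1 to parse_utmp; reading btmp normally requires root.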
The question is off-topic here, but a very short answer: maybe you should just check /var/log/secure (e.g. grep for "failed").