How to Use the last Command on Linux

Image: Linux laptop showing a bash prompt (Fatmawati Achmad Zaenuri / Shutterstock.com)

Who, when, and from where? Good security practices say you should know who’s been accessing your Linux computer. We show you how.

The wtmp File

Linux and other Unix-like operating systems such as macOS are very good at logging. Somewhere in the bowels of the system there is a log for just about everything you can think of. The log file we’re interested in is called wtmp; on most Linux systems it lives at /var/log/wtmp. The “w” might stand for “when” or “who”, as no one seems to agree. The “tmp” part probably stands for “temporary,” but it might also stand for “timestamp.”

What we do know is that wtmp is a log that captures and records every login and logout event. Reviewing the data in the wtmp log is a basic step in taking a security-minded approach to your system admin duties. For a typical family computer, it might not be so critical from a security perspective, but it is interesting to be able to review your combined use of the computer.

Unlike many of the text-based log files in Linux, wtmp is a binary file. To access the data within it, we need to use a tool designed for that task.

That tool is the last command.

The last Command

The last command reads data from the wtmp log and displays it in a terminal window.

If you type last and press Enter, it will display all of the records from the log file:

last

Each record from wtmp is displayed in the terminal window.

From left to right, each line contains:

  • The username of the person who logged in.
  • The terminal they were logged into. An entry of :0 means they logged in at the computer’s own graphical console; pts/N entries are pseudo-terminals, such as SSH sessions.
  • The hostname or IP address of the machine they logged in from. For a remote login this is the first thing to check; it is blank for local sessions.
  • The login date and time stamp.
  • The duration of the session, or a marker such as still logged in for a session that has not ended.

The last line tells us the date and time of the earliest recorded session in the log.

A login entry for the pseudo-user reboot is written to the log each time the computer is booted. For these entries the terminal field reads system boot and the host field holds the kernel version. The duration of the session represents the time the computer stayed up until the next shutdown or reboot, so a reboot you do not remember performing is worth a closer look.

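To make the record layout and the duration logic concrete, here is an added example, written for this page rather than taken from the original article or from util-linux’s last: a Python reader for the binary wtmp format that decodes each record, pairs logins with logouts the way last does, produces the reboot pseudo-sessions, and implements the since/until and present selections covered later on this page. It assumes glibc’s x86_64 struct utmp layout (384-byte little-endian records); the sample records are constructed inline, not taken from a real machine.

```python
"""Added example (not from the original article, not util-linux code): a reader
for the binary wtmp/btmp record format that reproduces the parts of last
described on this page: pairing logins with logouts, the 'reboot' pseudo-user,
durations, and the -s/-t and -p selections.
Assumes glibc's x86_64 struct utmp layout (384-byte little-endian records);
check <utmp.h> on the target, other libcs and architectures differ."""
import struct
from datetime import datetime, timezone

# File order: ut_type, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit (2 shorts), ut_session, ut_tv (sec, usec), ut_addr_v6[4], 20 unused.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"   # '<' also disables alignment padding
UTMP_SIZE = struct.calcsize(UTMP_FMT)       # 384
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8   # ut_type values from <utmp.h>

def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def pack_record(ut_type, line, user, host, t):
    """Encode one record; used here only to construct the sample file."""
    return struct.pack(UTMP_FMT, ut_type, 0, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, int(t), 0, 0, 0, 0, 0)

def parse_records(data):
    """Decode every complete 384-byte record; a truncated tail is ignored."""
    recs = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        recs.append({"type": f[0], "line": _cstr(f[2]), "user": _cstr(f[4]),
                     "host": _cstr(f[5]), "time": f[9]})
    return recs

def build_sessions(recs, now):
    """Chronological scan: USER_PROCESS opens a session on its tty, DEAD_PROCESS
    on that tty closes it, BOOT_TIME closes everything still open (last prints
    'down') and starts the 'reboot' pseudo-session whose host field is the
    kernel release and whose length is the uptime until the next boot."""
    open_tty, boot, out = {}, None, []
    def close(start, end, how):
        out.append({**start, "start": start["time"], "end": end, "how": how})
    for r in sorted(recs, key=lambda r: r["time"]):
        if r["type"] == USER_PROCESS:
            open_tty[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_tty:
            close(open_tty.pop(r["line"]), r["time"], "logout")
        elif r["type"] == BOOT_TIME:
            for s in open_tty.values():
                close(s, r["time"], "down")
            open_tty.clear()
            if boot:
                close(boot, r["time"], "down")
            boot = {"user": "reboot", "line": "system boot",
                    "host": r["host"], "time": r["time"]}
    for s in open_tty.values():
        close(s, now, "still logged in")
    if boot:
        close(boot, now, "still running")
    return sorted(out, key=lambda s: s["start"], reverse=True)  # newest first

def fmt_duration(seconds):
    """last's duration column: (hh:mm), or (d+hh:mm) past one day."""
    days, rem = divmod(int(seconds), 86400)
    hours, mins = divmod(rem // 60, 60)
    return f"{days}+{hours:02}:{mins:02}" if days else f"{hours:02}:{mins:02}"

def select(sessions, since=None, until=None):
    """-s/-t as described on this page: filter on login time, so a session that
    began before `until` and is still open is kept, one begun later is not."""
    return [s for s in sessions if (since is None or s["start"] >= since)
            and (until is None or s["start"] < until)]

def present(sessions, t):
    """-p: every session open at instant t, whenever it began or ended."""
    return [s for s in sessions if s["start"] <= t <= s["end"]]

def ts(*ymdhm):
    return int(datetime(*ymdhm, tzinfo=timezone.utc).timestamp())

# Constructed sample wtmp (not captured data): a boot, a remote login that logs
# out, a console login cut off by the next boot, and an open root SSH session.
SAMPLE_WTMP = b"".join([
    pack_record(BOOT_TIME, "~", "reboot", "5.0.0-15-generic", ts(2019, 5, 26, 8, 0)),
    pack_record(USER_PROCESS, "pts/0", "dave", "192.168.4.25", ts(2019, 5, 26, 8, 5)),
    pack_record(DEAD_PROCESS, "pts/0", "", "", ts(2019, 5, 26, 9, 40)),
    pack_record(USER_PROCESS, ":0", "mary", "", ts(2019, 5, 26, 10, 0)),
    pack_record(BOOT_TIME, "~", "reboot", "5.0.0-15-generic", ts(2019, 5, 27, 7, 30)),
    pack_record(USER_PROCESS, "pts/1", "root", "203.0.113.9", ts(2019, 5, 27, 8, 0)),
])
NOW = ts(2019, 5, 27, 12, 0)  # the moment we pretend to run the command

def demo_sessions():
    return build_sessions(parse_records(SAMPLE_WTMP), NOW)

if __name__ == "__main__":
    for s in demo_sessions():
        when = datetime.fromtimestamp(s["start"], timezone.utc).strftime("%a %b %d %H:%M")
        print(f"{s['user']:<8} {s['line']:<12} {s['host']:<17} {when}  "
              f"{s['how']:<16} ({fmt_duration(s['end'] - s['start'])})")
```

Run as a script it prints the five sessions newest first, in the same order last would: the open root session, the current reboot entry (still running), mary’s console login cut off by that reboot (down), dave’s 01:35 session, and the first reboot entry. Point parse_records at the bytes of a real /var/log/wtmp and you get the same output as last without -R, which is a useful cross-check when you suspect the binary has been tampered with.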
Showing a Specific Number of Lines

Using the last command on its own produces a dump of the entire log with most of it whizzing past the terminal window. The portion that remains visible is the earliest data in the log. This is probably not what you wanted to see.

You can tell last to give you a specific number of lines of output by providing the number of lines you’d like on the command line. Note the hyphen: to see five lines, you type -5, not 5. The long form -n 5 (or --limit 5) does the same thing:

last -5

This gives the first five lines from the log, which is the most recent data.

这给出了日志的前五行,这是最新的数据。

Showing Network Names for Remote Users

The -d (Domain Name System) option tells last to try to resolve remote users’ IP addresses into a machine or network name.

last -d

It isn’t always possible for last to convert the IP address to a network name, but the command will do so when it can. Bear in mind that this is a reverse DNS lookup performed at the moment you run last, and the name it returns is controlled by whoever administers the remote address, so treat the hostname as a hint and the IP address as the fact. The -i (--ip) option does the opposite and always prints the numeric address.

Hiding IP Addresses and Network Names

If you’re not interested in the IP address or network name, use the -R (no hostname) option to suppress this field.

last -R

Because this gives a neater output with no ugly wraparounds, this option has been used in all of the following examples. If you were using last to try to identify unusual or suspicious activity, you would not suppress this field.

Selecting Records by Date

You can use the -s (since) option to restrict the output to only show login events that took place since a specific date.

If you only wanted to see login events that took place from May 26th, 2019 onwards, you would use the following command:

last -R -s 2019-05-26

The output shows records with login events that took place from the time 00:00 on the specified day, up to the newest records in the log file.

Searching Until an End Date

You can use the -t (until) option to specify an end date. Combined with -s, this selects the login records that fall between two dates of interest:

last -R -s 2019-05-26 -t 2019-05-27

This command asks last to retrieve and display the login records from 00:00 (midnight) at the start of the 26th up to 00:00 (midnight) at the start of the 27th. This narrows the listing down to login sessions that began on the 26th only.

Time and Date Formats

You can use times as well as dates with the -s and -t options.

The time formats that the man page says can be used with the last options that take dates and times are (allegedly):

  • YYYYMMDDhhmmss
  • YYYY-MM-DD hh:mm:ss
  • YYYY-MM-DD hh:mm – seconds are set to 00
  • YYYY-MM-DD – time is set to 00:00:00
  • hh:mm:ss – date is set to today
  • hh:mm – date is set to today, seconds to 00
  • now
  • yesterday – time is set to 00:00:00
  • today – time is set to 00:00:00
  • tomorrow – time is set to 00:00:00
  • +5min
  • -5days

Why ‘allegedly’?

The second and third formats in the list did not work during the research for this article. The commands were tested on Ubuntu, Fedora, and Manjaro, which are derivatives of Debian, Red Hat, and Arch respectively, so the failure was not specific to one family of Linux distribution.

last -R -s 2019-05-26 11:00 -t 2019-05-27 13:00

As you can see, the command returned no records at all. The cause is not last itself but the shell: the space in 2019-05-26 11:00 splits the value into two arguments, so -s receives only the date, and last treats the stray 11:00 as a username or terminal name to filter on, which matches nothing. Quoting each value, as in -s "2019-05-26 11:00" -t "2019-05-27 13:00", keeps the date and time together and the formats behave as documented.

Using the first date and time format from the list, with the same dates and times as the previous command, does return records:

last -R -s 20190526110000 -t 20190527130000

Searching by Relative Units

You can also specify time periods measured in minutes or days relative to the current date and time. Here we are asking for records from two days ago up until one day ago:

last -R -s -2days -t -1days

Yesterday, Today and Now

You can use yesterday and today as shorthand for yesterday’s date and today’s date:

last -R -s yesterday -t today

Note that this will not include any records for today. That is the expected behavior: the selection is made on login time, from the start date up to but not including the end date, so a session that began yesterday and is still active is listed, while nothing that began today is.

The now option is shorthand for today at the current time. To see the login events that have taken place since 00:00 (midnight) up to the moment you issue the command, use this command:

last -R -s today -t now

This will show all login events right up to the present time, including sessions that are still logged in.

The present Option

The -p (present) option allows you to find out who was logged in at a point in time.

It doesn’t matter when they logged in or out: if they were logged into the computer at the time you specify, they will be included in the listing.

If you specify a time without a date, last assumes you mean today:

last -R -p 09:30

People who are still logged in (obviously) don’t have a logout time; they are described as still logged in. If the computer has not been rebooted since the time you specify, the reboot entry will be listed as still running.

If you use the now shorthand with the -p (present) option you can find out who is logged in at the time you issue the command.

last -R -p now

This is a somewhat long-winded way to achieve what the who command does directly; who (and w) read the current utmp file rather than the wtmp history.

The lastb Command

The lastb command deserves a mention. It reads data from a log called btmp, normally /var/log/btmp. There is a little more consensus on this log name: the ‘b’ stands for bad, but the ‘tmp’ part is still subject to debate.

lastb lists the bad (failed) login attempts. It accepts the same options as last. Because the attempts failed, there is no session to time, so every entry shows a duration of 00:00; attempts made over SSH show ssh:notty in the terminal column. A burst of failures from one address, or failures spread across many different usernames, is the pattern to look for.

You must use sudo with lastb: btmp records the usernames that were tried, which sometimes turn out to be passwords typed into the wrong field, so it is readable only by root (and, on some distributions, the utmp group).

sudo lastb -R

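As an added example (not from the original article, and not util-linux code), the following Python script takes the text output of lastb and last and looks for the two things a practitioner wants from these logs together: a burst of failed logins from one source, and a later successful login from that same source. It assumes the commands were run as sudo lastb -i --time-format=iso and last -i --time-format=iso so that the host column is numeric and timestamps are ISO 8601; note that the -R option used just above would remove the host column this script depends on. The log lines are constructed for the example, not captured from a real machine.

```python
"""Added example, not code from the original article or from util-linux: a
triage pass over the text output of lastb and last. It flags sources with a
burst of failed logins and then checks whether any such source later shows up
as a *successful* login in wtmp, the combination the closing section alludes to.

Assumptions: output produced by `sudo lastb -i --time-format=iso` and
`last -i --time-format=iso`, so the host column is always a numeric address
and the timestamps are ISO 8601. The log lines below are constructed for the
example, not captured from a real machine."""
import re
from collections import defaultdict
from datetime import datetime

# user, tty, host, ISO start time; the rest of the line (end time, duration,
# "still logged in") is not needed.  Lines whose fourth field is not a
# timestamp (reboot entries, the "wtmp begins ..." footer) are skipped.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d{4}-\d{2}-\d{2}T\S+)")


def parse(text):
    """-> list of (user, tty, host, start) tuples, start as an aware datetime."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            user, tty, host, start = m.groups()
            out.append((user, tty, host, datetime.fromisoformat(start)))
    return out


def bursts(failures, threshold=5, window_s=60):
    """Sliding window per host: any host with >= threshold failures inside a
    window_s span is reported with its total count, the usernames it tried,
    and the time of its first and last attempt."""
    by_host = defaultdict(list)
    for user, _tty, host, t in failures:
        by_host[host].append((t, user))
    found = {}
    for host, events in by_host.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            while (events[hi][0] - events[lo][0]).total_seconds() > window_s:
                lo += 1
            if hi - lo + 1 >= threshold:
                found[host] = {"failures": len(events),
                               "users": sorted({u for _, u in events}),
                               "first": events[0][0], "last": events[-1][0]}
                break
    return found


def later_successes(successes, burst_hosts):
    """Successful logins from a bursting host at or after its first failure:
    the 'brute force, then got in' pattern that deserves immediate attention."""
    return [(host, user, tty, t) for user, tty, host, t in successes
            if host in burst_hosts and t >= burst_hosts[host]["first"]]


# Constructed `sudo lastb -i --time-format=iso` output (newest first, as lastb prints).
LASTB_OUTPUT = """\
root     ssh:notty    203.0.113.9      2019-05-28T10:15:40+00:00 - 2019-05-28T10:15:40+00:00  (00:00)
test     ssh:notty    203.0.113.9      2019-05-28T10:15:28+00:00 - 2019-05-28T10:15:28+00:00  (00:00)
root     ssh:notty    203.0.113.9      2019-05-28T10:15:21+00:00 - 2019-05-28T10:15:21+00:00  (00:00)
oracle   ssh:notty    203.0.113.9      2019-05-28T10:15:15+00:00 - 2019-05-28T10:15:15+00:00  (00:00)
admin    ssh:notty    203.0.113.9      2019-05-28T10:15:09+00:00 - 2019-05-28T10:15:09+00:00  (00:00)
root     ssh:notty    203.0.113.9      2019-05-28T10:15:02+00:00 - 2019-05-28T10:15:02+00:00  (00:00)
dave     ssh:notty    198.51.100.7     2019-05-28T14:40:53+00:00 - 2019-05-28T14:40:53+00:00  (00:00)
dave     ssh:notty    198.51.100.7     2019-05-28T09:02:11+00:00 - 2019-05-28T09:02:11+00:00  (00:00)

btmp begins Sun May 26 00:00:01 2019
"""

# Constructed `last -i --time-format=iso` output for the same day.
LAST_OUTPUT = """\
root     pts/1        203.0.113.9      2019-05-28T10:16:30+00:00   still logged in
dave     pts/0        192.168.4.25     2019-05-28T08:30:00+00:00 - 2019-05-28T11:02:14+00:00  (02:32)
reboot   system boot  5.0.0-15-generic 2019-05-26T08:00:05+00:00   still running

wtmp begins Sun May 26 08:00:05 2019
"""


def triage(lastb_text=LASTB_OUTPUT, last_text=LAST_OUTPUT):
    found = bursts(parse(lastb_text))
    return found, later_successes(parse(last_text), found)


if __name__ == "__main__":
    found, hits = triage()
    for host, info in found.items():
        print(f"{host}: {info['failures']} failures, tried {info['users']} "
              f"between {info['first']:%H:%M:%S} and {info['last']:%H:%M:%S}")
    for host, user, tty, t in hits:
        print(f"ALERT: {host} later logged in as {user} on {tty} at {t:%Y-%m-%d %H:%M:%S}")
```

On the sample data, dave’s two mistyped passwords hours apart are ignored, the six failures from 203.0.113.9 inside forty seconds across four usernames are reported as a burst, and the root login from that same address a minute later is raised as the alert. On a real host, feed the script the saved output of the two commands; the thresholds are deliberately parameters, since what counts as a burst depends on how exposed the machine is.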
The Last Word on the Matter

Knowing who has logged into your Linux computer, when, and from where is useful information. Combining this with the details of failed login attempts arms you with the first steps in investigating suspicious behavior. Bear in mind that wtmp and btmp are ordinary files that anyone with root access can edit or truncate, so on a machine you care about, forward these records to a log host the attacker cannot reach.

Translated from: https://www.howtogeek.com/416023/how-to-use-the-last-command-on-linux/
