Authentication logs form a vital part of server security. If you suspect a breach, they can provide a full list of every remote login attempt on your server, alongside the account, date, and timestamp. They also list each prompt that asks for a user password, such as the sudo
command, and whether or not the authentication was successful.
How to check system logins
The majority of Linux systems keep these logs at /var/log/auth.log
or /var/log/secure
. For Ubuntu, it's the former. We can view these with nano
or vim
like we would any other text file, but the following command will give us faster load times and let us easily view the file page-by-page:
sudo less /var/log/auth.log
OUTPUT: Jan 8 15:07:22 5ff8750c7437d20001bb84c5 passwd[395]: password for 'root' changed by 'root' Jan 8 15:07:42 5ff8750c7437d20001bb84c5 sshd[546]: Received signal 15; terminating. Jan 8 15:07:42 5ff8750c7437d20001bb84c5 sshd[1321]: Server listening on 0.0.0.0 port 22. Jan 8 15:07:42 5ff8750c7437d20001bb84c5 sshd[1321]: Server listening on :: port 22. Jan 8 15:08:01 5ff8750c7437d20001bb84c5 sshd[1321]: Received signal 15; terminating. Jan 8 15:08:01 5ff8750c7437d20001bb84c5 sshd[1727]: Server listening on 0.0.0.0 port 22. Jan 8 15:08:01 5ff8750c7437d20001bb84c5 sshd[1727]: Server listening on :: port 22. Jan 8 15:09:41 5ff8750c7437d20001bb84c5 sshd[1738]: error: kex_exchange_identification: read: Connection reset by peer Jan 8 15:09:46 5ff8750c7437d20001bb84c5 sshd[1739]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.161.63.100 user=root Jan 8 15:09:49 5ff8750c7437d20001bb84c5 sshd[1739]: Failed password for root from 81.161.63.100 port 54150 ssh2 Jan 8 15:14:36 5ff8750c7437d20001bb84c5 sshd[1896]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=71.221.154.110 user=root Jan 8 15:14:37 5ff8750c7437d20001bb84c5 sudo: root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/less /var/log/auth.log Jan 8 15:14:37 5ff8750c7437d20001bb84c5 sudo: pam_unix(sudo:session): session opened for user root by root(uid=0) (END)
Above is a cut-down example from a server that was just created. You can see that it also lists the initial password change when the server was programmatically created.
Once you're ready, press q
to quit the document.
View the most recent logins
If you just want to check the most recent logins, it's even simpler. Back in the command-line, type last
and press Enter.
The output will look something like this:
root pts/0 12.34.567.89 Fri Jan 8 15:30 still logged in root pts/0 12.34.567.89 Fri Jan 8 15:13 - 15:29 (00:16) reboot system boot 5.4.0-1009-kvm Fri Jan 8 15:07 still running
The last
tool pulls its data from /var/log/wtmp
, which is written to each time a user logs in. It'll show username, tty, IP address, date and time, and session start/stop times.
If that's too verbose, you can apply filters to the command with the following syntax:
last [OPTIONS] [USER] [<TTY>...]
Let's look at an example. If we wanted to view all of the logins from the root user, we could run:
last root
OUTPUT: root pts/0 12.345.678.90 Fri Jan 8 15:30 still logged in root pts/0 12.345.678.90 Fri Jan 8 15:13 - 15:29 (00:16)
Or, if we want to restrict it to a specific user and TTY:
last bitlaunch pts/1
See when users last logged in
If you notice an unauthorized change to the system, it's often useful to see when each user last logged in. This way, you can determine who made the adjustment. We can do this via the lastlog
command, which pulls data from /etc/log/lastlog
and sorts them by /etc/password
entries:
lastlog
Username Port From Latest root pts/0 12.345.678.90 Fri Jan 8 15:30:06 +0000 2021 daemon **Never logged in** bin **Never logged in** sys **Never logged in** sync **Never logged in** bitlaunch pts/1 83.253.230.46 Fri Jan 8 16:09:53 +0000 2021 hack0r pts/1 83.253.230.46 Fri Jan 8 16:10:20 +0000 2021
You'll notice quite a few users with a **Never logged in**
entry in the Latest
column. This is normal on account of them being system users.
But what if you just found out about a historical incursion or are looking for more specific information? lastlog
has several options that can be of use.
Option | Description |
-u, --user [LOGIN] | Print logs for a specific user with a specified login |
-b, --before [DAYS] | Print records older than a specified number of days |
-t, --time [DAYS] | Print records that are more recent than a specified number of days |
This is particularly useful if we want to get the last time a specific user logged in:
lastlog -u root
OUTPUT: root pts/0 12.345.678.90 Fri Jan 8 15:30:06 +0000 2021
What to look for in authentication logs
Now you know how to view authentication logs, it's important to develop a pro-active mindset. Don't just run these commands if you notice something strange β make it a habit to check regularly.
When you do so, look out out for the following:
Users who are requesting sudo privileges to perform tasks that are outside their scope of work Is one user attempting to access or modify the content of another? Was a password changed unexpectedly?
Logins from unusual IP addresses, or at times that don't line up with your timezone/work hours
Multiple failed login attempts from a single IP β this could indicate a brute force attack and the IP may need to be blocked
Logins from users you don't recognise Attackers often create a new account so that they can perform actions without as much oversight
Of course, there's one issue with all this. If an attacker gains access to your root account, they will be able to modify or delete your authentication log. An absence of authentication logs can be very telling, but it also doesn't leave you with much information about the incursion.
As a result, it's vital that you keep your root account secure. Though they can help in the case of a breach, authentication logs are far from a replacement for basic security.