Who Has Used My System?
It is always important to know who has logged into your Linux box. This isn't just to help track the activities of malicious users, but mostly to figure out who made the mistake that crashed the system or blew up Apache with a typographical error in the httpd.conf file.
The last Command
The most common command to determine who has logged into your system is last, which lists the last users who logged into the system. Here are some examples:
[root@bigboy tmp]# last -100
root pts/0 reggae.my-web-site.org Thu Jun 19 09:26 still logged in
root pts/0 reggae.my-web-site.org Wed Jun 18 01:07 - 09:26 (1+08:18)
reboot system boot 2.4.18-14 Wed Jun 18 01:07 (1+08:21)
root pts/0 reggae.my-web-site.org Tue Jun 17 21:57 - down (03:07)
root pts/0 reggae.my-web-site.org Mon Jun 16 07:24 - 00:35 (17:10)
wtmp begins Sun Jun 15 16:29:18 2003
[root@bigboy tmp]#
In this example someone from reggae.my-web-site.org logged into bigboy as user root. I generally prefer not to give out the root password, and instead have all the systems administrators log in with their own individual logins. They can then get root privileges by using sudo. This makes it easier to track activity back to individuals rather than to a group of users sharing one account.
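The shell function below is an added example, not part of the original page: it counts direct root sessions per source host in last output, which are the entries that individual logins plus sudo are meant to eliminate. The names root_logins and sample_last and the user alice are hypothetical; the sample input is the listing above with one constructed line added.

```shell
#!/bin/sh
# Added example: count direct root sessions per source host in `last` output.
# Reads `last`-format text on stdin, so it works on saved output or a live pipe.

root_logins() {
    awk '
        # Skip blank lines, the reboot pseudo-user and the "wtmp begins" trailer.
        NF == 0 || $1 == "reboot" || $1 == "wtmp" { next }
        $1 == "root" {
            host = $3
            # Console logins have no host column, so field 3 is the weekday.
            if (host ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) host = "(local)"
            count[host]++
            # A session that has not ended shows "still logged in".
            if ($0 ~ /still logged in/) active[host]++
        }
        END {
            for (h in count)
                printf "%s sessions=%d active=%d\n", h, count[h], active[h] + 0
        }
    ' | sort
}

# Sample input: the listing from this page, plus one constructed non-root
# entry (the user "alice" is hypothetical) to show that it is ignored.
sample_last() {
    cat <<'EOF'
root     pts/0        reggae.my-web-site.org Thu Jun 19 09:26   still logged in
alice    pts/1        reggae.my-web-site.org Wed Jun 18 10:02 - 10:40  (00:38)
root     pts/0        reggae.my-web-site.org Wed Jun 18 01:07 - 09:26  (1+08:18)
reboot   system boot  2.4.18-14              Wed Jun 18 01:07          (1+08:21)
root     pts/0        reggae.my-web-site.org Tue Jun 17 21:57 - down   (03:07)
root     pts/0        reggae.my-web-site.org Mon Jun 16 07:24 - 00:35  (17:10)

wtmp begins Sun Jun 15 16:29:18 2003
EOF
}

# On a live system: last -100 | root_logins
sample_last | root_logins
```

A non-empty result on a system where administrators are supposed to use sudo means someone is still logging in with the shared root password.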
The who Command
The who command is used to see who is currently logged in to your computer. Here we see a user logged in as root from server reggae.my-web-site.org:
[root@bigboy tmp]# who
root pts/0 Jun 19 09:26 (reggae.my-web-site.org)
[root@bigboy tmp]#