Welcome to Day 17 of our Linux Security Basics series! After setting up a firewall with `ufw` or `firewalld` on Day 5, we added a strong layer of network security. Now, let’s turn our attention to what’s happening inside your system. Monitoring user activity is like having a security camera for your Linux server: it helps you spot unauthorized access, track user behaviour, and respond to potential threats. Today, we’ll use three simple yet powerful commands, `last`, `w`, and `who`, to keep an eye on users and login activity. Let’s dive in with a story and some real-world scenarios!
Index
- Why Monitor User Activity? A SysAdmin’s Wake-Up Call
- Command 1: `last` - Review Login History
- Command 2: `w` - Who’s Online Right Now?
- Command 3: `who` - A Quick Snapshot of Logged-In Users
- Best Practices: Keeping Your System Safe
Why Monitor User Activity? A SysAdmin’s Wake-Up Call
Picture this: You’re a sysadmin named Jamie, managing a Linux server for a small company. One Monday morning, you notice the server is running slower than usual. Digging deeper, you discover a user account you don’t recognise has been logging in at odd hours (2 a.m., 3 a.m.) from an unfamiliar IP address. Someone compromised an old account with a weak password and has been running malicious scripts! If only you had been monitoring login activity, you could have caught this sooner.
Monitoring users and logins helps you:
- Detect unauthorized access (e.g., brute force attacks or compromised accounts).
- Track user behavior for auditing or troubleshooting.
- Respond quickly to suspicious activity.
Let’s use `last`, `w`, and `who` to ensure Jamie’s nightmare doesn’t happen to you.
Command 1: `last` - Review Login History
The `last` command shows a history of user logins, including who logged in, when, from where, and for how long.
Real-Life Use Case: Investigating a Breach
Jamie wants to investigate the unauthorized logins on the company server.
Step 1: Run `last`
```
last
```
Output example:
```
jamie    pts/0    192.168.1.10  Mon May 19 09:00 - 10:00  (01:00)
unknown  pts/1    203.0.113.5   Sun May 18 02:00 - 03:00  (01:00)
root     tty1     localhost     Sat May 17 14:00 - 15:00  (01:00)
```
- jamie: Logged in from a known IP.
- unknown: Suspicious login from an unknown IP at 2 a.m.
- root: Local login, likely during maintenance.
Step 2: Narrow Down with Options
To focus on a specific user:
```
last unknown
```
To see logins from a specific IP, print hosts as numeric addresses with `-i` and filter the host column with `grep` (`last` itself only filters by user or terminal, not by host):
```
last -i | grep 203.0.113.5
```
Jamie uses `last` to confirm the `unknown` user logged in multiple times over the weekend. The IP address (203.0.113.5) isn’t from the company network, a red flag! Jamie disables the account and starts investigating further.
Command 2: `w` - Who’s Online Right Now?
The `w` command shows who is currently logged into the system, what they’re doing, and how long they’ve been idle.
Real-Life Use Case: Spotting Suspicious Activity in Real Time
Jamie wants to see if the intruder is still on the system while investigating.
Step 1: Run `w`
```
w
```
Output example:
```
 10:41:00 up 5 days,  2:00,  2 users,  load average: 0.10, 0.15, 0.20
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
jamie    pts/0    192.168.1.10     09:00    0.00s  0.03s  0.01s bash
unknown  pts/1    203.0.113.5      10:30    5:00   1:20   0.50s python3 script.py
```
- jamie: Actively working in a bash shell.
- unknown: Running a Python script, logged in from the same suspicious IP.
Step 2: Take Action
Jamie sees the `unknown` user is still active, running a script. To stop them, Jamie terminates the session:
```
sudo pkill -u unknown
```
By using `w`, Jamie caught the intruder in the act and kicked them off the system before more damage was done.
Command 3: `who` - A Quick Snapshot of Logged-In Users
The `who` command provides a simpler view of currently logged-in users, showing their username, terminal, login time, and source.
Real-Life Use Case: Routine Checks for a Shared Server
Jamie manages a shared server for a university lab where multiple students log in. She wants a quick way to see who’s online during her daily checks.
Step 1: Run `who`
```
who
```
Output example:
```
jamie     pts/0        2025-05-24 09:00 (192.168.1.10)
student1  pts/1        2025-05-24 10:00 (172.16.2.15)
student2  pts/2        2025-05-24 10:15 (172.16.2.20)
```
All IPs are from the university network and all the users are recognised, so there are no immediate concerns.
Step 2: Add Details with Options
To see more details, use:
```
who -H
```
This adds column headers for clarity.
Jamie uses `who` for quick checks, ensuring only authorized students are logged in. One day, she spots an unfamiliar IP, cross-checks it with `last`, and discovers a student shared their credentials, prompting a security training session!
Best Practices: Keeping Your System Safe
- Schedule Regular Checks: Run `who` or `w` daily to spot unusual activity.
- Automate Monitoring: Create a script to log `last` output and email alerts for suspicious IPs:
```bash
#!/bin/bash
last > /var/log/login_history.log
# Send the alert only when the suspicious IP actually appears in the history
matches=$(grep "203.0.113.5" /var/log/login_history.log)
[ -n "$matches" ] && printf '%s\n' "$matches" | mail -s "Suspicious Login Alert" admin@example.com
```
Save it as `monitor_logins.sh`, make it executable (`chmod +x monitor_logins.sh`), and schedule it with `cron`. For example, add this to your `crontab` to run it daily at 2 a.m.:
```
0 2 * * * /path/to/monitor_logins.sh
```
- Combine with Logs: Check `/var/log/auth.log` (Debian/Ubuntu) or `/var/log/secure` (Red Hat) for more details on login attempts.
- Act Quickly: If you spot suspicious activity, disable accounts (`sudo passwd -l username`) and investigate.
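The monitoring script above greps for one IP that is already known to be bad. As an added example (not part of the original post), the following Python script generalises the idea from the `last` investigation and the automation tip: it parses default `last` output and flags any login from outside an assumed allowlist of trusted networks (the company LAN and the lab network from the examples) or outside assumed working hours. Run it on a server to read live `last -i` data, or import it and call `suspicious_logins()` on captured output.

```python
"""Flag suspicious logins in `last` output (added example, not from the post)."""
import ipaddress
import subprocess
# Assumed trusted ranges: the company LAN and the lab network used in the post.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "172.16.2.0/24")]
WORK_HOURS = range(7, 20)  # logins between 07:00 and 19:59 are considered normal

def parse_last(text):
    """Yield (user, host, login_hour) from default `last` lines such as
    'unknown  pts/1  203.0.113.5  Sun May 18 02:00 - 03:00  (01:00)'."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[0] in ("reboot", "wtmp"):  # blanks, reboots, "wtmp begins" trailer
            continue
        user, host = parts[0], parts[2]
        hour = int(parts[6].split(":")[0])  # HH:MM that follows "Dow Mon DD"
        yield user, host, hour

def suspicious_logins(text, trusted=TRUSTED_NETS, hours=WORK_HOURS):
    """Return (user, host, reason) for each login outside trusted nets or hours."""
    flagged = []
    for user, host, hour in parse_last(text):
        reasons = []
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            addr = None  # console logins show a name such as 'localhost' or ':0'
        if addr and not (addr.is_loopback or addr.is_unspecified
                         or any(addr in net for net in trusted)):
            reasons.append("untrusted network")
        if hour not in hours:
            reasons.append(f"off-hours login at {hour:02d}:00")
        if reasons:
            flagged.append((user, host, "; ".join(reasons)))
    return flagged

# Constructed sample, mirroring the post's example output.
SAMPLE = """\
jamie    pts/0    192.168.1.10  Mon May 19 09:00 - 10:00  (01:00)
unknown  pts/1    203.0.113.5   Sun May 18 02:00 - 03:00  (01:00)
root     tty1     localhost     Sat May 17 14:00 - 15:00  (01:00)
wtmp begins Sat May 17 00:00:00 2025"""

if __name__ == "__main__":
    try:  # On a real server read live data; -i keeps the host column numeric.
        text = subprocess.run(["last", "-i"], capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        text = SAMPLE
    for user, host, reason in suspicious_logins(text):
        print(f"{user:<10} {host:<16} {reason}")
```

With `-i`, local console logins appear as `0.0.0.0`, which the `is_unspecified` check treats as local rather than untrusted.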
Troubleshooting: False Alarms and Missed Intruders
- False Positives: Jamie once panicked over an unfamiliar IP, but it was a student using a VPN. Cross-check IPs with known users before acting.
- Missed Activity: If `last` shows no data, ensure `/var/log/wtmp` isn’t corrupted. Reset it with `sudo truncate -s 0 /var/log/wtmp` (this discards the existing login history).
What’s Next?
You’re now equipped to monitor user activity and spot potential threats! Tomorrow, on Day 18, we’ll explore Introduction to SELinux or AppArmor for Advanced Hardening, taking your security to the next level. Stay tuned!
I would love to hear your thoughts, experiences, or tips about Linux! Feel free to share in the comments and join the conversation. Connect with me on LinkedIn!