Who was logged in linux

UNIX / Linux List Current Logged In Users

H ow do I print the user names of users currently logged in to the current UNIX / Linux host / server from a command prompt?

You need to use any one of the following command line tools to list currently logged in users on Linux or Unix-like systems.

Tutorial details
Difficulty level	Easy
Root privileges	Yes
Requirements	w or who command on Linux and Unix
Est. reading time	5m

The following two file keep login records on Linux and Unix-like systems:

• /var/run/utmp – Keeps and allows us to discover information about who is currently using the system. Please note that there may be more L inux and Unix users currently using the system, because not all programs use utmp logging . In other words, poorly written app, hidden programs, malware, and other bad stuff will not be useful to list logged in users.
• /var/log/wtmp – Keeps records all logins and logouts.

We simply cannot read these files using cat command/grep command/egrep command as file is in binary database format. Hence, we use the following commands to find currently logged in users in Linux and Unix-like systems.

Linux Command To List Current Logged In Users

1. w command – Shows information about the users currently on the machine, and their processes.
2. who command – Display information about users who are currently logged in.
3. users command – See the login names of the users currently on the system, in sorted order, space separated, on a single line. It reads all information from /var/run/utmp file.

How to find currently logged in users in Linux

Open a terminal (or login into remote server using ssh command) and type the following commands.

Using w command to list current logged in users under Unix or Linux

Open the terminal application and then type the w command:
$ w

Fig.01: w command in action.

Understanding w command outputs

From Fig.01 we see the following for each user:

• USER – Linux or Unix login name.
• TTY – The tty name.
• FROM The remote host or IP address.
• @Login – Login time.
• IDEL – Idle time.
• JCPU – The JCPU time is the time used by all processes attached to the tty. However, it does not include past background jobs, but does include currently running background jobs.
• PCPU – The PCPU time is the time used by the current process, named in the “what” field.
• WHAT – The command line of that users current process.

To see info about a user named tom, enter:
$ w tom
Tell w command not print header:
$ w -h
$ w —no-header
We can also ignore current process username by passing the -u or —no-current to the w command:
$ w -u
$ w —no-current
Want to see remote hostname field? Try:
$ w -f
Show IP address instead of hostname for from field:
$ w -i
We can also old style output. In other words old outputs prints blank space for idle times less than one minute:
$ w -o

Display all logged in users using who command

The who command works on all Unix like operating systems such as macOS, *BSD, Linux and so on. The syntax is pretty simple:
# who
Here is what we see:

The who command displays the following information:

• root – The username
• pts/0 – Type of the terminal device. In this example, we see pseudoterminal pts/0 used by root user.
• 2013-03-12 15:10 – User login date and time stamp.
• (10.1.3.177) – The remote IP address from which the user logged into this server.

We can pass the -a option to who command as follows to see time of last system boot, display dead processes, system login processes, active processes spawned by init/systemd, print current runlevel, print last system clock change, show user’s message status, and list users logged in to Linux or Unix box:
# who -a
Here is output from older Linux system (pre Systemd):

Sample outputs from Systemd based Linux sysetem:

Getting help with the whois command

You can pass the following options to the who command (taken from the who command man page):

• No ads and tracking
• In-depth guides for developers and sysadmins at Opensourceflare✨
• Join my Patreon to support independent content creators and start reading latest guides:
  • How to set up Redis sentinel cluster on Ubuntu or Debian Linux
  • How To Set Up SSH Keys With YubiKey as two-factor authentication (U2F/FIDO2)
  • How to set up Mariadb Galera cluster on Ubuntu or Debian Linux
  • A podman tutorial for beginners – part I (run Linux containers without Docker and in daemonless mode)
  • How to protect Linux against rogue USB devices using USBGuard

Join Patreon ➔

users command

Open a terminal or login over the ssh session and enter the following users command:
$ users
Output who is currently logged:

Vieing logged in users with last command

Want to see a listing of last logged in users? Use the last command to lookup binary database called /var/log/wtmp and displays a list of all users logged in (and out) since that file was created. For instance see history for user named ‘vivek’:
$ last vivek

Источник

How to show current logged in users in Linux

All user names are stored in /etc/passwd file and can be displayed with help of cat command or grep command/egrep command:
cat /etc/passwd
grep ‘^userNameHere’ /etc/passwd
grep ‘^tom’ /etc/passwd
Let us see all examples and usage in details.

How to show current logged in users in Linux

• The current time ( 22:11:17 )
• How long the Linux server has been running (18 days)
• How many users are currently logged on Linux (2 users)
• The system load averages for the past 1, 5, and 15 minutes (1.01, 1.04, 1.05)

The following info displayed for each current logged in user:

• No ads and tracking
• In-depth guides for developers and sysadmins at Opensourceflare✨
• Join my Patreon to support independent content creators and start reading latest guides:
  • How to set up Redis sentinel cluster on Ubuntu or Debian Linux
  • How To Set Up SSH Keys With YubiKey as two-factor authentication (U2F/FIDO2)
  • How to set up Mariadb Galera cluster on Ubuntu or Debian Linux
  • A podman tutorial for beginners – part I (run Linux containers without Docker and in daemonless mode)
  • How to protect Linux against rogue USB devices using USBGuard

Join Patreon ➔

• sweta – Login name
• pts/10 – The tty name
• minitx – The remote host/desktop/laptop name
• 22:11 – Login time
• 5.00s – Idle time
• 0.04s – JCPU (it the time used by all processes attached to the tty. It does not include past background jobs, but does include currently running background jobs.)
• 0.02s – PCPU (it is the time used by the current process, named in the “what” field.)
• vim replicant.py – The command line of their current process

Find out who you are currently logged in as on Linux

Execute the following command:
whoami
Another option is to just type the following id command:
id

Use the whoami and id commands to find out who you are currently logged in as on Linux based system

Linux show who is logged on

Conclusion

This page showed how to find out current logged in users in Linux and what they are doing from the terminal. For more info see man pages using the man command:
man w
man who
man whoami

🐧 Get the latest tutorials on Linux, Open Source & DevOps via

Источник

How can I find out who is logged on my UNIX / Linux system?

Q . How do I display who is on the UNIX / Linux system?

A . On a Linux (on Solaris/FreeBSD or any other UNIX) system, many users will be sharing the same server.

Users will use telnet (outdated and insecure) or ssh (secure and highly recommended) to login remotely.

So if you want to find out your friend or a coworker is logged in or not, use the following commands.

If you want to find out who’s logged in on the Linux server including what time they logged in and from which network computer then you can use who command:

• No ads and tracking
• In-depth guides for developers and sysadmins at Opensourceflare✨
• Join my Patreon to support independent content creators and start reading latest guides:
  • How to set up Redis sentinel cluster on Ubuntu or Debian Linux
  • How To Set Up SSH Keys With YubiKey as two-factor authentication (U2F/FIDO2)
  • How to set up Mariadb Galera cluster on Ubuntu or Debian Linux
  • A podman tutorial for beginners – part I (run Linux containers without Docker and in daemonless mode)
  • How to protect Linux against rogue USB devices using USBGuard

Join Patreon ➔

who command

show who is logged on

who commands works with almost all Linux and UNIX like oses. It show who is logged on to your system. It displays information about currently logged in users. By default, this includes the login name, tty name, date and time of login and remote hostname if not local.
$ who
Output:

Sometime you just want to find out if user raj logged in or not then you can use grep command:

Try out following command if you have more than 20+ users logged in (so that you can see one page of logged in users at a time):

🐧 Get the latest tutorials on Linux, Open Source & DevOps via

Источник

4 Ways to Identify Who is Logged-In on Your Linux System

This article is written by Hari Haran.

As a system administrator, you may want to know who is on the system at any give point in time. You may also want to know what they are doing. In this article let us review 4 different methods to identify who is on your Linux system.

1. Get the running processes of logged-in user using w

w command is used to show logged-in user names and what they are doing. The information will be read from /var/run/utmp file. The output of the w command contains the following columns:

• Name of the user
• User’s machine number or tty number
• Remote machine address
• User’s Login time
• Idle time (not usable time)
• Time used by all processes attached to the tty (JCPU time)
• Time used by the current process (PCPU time)
• Command currently getting executed by the users

Following options can be used for the w command:

• -h Ignore the header information
• -u Display the load average (uptime output)
• -s Remove the JCPU, PCPU, and login time.

2. Get the user name and process of logged in user using who and users command

who command is used to get the list of the usernames who are currently logged in. Output of the who command contains the following columns: user name, tty number, date and time, machine address.

To get a list of all usernames that are currently logged in, use the following:

Users Command

users command is used to print the user name who are all currently logged in the current host. It is one of the command don’t have any option other than help and version. If the user using, ‘n’ number of terminals, the user name will shown in ‘n’ number of time in the output.

3. Get the username you are currently logged in using whoami

whoami command is used to print the loggedin user name.

whoami command gives the same output as id -un as shown below:

who am i command will display the logged-in user name and current tty details. The output of this command contains the following columns: logged-in user name, tty name, current time with date and ip-address from where this users initiated the connection.

Also, if you do su to some other user, this command will give the information about the logged in user name details.

4. Get the user login history at any time

last command will give login history for a specific username. If we don’t give any argument for this command, it will list login history for all users. By default this information will read from /var/log/wtmp file. The output of this command contains the following columns:

• User name
• Tty device number
• Login date and time
• Logout time
• Total working time

This article is written by Hari Haran. He is working in bk Systems (p) Ltd, and interested in contributing to the open source. The Geek Stuff welcomes your tips and guest articles.

Источник

How to Check Linux Login History

If you have a Linux server, there is a possibility that you have several users accessing the system. You may want to know who is logged on your system, when a particular user logged to the Linux system. You may also want to know from which IP address your system was accessed.

Even if you don’t have multiple users, someone probably have tried to access your Linux server. Trust me, this may sound weird but it’s a common thing these days for bots to try and access your Linux servers. Don’t believe me? Just check the bad login attempts on your server to see if someone tried to login to your system.

Let me show you how to view the Linux login history so that you are aware of who is accessing your system and from where.

Viewing Linux login history

Linux is very good at keeping logs of everything that goes on your system. Quite naturally, it also stores logs about login and login attempts. The login information is stored in three places:

• /var/log/wtmp – Logs of last login sessions
• /var/run/utmp – Logs of the current login sessions
• /var/log/btmp – Logs of the bad login attempts

Let’s see these things in a bit detail.

1. View history of all logged users

To view the history of all the successful login on your system, simply use the command last.

The output should look like this. As you can see, it lists the user, the IP address from where the user accessed the system, date and time frame of the login. pts/0 means the server was accessed via SSH.

The last line of the output tells you the when was the wtmp log file was created. This is important because if the wtmp file was deleted recently, last command won’t be able to show history of the logins prior to that date.

You may have a huge history of login sessions so it’s better to pipe the output through less command.

2. View login history of a certain user

If you just want to see the login history of a particular user, you can specify the user name with last command.

You’ll see the login information of only the selected user:

3. Display IP addresses in login history instead of hostname

You couldn’t see it in the previous output but by default, last command shows the hostname instead of the IP address of the user. If you are on a sub-network, you’ll probably see only the hostnames.

You can force to display the IP addresses of the previously logged users with the -i option.

4. Display only last N logins

If your system has a good uptime, perhaps your login history would be huge. As I mentioned earlier, you can use the less command or other file viewing commands like head or tail.

Last command gives you the option to display only certain number of login history.

Just replace N with the number you want. You can also combine it with the username.

5. View all the bad login attempts on your Linux server

Now comes the important part: checking the bad login attempts on your server.

You can do that in two ways. You can either use the last command with the btmp log file:

or you can use the lastb command:

Both of these commands will yield the same result. The lastb is actually a link to the last command with the specified file.

Bad logins could be an incorrect password entered by a legitimate user. It could also be a bot trying to brute force your password.

You have to analyze here and see if you recognize the IPs in the log. If there has been too many login attempts from a certain IP with user root, probably someone is trying to attack your system by bruteforcing.

You should deploy Fail2Ban to protect your server in such cases. Fail2Ban will ban such IPs from your server and thus giving your server an extra layer of protection.

Conclusion

I hope this tutorial teach you to view login history in Linux and now you can use this knowledge to better manage and protect your Linux system.

If you liked this article, please share it on social media and subscribe to our newsletter for more Linux related tutorials.

Источник