
Purpose

lastb lists the failed login attempts recorded in /var/log/btmp and is typically used to spot unauthorized access attempts, such as password guessing against SSH or console logins with bad credentials. /var/log/btmp is normally readable only by root (or by the utmp group on distributions that use one), so run lastb with sufficient privileges; otherwise it cannot open the file.

Common usage examples

  1. Show all failed login records

    lastb
    username tty1 192.168.1.5 Mon Oct 10 12:34 - 12:34 (00:00)
    root ssh:notty 203.0.113.22 Tue Oct 11 09:15 - 09:15 (00:00)

    Prints every failed attempt, newest first: the account name as typed, the terminal (ssh:notty for SSH attempts that never got a tty), the source host or IP, the time and the duration. The listing ends with a "btmp begins <date>" line that tells you how far back the current file reaches.

  2. Limit the number of records

    lastb -n 5
    user1 ssh:notty 10.0.0.3 Wed Oct 12 14:20 - 14:20 (00:00)
    ...(only the last 5 records are shown)

    -n 5 shows only the 5 most recent failed attempts.

  3. Show raw IP addresses (no hostname lookup)

    lastb -i
    user2 tty2 10.0.0.7 Wed Oct 12 15:30 - 15:30 (00:00)

    Prints the stored IP address in dotted notation instead of the hostname field, with no name resolution. This is the form to use when feeding lastb output to scripts or blocklists, since a numeric address is stable and cannot be changed by the remote side.

  4. Put the host/IP in the last column

    lastb -a
    user3 ssh:notty Wed Oct 12 16:40 - 16:40 (00:00) 10.0.0.9

    -a moves the hostname or IP to the last column, so long hostnames no longer misalign the time columns and the source is always the final field ($NF) for awk or cut.

  5. Force hostname resolution

    lastb -d
    user4 ssh:notty attacker.com Wed Oct 12 17:50 - 17:50 (00:00)

    -d reverse-resolves each stored IP to a hostname. Expect one DNS query per entry, which is slow on a large btmp, and remember that the name is supplied by whoever operates the reverse zone for that address, so treat it as a hint rather than an identifier.

  6. Read from a specific file

    lastb -f /var/log/btmp.1
    user5 tty3 192.168.1.10 Thu Oct 13 08:00 - 08:00 (00:00)

    -f reads another file instead of the default /var/log/btmp. logrotate usually rotates btmp, so attempts older than the current file live in archives such as /var/log/btmp.1 (or /var/log/btmp-YYYYMMDD, depending on the rotation configuration); query those too when reconstructing a timeline.

  7. Hide the hostname field

    lastb -R
    user6 ssh:notty Thu Oct 13 09:10 - 09:10 (00:00)

    -R omits the hostname/IP column, leaving the account name, terminal and time.

  8. Filter a specific user with a pipe

    lastb | grep "root"
    root ssh:notty 203.0.113.22 Tue Oct 11 09:15 - 09:15 (00:00)

    Pipes the output through grep to keep only lines mentioning root. Note that grep matches anywhere on the line, including hostnames and other account names such as rootadmin; lastb also accepts account names as arguments (lastb root), which matches the account field exactly.
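The examples above show the individual options; in practice they are combined and the output is post-processed. The following POSIX shell script is an added example (not from the original page) that turns `lastb -w -i -a` output into a triage summary: attempts per source address, attempts per account, sources over a brute-force threshold, and "usernames" that look like a mistyped password. The sample output is constructed for the example and stands in for a real /var/log/btmp; the helper `lastb_all`, which walks rotated archives, is this example's own and assumes the usual /var/log/btmp.1 or /var/log/btmp-DATE naming.

```shell
#!/bin/sh
# Added example (not from the original page): triage failed logins from lastb.
# Assumes the column layout of `lastb -w -i -a`: full account names, numeric
# source addresses, and the host moved to the LAST column, so that $1 is the
# account name and $NF the source IP on every record line.

# Constructed sample standing in for real `lastb -w -i -a` output. The blank
# line and the "btmp begins" footer are part of lastb's normal output and have
# to be skipped by anything that parses it.
SAMPLE_LASTB='root         ssh:notty    Tue Oct 11 09:15 - 09:15  (00:00)     203.0.113.22
admin        ssh:notty    Tue Oct 11 09:15 - 09:15  (00:00)     203.0.113.22
root         ssh:notty    Tue Oct 11 09:16 - 09:16  (00:00)     203.0.113.22
user1        ssh:notty    Wed Oct 12 14:20 - 14:20  (00:00)     10.0.0.3
P@ssw0rd!    ssh:notty    Wed Oct 12 14:21 - 14:21  (00:00)     198.51.100.7
root         ssh:notty    Wed Oct 12 14:22 - 14:22  (00:00)     198.51.100.7

btmp begins Mon Oct 10 12:34:00 2022'

# Keep only record lines: drop blank lines and the footer.
records() {
    awk 'NF > 0 && !/^btmp begins/'
}

# Attempts per source address, busiest first (ties broken by address).
# Console attempts carry no host, so their last field is the duration and
# they are skipped by the address pattern.
top_sources() {
    records | awk '$NF ~ /^[0-9a-fA-F.:]+$/ { n[$NF]++ }
                   END { for (ip in n) print n[ip], ip }' \
        | sort -k1,1nr -k2,2
}

# Attempts per account name, most targeted first.
top_accounts() {
    records | awk '{ n[$1]++ } END { for (u in n) print n[u], u }' \
        | sort -k1,1nr -k2,2
}

# Heuristic: btmp stores whatever was typed at the login prompt, so a password
# entered into the username field ends up here in clear text. Anything that
# does not look like a POSIX account name deserves a look (and, if it is a
# password, a rotation). Mixed-case names would also be flagged; widen the
# pattern if local naming allows them.
suspect_names() {
    records | awk '$1 !~ /^[a-z_][a-z0-9_.-]*$/ { print $1 }' | sort -u
}

# Addresses at or above a threshold (default 3 attempts): brute-force
# candidates for a blocklist or for correlation with the auth log.
brute_force_sources() {
    limit="${1:-3}"
    top_sources | awk -v lim="$limit" '$1 >= lim { print $2 }'
}

# Run lastb over the live file and rotated archives so attempts made just
# before a rotation are not missed. Requires root; compressed archives would
# have to be decompressed first. (Assumed archive names; adjust to local
# logrotate configuration.)
lastb_all() {
    for f in /var/log/btmp /var/log/btmp.[0-9]* /var/log/btmp-*; do
        [ -r "$f" ] && lastb -w -i -a -f "$f"
    done
}

# Stand-alone run on the constructed sample. On a real host replace the
# printf with:  lastb_all | top_sources
printf '%s\n' "$SAMPLE_LASTB" | top_sources
printf '%s\n' "$SAMPLE_LASTB" | top_accounts
printf '%s\n' "$SAMPLE_LASTB" | suspect_names
printf '%s\n' "$SAMPLE_LASTB" | brute_force_sources 2
```

`-w` matters for parsing: without it, lastb truncates long account names to the column width, so counts per account would merge distinct names. The brute-force threshold is deliberately a parameter; on an internet-facing SSH host a handful of attempts per source is background noise and the useful signal is the tail of the `top_sources` distribution, not any single line.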

Common options

The long forms below are the util-linux spellings; the original documentation further down lists only the short forms.

  • -n NUM, --limit NUM
    Show at most NUM records, e.g. -n 10 for the 10 most recent.

  • -i, --ip
    Display the stored IP address in dotted notation instead of the hostname, with no name resolution.

  • -a, --hostlast
    Print the hostname or IP address in the last column, which keeps the time columns aligned and makes the source the final field for scripts.

  • -d, --dns
    Reverse-resolve each IP address to a hostname. One DNS query per entry, so slow on large files, and the result is only as trustworthy as the reverse zone.

  • -f FILE, --file FILE
    Read records from FILE (for example a rotated /var/log/btmp.1) instead of /var/log/btmp.

  • -R, --nohostname
    Omit the hostname/IP column.

  • -F, --fulltimes
    Print full login and logout dates and times, including the year, instead of the abbreviated default.

  • -w, --fullnames
    Print full user and domain names instead of truncating them to fit the column; use this whenever the output is parsed, since long account names are otherwise cut short.

  • -t TIME, --until TIME
    Show the state of logins as of TIME, given as YYYYMMDDHHMMSS (the lastb synopsis in the original documentation below omits this option; util-linux accepts it for lastb as well).

  • --time-format FORMAT
    Choose the timestamp style: notime, short (the default), full or iso. iso gives sortable, timezone-qualified timestamps for scripting.

Original documentation

Name

last, lastb - show listing of last logged in users
Synopsis

last [-R] [-num] [ -n num ] [-adFiowx] [ -f file ] [ -t YYYYMMDDHHMMSS ] [name...] [tty...]
lastb [-R] [-num] [ -n num ] [ -f file ] [-adFiowx] [name...] [tty...]
Description

Last searches back through the file /var/log/wtmp (or the file designated by the -f flag) and displays a list of all users logged in (and out) since that file was created. Names of users and tty's can be given, in which case last will show only those entries matching the arguments. Names of ttys can be abbreviated, thus last 0 is the same as last tty0.

When last catches a SIGINT signal (generated by the interrupt key, usually control-C) or a SIGQUIT signal (generated by the quit key, usually control-\), last will show how far it has searched through the file; in the case of the SIGINT signal last will then terminate.

The pseudo user reboot logs in each time the system is rebooted. Thus last reboot will show a log of all reboots since the log file was created.

Lastb is the same as last, except that by default it shows a log of the file /var/log/btmp, which contains all the bad login attempts.
Options

-f file

Tells last to use a specific file instead of /var/log/wtmp.

-num

This is a count telling last how many lines to show.

-n num

The same.

-t YYYYMMDDHHMMSS

Display the state of logins as of the specified time. This is useful, e.g., to determine easily who was logged in at a particular time -- specify that time with -t and look for "still logged in".
-R

Suppresses the display of the hostname field.

-a

Display the hostname in the last column. Useful in combination with the next flag.

-d

For non-local logins, Linux stores not only the host name of the remote host but its IP number as well. This option translates the IP number back into a hostname.

-F

Print full login and logout times and dates.

-i

This option is like -d in that it displays the IP number of the remote host, but it displays the IP number in numbers-and-dots notation.

-o

Read an old-type wtmp file (written by linux-libc5 applications).

-w

Display full user and domain names in the output.

-x

Display the system shutdown entries and run level changes.

Notes

The files wtmp and btmp might not be found. The system only logs information in these files if they are present. This is a local configuration issue. If you want the files to be used, they can be created with a simple touch(1) command (for example, touch /var/log/wtmp).
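Two consequences of the note above are worth checking for rather than assuming: if btmp is missing, failed logins are silently not recorded at all, and because btmp holds whatever was typed at the login prompt (including passwords typed into the username field), it must not be world-readable. The following POSIX shell functions are an added example (not from the original page or from any distribution's tooling) that report the state of a btmp file and create it privately when it is missing. The path is a parameter so the check runs against a temporary file here; /var/log/btmp is the real target.

```shell
#!/bin/sh
# Added example (not from the original page): verify that failed-login
# recording is in place. A missing btmp means login programs record nothing;
# a world-readable one leaks whatever users typed at the login prompt.

# Print one of: missing, not-a-file, world-readable, ok.
# Exit status 0 only for "ok", so it can be used directly in a condition.
btmp_status() {
    f="$1"
    if [ ! -e "$f" ]; then
        echo missing; return 1
    fi
    if [ ! -f "$f" ]; then
        echo not-a-file; return 1
    fi
    # Permission bits for "other" are characters 8-10 of `ls -ld` output
    # (e.g. -rw-rw---- gives "---"); works with both GNU and BSD ls.
    other="$(ls -ld "$f" | cut -c8-10)"
    if [ "$other" != "---" ]; then
        echo world-readable; return 1
    fi
    echo ok
}

# Create the file if it is missing and strip "other" permissions either way.
# The umask is applied in a subshell before the file exists, so there is no
# window in which a freshly created btmp is readable by everyone.
# Distributions that use a utmp group keep the file as root:utmp mode 0660;
# add a chgrp/chmod g+rw here if that is the local convention (assumption:
# plain root-only 0600 is used in this example).
ensure_btmp() {
    f="$1"
    if [ ! -e "$f" ]; then
        (umask 077 && : > "$f")
    fi
    chmod o-rwx "$f"
    btmp_status "$f"
}

# Stand-alone run against a temporary file. On a real host:
#   ensure_btmp /var/log/btmp
t="$(mktemp)"
chmod 644 "$t"
btmp_status "$t" || true
ensure_btmp "$t"
rm -f "$t"
```

Run `btmp_status /var/log/btmp` from a periodic compliance or monitoring job; a result other than "ok" means either a detection gap (no record of failed logins) or a credential-leak risk, both of which are cheap to fix with `ensure_btmp`.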
Files

/var/log/wtmp
/var/log/btmp