How to Monitor User Login History in Debian 12 Bookworm

In this article, we will explore different ways to monitor login activities, including system logs, built-in Linux commands, and third-party monitoring tools.
by İbrahim Korucuoğlu ( @siberoloji) |
Tags:
Categories:

  4 minute read  

Monitoring user login history is crucial for system administration, security auditing, and compliance purposes. If you are running a Debian 12 Bookworm system, you have various tools and methods available to track user logins. In this article, we will explore different ways to monitor login activities, including system logs, built-in Linux commands, and third-party monitoring tools.

1. Understanding Linux Login Records

Linux maintains logs for user authentication, including successful and failed login attempts. The most common log files used for tracking login activity are:

  • /var/log/auth.log: Stores authentication-related messages, including SSH logins and sudo access attempts.
  • /var/log/wtmp: Keeps a record of all login and logout events.
  • /var/log/btmp: Logs failed login attempts.
  • /var/log/lastlog: Records the last login time of each user.

These logs provide insights into who accessed your system and when.

2. Checking Recent Login Sessions

The last command reads from /var/log/wtmp and provides details on past login sessions.

last

Output Explanation

username   pts/0   192.168.1.100   Wed Mar 27 10:15 - 10:50  (00:35)
username   tty1    :0              Wed Mar 27 09:00 - 09:45  (00:45)
  • username: The logged-in user.
  • pts/0 or tty1: Terminal used for login (pts for remote, tty for local login).
  • IP Address: The remote host IP if logged in via SSH.
  • Date and Time: When the login session started and ended.
  • Duration: How long the user was logged in.

To check login history of a specific user:

last username

3. Checking Failed Login Attempts

The btmp log file records failed login attempts, which can be viewed using the lastb command:

sudo lastb

If you see multiple failed attempts from an unfamiliar IP, your system may be under a brute-force attack. Consider implementing fail2ban or firewall rules to enhance security.

4. Viewing the Last Login of a User

The lastlog command displays the last login time for all users:

lastlog

To check a specific user’s last login:

lastlog -u username

5. Checking Real-time User Sessions

To see who is currently logged into the system, use:

who

or

w

The w command provides additional details such as user activity and system load.

6. Tracking Logins with journalctl

Debian 12 uses systemd, and login attempts are logged in the journal logs. Use the following command to fetch authentication logs:

sudo journalctl -u ssh.service

To filter logs for a specific user:

sudo journalctl | grep 'username'

For failed authentication attempts:

sudo journalctl -xe | grep 'Failed password'

7. Monitoring Logins in Real-Time

To continuously monitor logins in real time, use:

tail -f /var/log/auth.log

or

journalctl -f

8. Automating User Login Monitoring

You can automate login monitoring by setting up alerts using logwatch or auditd.

Using logwatch

Logwatch summarizes login activities and can send daily reports. Install it using:

sudo apt install logwatch -y

Generate a summary report:

sudo logwatch --detail high --service sshd --range today

To receive daily reports via email, configure /etc/logwatch/conf/logwatch.conf.

Using auditd

Auditd provides detailed auditing. Install it using:

sudo apt install auditd audispd-plugins -y

Enable and start the service:

sudo systemctl enable auditd --now

To monitor user logins:

auditctl -w /var/log/wtmp -p wa -k logins

Check logs using:

aureport --login -i

9. Securing Your System Against Unauthorized Logins

  • Disable root login via SSH:

    Edit /etc/ssh/sshd_config and set:

    PermitRootLogin no

    Restart SSH service:

    sudo systemctl restart ssh

  • Use fail2ban:

    sudo apt install fail2ban -y

    Enable and start fail2ban:

    sudo systemctl enable fail2ban --now

  • Implement Multi-Factor Authentication (MFA):

    Install Google Authenticator:

    sudo apt install libpam-google-authenticator -y

    Run the setup:

    google-authenticator

Conclusion

Monitoring user login history in Debian 12 Bookworm is essential for security and auditing. By utilizing built-in commands, system logs, journalctl, and automation tools like logwatch and auditd, you can effectively track user activity and enhance system security. Additionally, implementing security measures such as SSH hardening and fail2ban helps protect against unauthorized access.

Regularly reviewing login logs ensures better system management and protection against potential threats. Stay proactive in monitoring user activity to maintain a secure and stable Debian environment.


< How to Set Up Password Expiration and Policies in Debian 12 BookwormHow to Manage the sudoers File Safely Using visudo in Debian 12 Bookworm >