In the realm of Linux Digital Forensics and Incident Response (DFIR), analyzing user login activities is paramount. This process helps detect suspicious behavior, unauthorized access, and security incidents. By examining login patterns, we can uncover potential intrusions, policy violations, and other malicious activities.
Bash user logins are a critical aspect of maintaining the security and integrity of a Linux system. Bash (Bourne Again Shell) is the default command-line interpreter for most Linux distributions, serving as the primary interface for users and administrators to interact with the system. Understanding and investigating these logins is vital for identifying anomalies and potential security breaches.
This analysis will be presented in a three-part series, progressively building your understanding. The initial installment will focus on user bash login activity. The second part will provide a practical demonstration of log analysis within a Linux environment. Finally, the third part will address service user ID security considerations.
Here's a breakdown of how to understand and investigate user logins in Linux:
1. Key Log Files for User Login Analysis
Linux systems maintain logs that record user login activities. The primary log files to examine are:
- /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL/CentOS):
- Contains authentication-related logs, including successful and failed login attempts.
- Example entries:
Jan 1 12:00:00 hostname sshd[1234]: Accepted password for user1 from 192.168.1.1 port 22 ssh2
Jan 1 12:01:00 hostname sshd[1235]: Failed password for user2 from 192.168.1.2 port 22 ssh2
- /var/log/wtmp:
- Binary file that records all user logins and logouts.
- Use the last command to view its contents:
last
Output:
user1 pts/0 192.168.1.1 Mon Jan 1 12:00 - 12:30 (00:30)
user2 pts/1 192.168.1.2 Mon Jan 1 12:01 - 12:02 (00:01)
- /var/log/btmp:
- Records failed login attempts.
- Use the lastb command to view its contents:
lastb
Output:
user2 ssh:notty 192.168.1.2 Mon Jan 1 12:01 - 12:01 (00:00)
- /var/log/lastlog:
- Stores the last login time for each user.
- Use the lastlog command to view:
lastlog
Output:
Username Port From Latest
user1 pts/0 192.168.1.1 Mon Jan 1 12:00:00 +0000 2023
user2 pts/1 192.168.1.2 Mon Jan 1 12:01:00 +0000 2023
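Because wtmp, btmp and lastlog are binary files, `last` and `lastb` are doing real parsing work behind the scenes. The following added example (not from the original article) shows what that work looks like: it decodes raw utmp records and pairs login/logout entries into sessions the way `last` does. It assumes the glibc x86-64 `struct utmp` layout (384 bytes per record); the sample records are constructed in the script itself so it runs without access to a real /var/log/wtmp.

```python
import struct
import time

# Layout of glibc's struct utmp on x86-64 (384 bytes per record).
# Assumption: the file being parsed uses this layout; other architectures
# or C libraries may differ, so check UTMP_SIZE against the real file size.
UTMP_FMT = "<hxxi32s4s32s256shhiii4I20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

USER_PROCESS = 7   # a user session started
DEAD_PROCESS = 8   # that session ended
UT_TYPE_NAMES = {1: "RUN_LVL", 2: "BOOT_TIME", 5: "INIT_PROCESS",
                 6: "LOGIN_PROCESS", 7: "USER_PROCESS", 8: "DEAD_PROCESS"}


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded C char array."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp_file(data: bytes) -> list:
    """Split raw wtmp/btmp bytes into record dicts; a trailing partial record is ignored."""
    records = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        (ut_type, pid, line, ut_id, user, host, _term, _exit, _session,
         tv_sec, _tv_usec, a0, _a1, _a2, _a3) = struct.unpack_from(UTMP_FMT, data, off)
        records.append({
            "type": UT_TYPE_NAMES.get(ut_type, str(ut_type)),
            "pid": pid,
            "line": _cstr(line),
            "user": _cstr(user),
            "host": _cstr(host),
            # ut_addr_v6[0] holds an IPv4 address in network byte order
            "ip": ".".join(str(b) for b in a0.to_bytes(4, "little")),
            "time": tv_sec,
        })
    return records


def login_sessions(records: list) -> list:
    """Pair each USER_PROCESS entry with the next DEAD_PROCESS on the same tty,
    as `last` does. Returns (user, line, ip, start, end, seconds) tuples;
    sessions with no logout record get end=None ("still logged in")."""
    open_sessions = {}
    sessions = []
    for rec in records:
        if rec["type"] == "USER_PROCESS":
            open_sessions[rec["line"]] = rec
        elif rec["type"] == "DEAD_PROCESS" and rec["line"] in open_sessions:
            start = open_sessions.pop(rec["line"])
            sessions.append((start["user"], start["line"], start["ip"],
                             start["time"], rec["time"], rec["time"] - start["time"]))
    for start in open_sessions.values():
        sessions.append((start["user"], start["line"], start["ip"],
                         start["time"], None, None))
    return sessions


def make_record(ut_type, pid, line, user, host, ip, tv_sec) -> bytes:
    """Build one constructed utmp record (sample data only, not read from disk)."""
    addr = int.from_bytes(bytes(int(o) for o in ip.split(".")), "little")
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), line[-4:].encode(),
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0,
                       addr, 0, 0, 0)


# Constructed sample mirroring the `last` output above: 2023-01-01 12:00:00 UTC.
T0 = 1672574400
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, 1234, "pts/0", "user1", "192.168.1.1", "192.168.1.1", T0),
    make_record(USER_PROCESS, 1235, "pts/1", "user2", "192.168.1.2", "192.168.1.2", T0 + 60),
    make_record(DEAD_PROCESS, 1235, "pts/1", "", "", "0.0.0.0", T0 + 120),
    make_record(DEAD_PROCESS, 1234, "pts/0", "", "", "0.0.0.0", T0 + 1800),
])

if __name__ == "__main__":
    # Real use: data = open("/var/log/wtmp", "rb").read()
    for user, line, ip, start, end, secs in login_sessions(parse_utmp_file(SAMPLE_WTMP)):
        started = time.strftime("%a %b %d %H:%M", time.gmtime(start))
        ended = "still logged in" if end is None else time.strftime("%H:%M", time.gmtime(end))
        print(f"{user:<8} {line:<6} {ip:<15} {started} - {ended}")
```

Parsing the file yourself rather than trusting `last` matters in DFIR because an intruder with root can delete or zero out individual records; comparing the record count and timestamps against auth.log quickly shows such gaps.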
2. Commands to Investigate User Logins
Here are some useful commands to analyze user login activities:
- last:
- Displays a list of recent logins and logouts.
- Example: last -n 10 # Show the last 10 login records
- lastb:
- Displays failed login attempts.
- Example: lastb -n 5 # Show the last 5 failed login attempts
- lastlog:
- Shows the last login time for all users.
- Example: lastlog -u user1 # Check last login for a specific user
- who:
- Displays currently logged-in users.
- Example: who
- w:
- Shows who is logged in and what they are doing.
- Example: w
- grep for specific users or IPs:
- Search for specific login activities in log files.
- Example:
grep "user1" /var/log/auth.log
grep "192.168.1.1" /var/log/secure
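Grepping for a user or IP is the first step; the next is to turn the matching lines into structured events so that patterns such as "several failures followed by a success from the same address" stand out. The example below is added here and is not part of the original article: it parses the sshd "Accepted"/"Failed" lines shown in section 1, offers a grep-like filter by user or IP, counts failures per source address, and flags successful logins preceded by a threshold of failures. The log lines it runs on are constructed in the script.

```python
import re
from collections import Counter, defaultdict

# Matches the OpenSSH authentication lines shown in section 1.
# Assumption: classic syslog prefix ("Jan  1 12:00:00 hostname sshd[pid]: ...").
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

# Constructed sample: a normal login, then three failures from 192.168.1.2
# (one against a non-existent account) followed by a success from the same IP.
SAMPLE_AUTH_LOG = """\
Jan 1 12:00:00 hostname sshd[1234]: Accepted password for user1 from 192.168.1.1 port 22 ssh2
Jan 1 12:00:30 hostname sshd[1235]: Failed password for user2 from 192.168.1.2 port 51000 ssh2
Jan 1 12:00:40 hostname sshd[1236]: Failed password for invalid user admin from 192.168.1.2 port 51002 ssh2
Jan 1 12:00:50 hostname sshd[1237]: Failed password for user2 from 192.168.1.2 port 51004 ssh2
Jan 1 12:01:00 hostname sshd[1238]: Accepted password for user2 from 192.168.1.2 port 51006 ssh2
Jan 1 12:02:00 hostname CRON[1240]: pam_unix(cron:session): session opened for user root by (uid=0)
"""


def parse_auth_log(text: str) -> list:
    """Return one dict per sshd Accepted/Failed line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["invalid_user"] = ev.pop("invalid") is not None
        ev["pid"] = int(ev["pid"])
        ev["port"] = int(ev["port"])
        events.append(ev)
    return events


def filter_events(events: list, user: str = None, ip: str = None) -> list:
    """Structured equivalent of grep "user1" / grep "192.168.1.1"."""
    return [e for e in events
            if (user is None or e["user"] == user)
            and (ip is None or e["ip"] == ip)]


def failed_attempts_by_ip(events: list) -> Counter:
    """How many failed authentications each source address produced."""
    return Counter(e["ip"] for e in events if e["result"] == "Failed")


def success_after_failures(events: list, threshold: int = 3) -> list:
    """Flag (ip, user, prior_failures) where a login from an IP succeeded
    after at least `threshold` failures from that same IP earlier in the log.
    Events must be in chronological order, as they are in the file."""
    failures = defaultdict(int)
    findings = []
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]] += 1
        elif failures[e["ip"]] >= threshold:
            findings.append((e["ip"], e["user"], failures[e["ip"]]))
    return findings


if __name__ == "__main__":
    # Real use: events = parse_auth_log(open("/var/log/auth.log").read())
    events = parse_auth_log(SAMPLE_AUTH_LOG)
    print("failures per IP:", dict(failed_attempts_by_ip(events)))
    for ip, user, n in success_after_failures(events):
        print(f"REVIEW: {ip} logged in as {user} after {n} failed attempts")
```

Attempts against accounts that do not exist ("invalid user") are kept with an `invalid_user` flag because a mix of valid and invalid usernames from one address is itself a useful indicator when you reach the suspicious-activity checklist in section 3.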
3. Analyzing Suspicious Login Activity
During DFIR, you may look for the following indicators of suspicious activity:
4. Example Workflow for User Login DFIR (Second Part)