
Monitoring Active Users and Logins: Commands `who`, `w`, `last`

Docker SELF
Level 5, Lesson 4


1. Why is it important to monitor users?

Linux, like any other server OS (even that humble box that just hosts a few websites), lets multiple users work on it at the same time. But what if your server gets breached? Or some sneaky coworker decides to "accidentally" delete important files in the middle of the night? Monitoring user activity helps you figure out who logged into the system, when, and from where, as well as which processes they were running. Think of it as a security camera for your server.

Main Monitoring Tools

To check out user activity on a server, Linux offers three key commands:

  • who — shows the current users working in the system.
  • w — gives a bit more info: what users are doing and the system load.
  • last — provides the history of logins to the system.

Each of these commands has its quirks and is useful in different scenarios. Let’s go through some examples.


2. Command who

The who command shows a list of users that are currently logged into the system. It's like a "sign-in book" where you can take a quick look to see who's hanging out on the server right now.

who

Example of the command output:

user1    pts/0        2023-10-20 09:10 (192.168.1.100)
root     pts/1        2023-10-20 09:15 (192.168.1.101)

What we see here:

  • The username user1, root.
  • The terminal they are connected through pts/0, pts/1.
  • The login time 2023-10-20 09:10.
  • Where the connection is from 192.168.1.100.

Options for who:

  • who -a: Also shows system info like boot time, active processes, and users.
  • who am i: Displays info only about the user who ran the command.

3. Command w

If who only tells you who is logged in, w goes one step further: it also shows what each user is doing right now. This is handy for deciding whether they're doing something useful or something that needs to stop right away.

w

Example output:

10:20:42 up 1 day,  5:12,  2 users,  load average: 0.00, 0.01, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
user1    pts/0    192.168.1.100    09:10    1:00   0.01s  0.01s nano app.py
root     pts/1    192.168.1.101    09:15    2:00   0.02s  0.02s htop

What's going on here:

  • The top line gives system info: current time, server uptime, number of logged-in users, and the system load average.
  • The table shows:
    • Usernames: user1, root.
    • The terminal (TTY) the user is connected through: pts/0, pts/1.
    • The host (FROM) the user connected from: 192.168.1.100.
    • Login time (LOGIN@): 09:10.
    • Idle time (IDLE): how long since the user last did anything.
    • What the user is doing right now (WHAT), for example editing the file app.py with nano.

Options for w:

  • w -h: Removes the table headers.
  • w username: Displays info only about a specific user.

4. Command last

If who and w talk about the present, then last lets you look into the past. It shows the history of all logins to the system. This command reads the file /var/log/wtmp, where all user logins are recorded.

last

Example output:

user1    pts/0        192.168.1.100    Fri Oct 20 09:10 - 09:30  (00:20)
root     pts/1        192.168.1.101    Fri Oct 20 09:15 - down   (00:15)

What we can see here:

  • Username user1, root.
  • Terminal pts/0, pts/1.
  • IP address or hostname 192.168.1.100, 192.168.1.101.
  • Login time Fri Oct 20 09:10.
  • Logout time 09:30 and total session time 00:20.

Options for last:

  • last -n 10: Shows only the last 10 entries.
  • last username: Login history for a specific user.
  • last reboot: Shows when the server was rebooted.

5. Practical Example: Analyzing User Activity

Let's say you want to figure out who was working on the server at night to understand if anything suspicious happened. We'll start by checking the current users:

who

Now let's see what they're up to:

w

If you spot something strange (like an unknown process), you'll need to check who logged in during the night. For that, we'll use:

last

Check the records for a specific user who caught your attention:

last user1

If you notice any anomalies, like a login from an unfamiliar IP, you need to take action: restrict access, enable two-factor authentication, or block the user.
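The night-time check described in this section, automated as an added example (this script is not part of the CodeGym lesson). It reads last-style output, flags logins that started outside an assumed business window of 08:00-19:59 or came from a host missing from a constructed allow-list, and runs on a constructed sample so it works offline; swap the sample for a real `last` pipe in production.

```shell
#!/bin/sh
# Added example, not from the lesson. Assumes the `last` layout shown above:
# user tty host "Day Mon DD HH:MM - end (duration)". Local console logins,
# which print no host column, would shift the fields and need extra handling.

# Constructed sample of `last` output (same layout as the lesson's examples).
SAMPLE_LAST='user1    pts/0        192.168.1.100    Fri Oct 20 09:10 - 09:30  (00:20)
root     pts/1        192.168.1.101    Fri Oct 20 09:15 - down   (00:15)
user1    pts/2        203.0.113.7      Fri Oct 20 02:43 - 03:10  (00:27)
deploy   pts/0        192.168.1.100    Thu Oct 19 23:58 - 00:12  (00:14)'

# Constructed allow-list of hosts we expect admins to connect from.
KNOWN_HOSTS='192.168.1.100 192.168.1.101'

# flag_logins: read `last`-style lines on stdin; print "user host date time reason"
# for every login outside 08:00-19:59 or from a host not in KNOWN_HOSTS.
# Skips `reboot` entries and the "wtmp begins ..." trailer that `last` prints.
flag_logins() {
    awk -v known="$KNOWN_HOSTS" '
    BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
    NF >= 7 && $1 != "reboot" && $1 != "wtmp" {
        user = $1; host = $3; hour = substr($7, 1, 2) + 0
        reason = ""
        if (hour < 8 || hour >= 20) reason = "off-hours"
        if (!(host in ok)) reason = (reason == "" ? "" : reason ",") "unknown-host"
        if (reason != "") printf "%s %s %s %s %s\n", user, host, $4 " " $5 " " $6, $7, reason
    }'
}

# count_flagged: number of suspicious logins in the sample.
count_flagged() {
    printf '%s\n' "$SAMPLE_LAST" | flag_logins | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LAST" | flag_logins
```

On a live server replace the sample with `last | flag_logins`; the two daytime logins from known hosts produce no output, while the 02:43 login from 203.0.113.7 and the 23:58 deploy login are reported.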


6. Features and typical mistakes

When working with monitoring commands, keep in mind that:

  1. The log file can be cleared. If someone maliciously deletes records from /var/log/wtmp, the last command has nothing left to show for those sessions. This is one reason it's crucial to back up logs regularly or ship them to a remote server.

  2. Making the output easier to read. Sometimes the command output is overwhelming (e.g., when there are a lot of users). Use filters like grep to pull out just the information you need:

    last | grep user1

  3. Dependency on system settings. Some systems don't record login events at all if that logging has been disabled in the configuration. Make sure /var/log/wtmp is actually being updated.

How do these skills apply in practice?

  • Server administration. For example, you're a company admin, and you need to keep an eye on system security to ensure no one accidentally or intentionally "breaks everything."
  • Threat detection. Monitoring tools will help you spot unauthorized access attempts.
  • System audit. When checking servers for compliance with security standards, these commands are often used to analyze user activity.
  • Diagnostics. Noticing the server is running slow? Check out who's doing what on there!

Now you're ready to monitor your system like a boss! Just remember, system security starts with understanding what's going on under the hood.
