Logging In


This is…. odd.

We’re seeing a *lot* of sshd[8400]: Timeout, client not responding. So I’m trying to find out whose client is having issues. Trying to figure that, after processes are gone, I tried looking in lastlog, which is where it gets odd. lastlog shows root coming in, and it shows a security account coming in… years ago.

I see one of our users logging in a goodly number of times… but lastlog doesn’t show him. I just logged in as myself, no password, using keys… and lastlog doesn’t show me, or my manager, or anyone else.

Does anyone have any idea why lastlog’s not recording *all* logins?

mark

6 thoughts on - Logging In

  • Also check that /var/log/wtmp is set up correctly

    [smooge@smoogen-laptop ~]$ ls -lZ /var/log/wtmp
    -rw-rw-r--. root utmp system_u:object_r:wtmp_t:s0 /var/log/wtmp
    [smooge@smoogen-laptop ~]$ ls -l /var/log/wtmp
    -rw-rw-r--. 1 root utmp 116352 2018-01-30 13:55 /var/log/wtmp

    Sometimes wtmp gets rotated at the beginning of the year so there is usually another file like
    /var/log/wtmp-20180117 or something.

  • Is it possible you are testing SSH availability from nagios, monit, or some other software that connects to the port 22 without logging in?


    Marcelo

    “Could it be that this modern life is turning out to be more modern than life?” (Mafalda)

  • Marcelo Roccasalva wrote:
    Ok, I guess I wasn’t clear. First, selinux is in permissive mode. Second, I, my manager, and another user have all logged into the server. Yet lastlog | grep -v Never shows only root and the years-old security account. It doesn’t show any of us.

    mark

  • Interesting. lastlog was always my go-to. However, at least in C6, last gets it, while lastlog does not.

    How odd.

    mark

  • Did you check /var/log/secure?

    The last command not mentioning logged in users will raise a very big red flag for me. I also would check for something benign, like a full filesystem. And hard drive errors. But the very first thing I would do: check the integrity of your box – whichever host integrity tool you use…

    Good luck.

    Valeri
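
One way to run the cross-check the replies point at, as an added example that is not part of the original thread: list users that sshd reports as authenticated in the secure log but who have no timestamp in lastlog output. The function name, the sample log lines and the sample lastlog output are constructed for illustration; the sshd line layout assumed is the usual syslog form `Accepted <method> for <user> from <ip>`.

```shell
#!/bin/sh
# Added example: users sshd authenticated (per the secure log) that have
# no timestamp in lastlog output. On a live host, as root:
#   lastlog > /tmp/lastlog.txt
#   missing_from_lastlog /var/log/secure /tmp/lastlog.txt

missing_from_lastlog() {
    secure_log=$1     # sshd auth log, e.g. /var/log/secure
    lastlog_out=$2    # saved output of the lastlog command
    awk '
        # First file: lastlog output. Keep users that have a real timestamp.
        FILENAME == ARGV[1] {
            if (FNR > 1 && index($0, "**Never logged in**") == 0) seen[$1] = 1
            next
        }
        # Second file: syslog lines of the form
        #   Mon DD HH:MM:SS host sshd[PID]: Accepted <method> for <user> from <ip> ...
        $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Accepted" && $8 == "for" {
            if (!($9 in seen)) missing[$9]++
        }
        # Print "<user> <number of accepted logins>" for each unrecorded user.
        END { for (u in missing) print u, missing[u] }
    ' "$lastlog_out" "$secure_log" | sort
}

# Constructed sample data (not taken from the thread).
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/secure" <<'EOF'
Jan 30 13:40:02 host1 sshd[8390]: Accepted publickey for mark from 192.0.2.10 port 51234 ssh2
Jan 30 13:41:15 host1 sshd[8400]: Timeout, client not responding.
Jan 30 13:45:31 host1 sshd[8412]: Accepted password for root from 192.0.2.5 port 40022 ssh2
Jan 30 13:50:09 host1 sshd[8420]: Accepted publickey for mark from 192.0.2.10 port 51300 ssh2
Jan 30 13:52:44 host1 sshd[8431]: Failed password for invalid user admin from 198.51.100.7 port 2222 ssh2
Jan 30 13:55:00 host1 sshd[8440]: Accepted publickey for alice from 192.0.2.11 port 50001 ssh2
EOF
    cat > "$dir/lastlog" <<'EOF'
Username         Port     From             Latest
root             pts/0    192.0.2.5        Tue Jan 30 13:45:31 -0500 2018
mark                                       **Never logged in**
alice                                      **Never logged in**
EOF
    missing_from_lastlog "$dir/secure" "$dir/lastlog"
    rm -rf "$dir"
}

demo
```

Any user it prints has an accepted login on record in the secure log that lastlog does not reflect, which is the mismatch described in the thread.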