User logins not appearing in wtmp?

June 06th, 2012 - 10:40 am ET by francis picabia
Today I see from logwatch report 28 sshd logins
from one user at an IP address in a different
continent than usually seen here.

When I look up this user with last command to see
if this is part of a travel pattern or perhaps their
account is compromised, I don't get any matches.
I've used last and last -f /var/log/wtmp.1
with the user name and there are no matches.

Yet finger shows a login from Apr 24, which jives with
their last .bash_history update

One way this could happen is by use of sftp/scp. Is there
a way to get last to record these sessions as well?



Replies

#1 Camale
June 06th, 2012 - 12:20 pm ET
On Wed, 06 Jun 2012 11:36:09 -0300, francis picabia wrote:

> Today I see from logwatch report 28 sshd logins from one user at an IP
> address in a different continent than usually seen here.
>
> When I look up this user with last command to see if this is part of a
> travel pattern or perhaps their account is compromised, I don't get any
> matches. I've used last and last -f /var/log/wtmp.1 with the user name
> and there are no matches.

OpenSSH logins fall under "/var/log/auth*" logs.

> Yet finger shows a login from Apr 24, which jives with their last
> .bash_history update
>
> One way this could happen is by use of sftp/scp. Is there a way to get
> last to record these sessions as well?

Mmm... any specific reason for wanting these logs available within
wtmp? :-?

Greetings,

Camaleón
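
Added example (not part of the original thread): sshd writes an "Accepted ..." line to the auth log for every successful authentication, including sftp/scp sessions that never get a wtmp record, so the per-user, per-address view the question asks of last can be built from those lines. The sample log, user names and addresses below are constructed; on a real host the function would be fed the lines of /var/log/auth.log and its rotated copies.

```python
import re
from collections import defaultdict

# Constructed sample in the syslog format sshd writes to /var/log/auth.log.
# Users and hosts are made up; addresses come from documentation ranges.
SAMPLE_AUTH_LOG = """\
Apr 24 09:12:01 host sshd[2211]: Accepted password for alice from 192.0.2.10 port 50122 ssh2
Jun  6 03:14:07 host sshd[4101]: Failed password for alice from 198.51.100.77 port 40110 ssh2
Jun  6 03:14:15 host sshd[4101]: Accepted password for alice from 198.51.100.77 port 40110 ssh2
Jun  6 03:14:16 host sshd[4103]: subsystem request for sftp
Jun  6 03:20:44 host sshd[4150]: Accepted password for alice from 198.51.100.77 port 40161 ssh2
Jun  6 08:02:30 host sshd[5002]: Accepted publickey for bob from 2001:db8::5 port 51515 ssh2
"""

# Matches only successful authentications; failures and other sshd lines are skipped.
ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def accepted_logins(lines, user=None):
    """Summarise successful sshd authentications per (user, source address)."""
    summary = defaultdict(
        lambda: {"count": 0, "first": None, "last": None, "methods": set()}
    )
    for line in lines:
        m = ACCEPTED.match(line)
        if not m or (user and m["user"] != user):
            continue
        entry = summary[(m["user"], m["ip"])]
        entry["count"] += 1
        entry["first"] = entry["first"] or m["ts"]  # lines are in time order
        entry["last"] = m["ts"]
        entry["methods"].add(m["method"])
    return dict(summary)

if __name__ == "__main__":
    rows = accepted_logins(SAMPLE_AUTH_LOG.splitlines(), user="alice")
    for (name, ip), e in rows.items():
        print(f"{name:8} {ip:16} n={e['count']:<3} "
              f"{e['first']} .. {e['last']} {sorted(e['methods'])}")
```

An address that appears here with a high count and no earlier history for that user is the one to check against the user's known travel.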

