Logon Attempts

Successful Logons

The wtmp file is a binary file that contains a history of all logins and logouts on a *nix system. It is located in the /var/log directory 12.

The wtmp file is updated by the login program whenever a user logs in or out of the system.

The wtmp file contains records that are stored in a sequential manner, with each record having a fixed size of 384 bytes. The structure of these records is defined in the utmp.h header file in the format of the struct utmp structure.

Here's a general idea of what the struct utmp structure looks like 3:

  • ut_type: The type of login event. It could indicate a user process, system boot, run-level, init process, login process, or a dead process, among others.
  • ut_pid: The process ID associated with the session. This could be the ID of the login process.
  • ut_line: The device name, including the tty or pseudo-tty associated with the user login, typically recorded in the /dev/ directory.
  • ut_id: The terminal identifier, often a representation of the TTY associated with the login.
  • ut_user: The username associated with the login event.
  • ut_host: If a user is logging in from a remote host, this field records the hostname of that remote machine. If the system is changing run levels, this field records the new kernel version.
  • ut_exit: This structure records the exit status of processes.
  • ut_session: This represents the session ID and can be used to correlate records that belong to the same session.
  • ut_tv: This structure records the time the entry was made in seconds (tv_sec) and microseconds (tv_usec).
  • ut_addr_v6: This is an array representing the IP address of the remote host. For IPv4 addresses, only ut_addr_v6[0] is used.
  • __glibc_reserved: This field is reserved for future use.
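
The following is an added example, not code from the original page: a small Python parser for the record layout just described. It assumes the glibc layout of struct utmp on x86_64 (little-endian, 384 bytes per record, 32-bit tv_sec/tv_usec and ut_session), and it constructs three sample records of its own rather than reading a real /var/log/wtmp.

```python
"""Parse glibc struct utmp records straight from wtmp/btmp bytes (added example)."""
import socket
import struct
from datetime import datetime, timezone
from typing import Iterator, List, NamedTuple

# Assumed layout: struct utmp as laid out by glibc on x86_64 (little-endian, 384 bytes):
#   short ut_type; 2 bytes padding; pid_t ut_pid; char ut_line[32]; char ut_id[4];
#   char ut_user[32]; char ut_host[256]; struct exit_status {short e_termination, e_exit};
#   int32 ut_session; struct {int32 tv_sec; int32 tv_usec} ut_tv;
#   int32 ut_addr_v6[4]; char __glibc_reserved[20];
UTMP_FORMAT = "<hxxi32s4s32s256shhiii16s20s"
UTMP_SIZE = struct.calcsize(UTMP_FORMAT)  # 384

UT_TYPE_NAMES = {
    0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME", 4: "OLD_TIME",
    5: "INIT_PROCESS", 6: "LOGIN_PROCESS", 7: "USER_PROCESS", 8: "DEAD_PROCESS",
    9: "ACCOUNTING",
}


class UtmpRecord(NamedTuple):
    ut_type: int
    type_name: str
    pid: int
    line: str
    ut_id: str
    user: str
    host: str
    session: int
    timestamp: datetime
    addr: str


def _cstr(raw: bytes) -> str:
    # Fixed-width fields are NUL-padded but not guaranteed NUL-terminated: cut at the first NUL.
    return raw.split(b"\0", 1)[0].decode("utf-8", errors="replace")


def _addr(raw: bytes) -> str:
    # ut_addr_v6 holds the address in network byte order; IPv4 uses only the first 4 bytes.
    if raw[4:] == b"\0" * 12:
        return socket.inet_ntoa(raw[:4])
    return socket.inet_ntop(socket.AF_INET6, raw)


def parse_record(buf: bytes) -> UtmpRecord:
    (ut_type, pid, line, ut_id, user, host, _e_term, _e_exit, session,
     tv_sec, tv_usec, addr, _reserved) = struct.unpack(UTMP_FORMAT, buf)
    ts = datetime.fromtimestamp(tv_sec, tz=timezone.utc).replace(microsecond=tv_usec)
    return UtmpRecord(ut_type, UT_TYPE_NAMES.get(ut_type, f"UNKNOWN({ut_type})"), pid,
                      _cstr(line), _cstr(ut_id), _cstr(user), _cstr(host), session, ts, _addr(addr))


def iter_records(data: bytes) -> Iterator[UtmpRecord]:
    # Records are fixed-size and sequential; a trailing partial record means truncation
    # (or a different libc layout), so it is skipped rather than mis-parsed.
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        yield parse_record(data[off:off + UTMP_SIZE])


def build_record(ut_type: int, pid: int, line: str, user: str, host: str,
                 when: datetime, ipv4: str = "0.0.0.0", ut_id: str = "") -> bytes:
    """Pack one record in the same layout; used here only to construct sample input."""
    addr = socket.inet_aton(ipv4) + b"\0" * 12
    return struct.pack(UTMP_FORMAT, ut_type, pid, line.encode(), ut_id.encode(),
                       user.encode(), host.encode(), 0, 0, 0,
                       int(when.timestamp()), when.microsecond, addr, b"")


def sample_wtmp() -> bytes:
    """Constructed bytes modelled on typical utmpdump lines (not a real wtmp file)."""
    def t(*parts: int) -> datetime:
        return datetime(*parts, tzinfo=timezone.utc)
    return b"".join([
        build_record(2, 0, "~", "reboot", "5.14.0-284.11.1.el9_2.x86_64",
                     t(2023, 7, 2, 16, 2, 11), ut_id="~~"),
        build_record(7, 4014, "tty2", "tlasso", "tty2", t(2023, 7, 2, 16, 4, 40)),
        build_record(7, 40243, "pts/1", "nate@corp.tuxtriage.net", "172.23.48.1",
                     t(2023, 7, 5, 17, 54, 25), ipv4="172.23.48.1", ut_id="ts/1"),
    ])


def parse_sample() -> List[UtmpRecord]:
    return list(iter_records(sample_wtmp()))


if __name__ == "__main__":
    for rec in parse_sample():
        print(f"[{rec.ut_type}] {rec.type_name:13} pid={rec.pid:<6} {rec.user:25} "
              f"{rec.line:6} {rec.host:30} {rec.addr:15} {rec.timestamp.isoformat()}")
```

To run it against a real file, pass `open("/var/log/wtmp", "rb").read()` to `iter_records`; check `len(data) % 384 == 0` first, since a non-zero remainder means either truncation or a libc with a different record size. Keep in mind that wtmp and btmp are plain files writable by root, so a parsed timeline should be corroborated against other sources (journald, sshd logs) rather than treated as tamper-evident.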

utmpdump utility

The utmpdump utility is a command-line tool that can be used to dump the contents of wtmp in a human-readable format.

sudo utmpdump wtmp
[tlasso@rhel-richmondfc log]$ sudo utmpdump wtmp 
Utmp dump of wtmp
[2] [00000] [~~  ] [reboot  ] [~           ] [5.14.0-284.11.1.el9_2.x86_64] [0.0.0.0        ] [2023-06-14T06:33:26,391250+00:00]
[1] [00053] [~~  ] [runlevel] [~           ] [5.14.0-284.11.1.el9_2.x86_64] [0.0.0.0        ] [2023-06-14T06:33:40,819556+00:00]
[7] [05403] [    ] [tlasso  ] [seat0       ] [login screen        ] [0.0.0.0        ] [2023-06-14T06:35:06,827950+00:00]
[7] [05403] [    ] [tlasso  ] [tty2        ] [tty2                ] [0.0.0.0        ] [2023-06-14T06:35:06,842674+00:00]
...
[7] [02252] [    ] [tlasso  ] [tty2        ] [tty2                ] [0.0.0.0        ] [2023-06-14T07:08:32,732126+00:00]
[8] [02252] [    ] [        ] [tty2        ] [tty2                ] [0.0.0.0        ] [2023-06-14T07:10:32,561013+00:00]
[7] [03822] [    ] [corp\tlasso] [seat0       ] [login screen        ] [0.0.0.0        ] [2023-06-14T07:11:59,828610+00:00]
[7] [03822] [    ] [corp\tlasso] [tty2        ] [tty2                ] [0.0.0.0        ] [2023-06-14T07:11:59,844923+00:00]
[8] [03822] [    ] [        ] [tty2        ] [tty2                ] [0.0.0.0        ] [2023-06-14T07:14:12,532661+00:00]
[7] [05218] [    ] [tlasso  ] [seat0       ] [login screen        ] [0.0.0.0        ] [2023-06-14T07:16:25,340760+00:00]
[7] [05218] [    ] [tlasso  ] [tty2        ] [tty2                ] [0.0.0.0        ] [2023-06-14T07:16:25,355669+00:00]
[7] [07149] [    ] [corp\tlasso] [seat0       ] [login screen        ] [0.0.0.0        ] [2023-06-14T07:20:19,453351+00:00]
[7] [07149] [    ] [corp\tlasso] [tty3        ] [tty3                ] [0.0.0.0        ] [2023-06-14T07:20:19,468732+00:00]
[8] [07149] [    ] [        ] [tty3        ] [tty3                ] [0.0.0.0        ] [2023-06-14T07:20:49,888562+00:00]
[7] [08634] [    ] [corp\nate] [seat0       ] [login screen        ] [0.0.0.0        ] [2023-06-14T07:21:01,919825+00:00]
[7] [08634] [    ] [corp\nate] [tty3        ] [tty3                ] [0.0.0.0        ] [2023-06-14T07:21:01,934843+00:00]
[8] [05218] [    ] [        ] [tty2        ] [tty2                ] [0.0.0.0        ] [2023-06-14T07:23:00,060946+00:00]
[1] [00000] [~~  ] [shutdown] [~           ] [5.14.0-284.11.1.el9_2.x86_64] [0.0.0.0        ] [2023-06-14T07:23:11,496730+00:00]
[2] [00000] [~~  ] [reboot  ] [~           ] [5.14.0-284.11.1.el9_2.x86_64] [0.0.0.0        ] [2023-06-14T07:23:19,033360+00:00]
[1] [00053] [~~  ] [runlevel] [~           ] [5.14.0-284.11.1.el9_2.x86_64] [0.0.0.0        ] [2023-06-14T07:23:32,171343+00:00]
...
[7] [02262] [    ] [corp\cbeard] [seat0       ] [login screen        ] [0.0.0.0        ] [2023-07-02T14:52:43,715647+00:00]
[7] [02262] [    ] [corp\cbeard] [tty2        ] [tty2                ] [0.0.0.0        ] [2023-07-02T14:52:43,730818+00:00]
[7] [05197] [    ] [tlasso  ] [seat0       ] [login screen        ] [0.0.0.0        ] [2023-07-02T15:39:28,794506+00:00]
[7] [05197] [    ] [tlasso  ] [tty3        ] [tty3                ] [0.0.0.0        ] [2023-07-02T15:39:28,810540+00:00]
[7] [07492] [    ] [cbeard@corp.tuxtriage.net] [seat0       ] [login screen        ] [0.0.0.0        ] [2023-07-02T15:59:58,261848+00:00]
[7] [07492] [    ] [cbeard@corp.tuxtriage.net] [tty4        ] [tty4                ] [0.0.0.0        ] [2023-07-02T15:59:58,270203+00:00]
[1] [00000] [~~  ] [shutdown] [~           ] [5.14.0-284.11.1.el9_2.x86_64] [0.0.0.0        ] [2023-07-02T16:01:53,787611+00:00]
[2] [00000] [~~  ] [reboot  ] [~           ] [5.14.0-284.11.1.el9_2.x86_64] [0.0.0.0        ] [2023-07-02T16:02:11,368171+00:00]
[1] [00053] [~~  ] [runlevel] [~           ] [5.14.0-284.11.1.el9_2.x86_64] [0.0.0.0        ] [2023-07-02T16:02:14,822723+00:00]
[7] [02261] [    ] [corp\cbeard] [seat0       ] [login screen        ] [0.0.0.0        ] [2023-07-02T16:02:37,388535+00:00]
[7] [02261] [    ] [corp\cbeard] [tty2        ] [tty2                ] [0.0.0.0        ] [2023-07-02T16:02:37,404458+00:00]
[8] [02261] [    ] [        ] [tty2        ] [tty2                ] [0.0.0.0        ] [2023-07-02T16:04:27,464002+00:00]
[7] [04014] [    ] [tlasso  ] [seat0       ] [login screen        ] [0.0.0.0        ] [2023-07-02T16:04:40,193039+00:00]
[7] [04014] [    ] [tlasso  ] [tty2        ] [tty2                ] [0.0.0.0        ] [2023-07-02T16:04:40,208590+00:00]
[7] [06612] [ts/1] [nate@corp.tuxtriage.net] [pts/1       ] [172.26.0.1          ] [172.26.0.1     ] [2023-07-02T18:36:35,071518+00:00]
...
[7] [37619] [    ] [corp\cbeard] [seat0       ] [login screen        ] [0.0.0.0        ] [2023-07-05T17:51:14,138272+00:00]
[7] [37619] [    ] [corp\cbeard] [tty2        ] [tty2                ] [0.0.0.0        ] [2023-07-05T17:51:14,152081+00:00]
[7] [39323] [    ] [tlasso  ] [seat0       ] [login screen        ] [0.0.0.0        ] [2023-07-05T17:52:15,720396+00:00]
[7] [39323] [    ] [tlasso  ] [tty3        ] [tty3                ] [0.0.0.0        ] [2023-07-05T17:52:15,736486+00:00]
[7] [40243] [ts/1] [nate@corp.tuxtriage.net] [pts/1       ] [172.23.48.1         ] [172.23.48.1    ] [2023-07-05T17:54:25,140715+00:00]

last command utility

The last command is a utility that can also be used to view this information. The list is produced in reverse chronological order (most recent events first), hence the name "last".

last -f wtmp
[tlasso@rhel-richmondfc log]$ last -f wtmp 
nate@cor pts/1        172.23.48.1      Wed Jul  5 13:54   still logged in
tlasso   tty3         tty3             Wed Jul  5 13:52   still logged in
tlasso   seat0        login screen     Wed Jul  5 13:52   still logged in
corp\cbe tty2         tty2             Wed Jul  5 13:51   still logged in
corp\cbe seat0        login screen     Wed Jul  5 13:51 - 13:52  (00:01)
tlasso   tty2         tty2             Wed Jul  5 13:29 - 13:50  (00:21)
tlasso   seat0        login screen     Wed Jul  5 13:29 - 13:51  (00:22)
reboot   system boot  5.14.0-284.18.1. Wed Jul  5 13:27   still running
reboot   system boot  5.14.0-284.11.1. Wed Jul  5 13:20 - 13:22  (00:01)
tlasso   tty2         tty2             Mon Jul  3 19:09 - down  (1+18:11)
tlasso   seat0        login screen     Mon Jul  3 19:09 - down  (1+18:11)
reboot   system boot  5.14.0-284.11.1. Sun Jul  2 23:44 - 13:20 (2+13:36)
nate@cor pts/1        172.26.0.1       Sun Jul  2 14:36 - crash  (09:07)
tlasso   tty2         tty2             Sun Jul  2 12:04 - crash  (11:39)
tlasso   seat0        login screen     Sun Jul  2 12:04 - crash  (11:39)

Failed Logon Attempts

The btmp file is a system log file in Linux that keeps a record of failed login attempts. It is located in the /var/log/ directory.

Each time a user or process tries to log in to the system and fails, an entry is added to the btmp file. This file can be quite useful from a security perspective because a large number of failed login attempts could be an indication of a brute force attack or some other malicious activity.

The btmp file also uses a binary format to store login records. Each record is stored as a struct utmp. The utmpdump and last commands can be used to view the data.

sudo last -f btmp
[tlasso@rhel-richmondfc log]$ sudo last -f btmp
CORPcbe seat0        login screen     Sun Jul  2 09:04    gone - no logout
cbeard@t seat0        login screen     Sun Jul  2 09:04 - 09:04  (00:00)
corpcbe seat0        login screen     Sun Jul  2 09:03 - 09:04  (00:00)
cbeard   seat0        login screen     Sun Jul  2 09:03 - 09:03  (00:00)
cbeard   seat0        login screen     Sun Jul  2 09:02 - 09:03  (00:00)
cbeard   seat0        login screen     Sun Jul  2 09:02 - 09:02  (00:00)
cbeard   seat0        login screen     Sun Jul  2 09:02 - 09:02  (00:00)

btmp begins Sun Jul  2 09:02:27 2023

[tlasso@rhel-richmondfc log]$ sudo last -f btmp-20230702 
tuxtriag seat0        login screen     Wed Jun 14 03:11    gone - no logout
tuxtriag seat0        login screen     Wed Jun 14 03:10 - 03:11  (00:00)
tlasso   seat0        login screen     Wed Jun 14 02:34 - 03:10  (00:35)

btmp-20230702 begins Wed Jun 14 02:34:55 2023
[tlasso@rhel-richmondfc log]$ sudo utmpdump btmp
Utmp dump of btmp
[7] [04306] [    ] [cbeard  ] [seat0       ] [login screen        ] [0.0.0.0        ] [2023-07-02T13:02:27,697928+00:00]
[7] [04331] [    ] [cbeard  ] [seat0       ] [login screen        ] [0.0.0.0        ] [2023-07-02T13:02:36,386695+00:00]
[7] [04337] [    ] [cbeard  ] [seat0       ] [login screen        ] [0.0.0.0        ] [2023-07-02T13:02:44,039468+00:00]
[7] [04350] [    ] [cbeard  ] [seat0       ] [login screen        ] [0.0.0.0        ] [2023-07-02T13:03:09,359408+00:00]
[7] [04370] [    ] [corp\cbeard] [seat0       ] [login screen        ] [0.0.0.0        ] [2023-07-02T13:03:59,445274+00:00]
[7] [04380] [    ] [cbeard@tuxtriage.net] [seat0       ] [login screen        ] [0.0.0.0        ] [2023-07-02T13:04:30,283273+00:00]
[7] [04389] [    ] [CORP\cbeard] [seat0       ] [login screen        ] [0.0.0.0        ] [2023-07-02T13:04:57,104620+00:00]
[6] [36824] [    ] [jayaram ] [ssh:notty   ] [172.23.48.1         ] [172.23.48.1    ] [2023-07-05T17:46:34,000000+00:00]
[6] [36824] [    ] [jayaram ] [ssh:notty   ] [172.23.48.1         ] [172.23.48.1    ] [2023-07-05T17:46:50,000000+00:00]
[6] [37042] [    ] [corpnate] [ssh:notty   ] [172.23.48.1         ] [172.23.48.1    ] [2023-07-05T17:50:17,000000+00:00]
[6] [37042] [    ] [corpnate] [ssh:notty   ] [172.23.48.1         ] [172.23.48.1    ] [2023-07-05T17:50:23,000000+00:00]
[6] [37044] [    ] [corp    ] [ssh:notty   ] [172.23.48.1         ] [172.23.48.1    ] [2023-07-05T17:50:32,000000+00:00]
[6] [37044] [    ] [corp    ] [ssh:notty   ] [172.23.48.1         ] [172.23.48.1    ] [2023-07-05T17:50:38,000000+00:00]
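
As an added example that is not part of the original page, the script below turns the bracketed text that utmpdump prints for btmp into a per-source summary of failed logons: how many failures each source produced, how many fell inside a short window, and which account names were tried. Remote attempts are keyed by the address field; local attempts (address 0.0.0.0) are keyed by the line, such as seat0. The sample input is constructed from the btmp dump lines shown above; the threshold (5 failures) and window (10 minutes) are assumed tuning values, not anything the page specifies.

```python
"""Summarise failed-logon records from `utmpdump btmp` text output (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional

# utmpdump prints eight bracketed fields: [type] [pid] [id] [user] [line] [host] [addr] [time]
FIELD_RE = re.compile(r"\[([^\]]*)\]")

# Constructed sample: the btmp records shown in the page's utmpdump output.
SAMPLE_BTMP_DUMP = r"""Utmp dump of btmp
[7] [04306] [    ] [cbeard  ] [seat0       ] [login screen        ] [0.0.0.0        ] [2023-07-02T13:02:27,697928+00:00]
[7] [04331] [    ] [cbeard  ] [seat0       ] [login screen        ] [0.0.0.0        ] [2023-07-02T13:02:36,386695+00:00]
[7] [04337] [    ] [cbeard  ] [seat0       ] [login screen        ] [0.0.0.0        ] [2023-07-02T13:02:44,039468+00:00]
[7] [04350] [    ] [cbeard  ] [seat0       ] [login screen        ] [0.0.0.0        ] [2023-07-02T13:03:09,359408+00:00]
[7] [04370] [    ] [corp\cbeard] [seat0       ] [login screen        ] [0.0.0.0        ] [2023-07-02T13:03:59,445274+00:00]
[7] [04380] [    ] [cbeard@tuxtriage.net] [seat0       ] [login screen        ] [0.0.0.0        ] [2023-07-02T13:04:30,283273+00:00]
[7] [04389] [    ] [CORP\cbeard] [seat0       ] [login screen        ] [0.0.0.0        ] [2023-07-02T13:04:57,104620+00:00]
[6] [36824] [    ] [jayaram ] [ssh:notty   ] [172.23.48.1         ] [172.23.48.1    ] [2023-07-05T17:46:34,000000+00:00]
[6] [36824] [    ] [jayaram ] [ssh:notty   ] [172.23.48.1         ] [172.23.48.1    ] [2023-07-05T17:46:50,000000+00:00]
[6] [37042] [    ] [corpnate] [ssh:notty   ] [172.23.48.1         ] [172.23.48.1    ] [2023-07-05T17:50:17,000000+00:00]
[6] [37042] [    ] [corpnate] [ssh:notty   ] [172.23.48.1         ] [172.23.48.1    ] [2023-07-05T17:50:23,000000+00:00]
[6] [37044] [    ] [corp    ] [ssh:notty   ] [172.23.48.1         ] [172.23.48.1    ] [2023-07-05T17:50:32,000000+00:00]
[6] [37044] [    ] [corp    ] [ssh:notty   ] [172.23.48.1         ] [172.23.48.1    ] [2023-07-05T17:50:38,000000+00:00]
"""


class DumpLine(NamedTuple):
    ut_type: int
    pid: int
    user: str
    line: str
    host: str
    addr: str
    ts: datetime


class SourceSummary(NamedTuple):
    source: str
    failures: int
    peak_in_window: int
    users: List[str]
    first: datetime
    last: datetime


def parse_dump_line(text: str) -> Optional[DumpLine]:
    fields = [f.strip() for f in FIELD_RE.findall(text)]
    if len(fields) != 8:
        return None  # header line ("Utmp dump of btmp"), blank line, or unexpected format
    ut_type, pid, _ut_id, user, line, host, addr, ts = fields
    # utmpdump separates microseconds with a comma; fromisoformat expects a dot
    return DumpLine(int(ut_type), int(pid), user, line, host, addr,
                    datetime.fromisoformat(ts.replace(",", ".")))


def source_key(rec: DumpLine) -> str:
    # Every btmp record is a failure; attribute remote ones to the address and local ones to the line.
    return rec.addr if rec.addr != "0.0.0.0" else f"local:{rec.line}"


def _peak_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest number of timestamps falling inside any interval of length `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def summarize_failures(dump_text: str, threshold: int = 5,
                       window: timedelta = timedelta(minutes=10)) -> Dict[str, SourceSummary]:
    """Return only the sources whose burst of failures reaches `threshold` within `window`."""
    by_source: Dict[str, List[DumpLine]] = defaultdict(list)
    for raw in dump_text.splitlines():
        rec = parse_dump_line(raw)
        if rec is not None:
            by_source[source_key(rec)].append(rec)
    flagged: Dict[str, SourceSummary] = {}
    for src, recs in by_source.items():
        times = sorted(r.ts for r in recs)
        peak = _peak_in_window(times, window)
        if peak >= threshold:
            flagged[src] = SourceSummary(src, len(recs), peak,
                                         sorted({r.user for r in recs}), times[0], times[-1])
    return flagged


if __name__ == "__main__":
    for s in summarize_failures(SAMPLE_BTMP_DUMP).values():
        print(f"{s.source:15} failures={s.failures} peak={s.peak_in_window} "
              f"users={s.users} {s.first.isoformat()} .. {s.last.isoformat()}")
```

On the sample, both the local login-screen burst (seven failures in under three minutes across four spellings of one account) and the SSH burst from 172.23.48.1 (six failures against three account names in four minutes) exceed the threshold; the distinct-user list is what separates a single user mistyping a domain-qualified name from an attempt to spray several accounts. In practice, pipe `utmpdump btmp` and the rotated `btmp-YYYYMMDD` files through it together, since rotation can split one burst across two files.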