Quick take: last shows login history from /var/log/wtmp. lastb shows failed login attempts. who shows current users. w shows current users plus what they are running and system load.

Introduction

Three commands cover login and session visibility on Linux: last for history, who for current sessions, and w for current sessions with activity detail. Together they provide a complete audit picture — who has been on the server, who is there now, and what they are doing.

These are the first commands to run during a security incident or routine server audit, because they surface unauthorized access that application logs may not record.

last — Login History

last reads /var/log/wtmp and displays all logins, logouts, and reboots in reverse order.

# Show all login history
last

# Show history for a specific user
last irfan

# Show last 20 entries
last -n 20

# Show full IP addresses (no hostname resolution)
last -i

# Show with full date and time
last -F

# Show system reboots
last reboot

# Show shutdown history
last -x | grep shutdown

Sample output:

irfan    pts/0        192.168.1.10     Tue Apr 22 14:01   still logged in
irfan    pts/0        192.168.1.10     Mon Apr 21 09:15 - 17:30  (08:15)
reboot   system boot  6.8.0-51-generic Mon Apr 21 09:00
root     pts/1        10.0.0.5         Sun Apr 20 22:11 - 22:45  (00:34)

lastb — Failed Logins

lastb reads /var/log/btmp (bad logins) and shows authentication failures — essential for spotting brute force attacks.

# Show failed login attempts (requires root)
sudo lastb

# Show last 30 failed attempts with IPs
sudo lastb -i -n 30

# Count failed attempts by IP
sudo lastb | awk '{print $3}' | sort | uniq -c | sort -rn | head -20

A flood of failures from a single IP is a brute force attempt. Cross-reference with your UFW or Fail2Ban rules to confirm the IP is already blocked.

lastlog — Last Login per User

lastlog shows the most recent login for every account on the system — useful for spotting dormant accounts that should be disabled.

# Show all users' last login
lastlog

# Show for a specific user
lastlog -u irfan

# Show users who have never logged in
lastlog | grep "Never logged in"

who — Current Sessions

who reads /var/run/utmp and lists currently logged-in users.

# Show current logged-in users
who

# Show detailed info including PID
who -u

# Show only your own session
who am i

# Show system boot time
who -b

# Show dead processes and terminal lines
who -d

Sample output:

irfan    pts/0        2026-04-22 14:01 (192.168.1.10)
root     pts/1        2026-04-22 10:30 (10.0.0.5)

w — Sessions with Activity

w is the most information-dense of these commands — it shows who is logged in, from where, how long they have been idle, and what command they are currently running.

# Show all active sessions with current command
w

# Show for a specific user
w irfan

# Show without hostname resolution (faster)
w -i

Sample output:

 14:05:22 up 5:05,  2 users,  load average: 0.12, 0.08, 0.05
USER     TTY      FROM             LOGIN@   IDLE JCPU   PCPU WHAT
irfan    pts/0    192.168.1.10     14:01    0.00s  0.02s  0.00s w
root     pts/1    10.0.0.5         10:30    3:35m  0.01s  0.01s vim /etc/nginx/nginx.conf

The IDLE column shows how long since the user typed anything. The WHAT column shows the current process — useful for seeing if someone is actively working or just connected but idle.

Security Audit Workflow

When auditing a server after a suspected breach, run these in sequence:

# 1. Who is on right now?
w

# 2. Has root logged in recently?
last root | head -20

# 3. Any failed root logins?
sudo lastb root | head -20

# 4. Any logins from unexpected IPs?
last -i | grep -v '192.168\|127.0\|still'

# 5. Any accounts that never log in but show a recent session?
lastlog | grep -v "Never logged in" | grep -v "^Username"

# 6. How many failed attempts and from where?
sudo lastb | awk '{print $3}' | sort | uniq -c | sort -rn | head -10

Final Thoughts

These three commands — last, who, and w — cost nothing to run and reveal a great deal about who has been accessing your server. Make them part of your standard server audit checklist. For persistent monitoring, pair them with Fail2Ban for automatic IP blocking and centralized logging to preserve wtmp records beyond their local rotation window.

FAQ: last, who, and w Commands in Linux

How do I view login history on Linux?+

Run last to see a list of all logins in reverse chronological order, showing username, terminal, IP address, and login/logout times. last reads from /var/log/wtmp.

How do I see failed login attempts on Linux?+

Run sudo lastb to view failed login attempts (bad logins). This reads from /var/log/btmp. It shows the username attempted, source IP, and timestamp — essential for detecting brute force attacks.

What is the difference between who and w?+

who shows who is currently logged in with their terminal and login time. w shows the same information but also includes what each user is currently running and system load averages — it is the more informative command.

How do I see when a user last logged in?+

Use lastlog to see the last login time for every account on the system, or last username to filter to a specific user. For the current user, run last $USER.

How do I see login history for a specific user?+

Run last username, e.g. last irfan. This shows all sessions for that user from the wtmp log. Add -i to show IP addresses instead of hostnames.

Need help with Linux servers or infrastructure?

Work directly with Muhammad Irfan Aslam for Linux, Ubuntu, Docker, DevOps, cloud, CI/CD, or infrastructure support.

Hire Me for Support