last, w, finger – Tracking Logged-in Users

Prerequisites

Requirement	Details
Access Level:	Any user can run these commands, but logs (/var/log/wtmp, /var/run/utmp) require system presence.
Software:	OpenSSH server, finger package (install via sudo apt install finger).
Knowledge:	Basic Linux sessions, UID/GID, and SSH logins.

Why and When

• Why it matters: Track usage, detect suspicious logins, and audit activity.
• Why this approach: Tools to see login history (last), active sessions (w), and user info (finger).
• When to use it: During security checks, debugging, or compliance audits.

Syntax Overview

Command	Basic Syntax	Purpose
last	last [options] [username]	Show login/logout history.
w	w [options]	Show current users and their processes.
finger	finger [username]	Show user details.

Options & Flags Explained

last Flags

Flag	Meaning	Example
(none)	Show all history	last
-n <num>	Show last N entries	last -n 5
-f <file>	Use custom wtmp log	last -f /var/log/wtmp.1
-a	Show hostname at last column	last -a

w Flags

Flag	Meaning	Example
(none)	Show all users + processes	w
-h	No header	w -h
-s	Short format	w -s
-f	Toggle hostname display	w -f

finger Flags

Flag	Meaning	Example
(none)	Show all users logged in	finger
username	Show specific user	finger dev1
-s	Short format	finger -s
-l	Long format	finger -l dev1

Real Command Usage (20 Examples with Expected Output)

Show recent login history

last

Output:

dev1  pts/0  192.168.1.10  Sat Sep 27 10:30   still logged in
root  pts/1  192.168.1.5   Sat Sep 27 09:00 - 10:00  (01:00)
reboot system boot 5.15.0-78 Sat Sep 27 08:55   still running

Explanation: Shows who logged in, from where, when, and logout.

Use Case: Audit access.

Benefit: Detect anomalies.

Show last 5 logins

last -n 5

Output:

dev1  pts/0  192.168.1.10  Sat Sep 27 10:30   still logged in
root  pts/1  192.168.1.5   Sat Sep 27 09:00 - 10:00  (01:00)

Explanation: Limits entries.

Use Case: Quick check.

Benefit: Save time.

Show logins of a specific user

last dev1

Output:

dev1  pts/0  192.168.1.10  Sat Sep 27 10:30   still logged in
dev1  pts/2  192.168.1.11  Fri Sep 26 15:00 - 16:00  (01:00)

Explanation: Filter by username.

Use Case: Check one dev’s activity.

Benefit: Accountability.

Show login history with hostname last

last -a | head -3

Output:

dev1  pts/0   Sat Sep 27 10:30   still logged in  192.168.1.10
root  pts/1   Sat Sep 27 09:00 - 10:00 (01:00)    192.168.1.5

Explanation: Moves hostname to last column.

Use Case: Easier parsing.

Benefit: Better readability.

Show current logged-in users (overview)

w

Output:

 10:40:05 up  2:00,  2 users,  load average: 0.00, 0.02, 0.00
USER     TTY   FROM           LOGIN@   IDLE   JCPU   PCPU WHAT
dev1     pts/0 192.168.1.10   10:30    0.00s  0.05s  0.01s -bash
root     pts/1 192.168.1.5    09:00    1:20   0.10s  0.02s htop

Explanation: Shows who’s logged in and their processes.

Use Case: Monitor live sessions.

Benefit: Real-time awareness.

Short format output

w -s

Output:

USER     TTY   FROM           IDLE WHAT
dev1     pts/0 192.168.1.10   0.00s -bash

Explanation: Strips details.

Use Case: Simple monitoring.

Benefit: Quick glance.

Hide header in w

w -h

Output:

dev1     pts/0 192.168.1.10  0.00s  bash
root     pts/1 192.168.1.5   1:20   htop

Explanation: Hides header row.

Use Case: Grep/parse output.

Benefit: Cleaner script integration.

Show/hide hostname field

w -f

Output:

dev1  pts/0   LOGIN@  IDLE   WHAT

Explanation: Toggle hostname visibility.

Use Case: Local-only audits.

Benefit: Simpler output.

Use finger to see all users

finger

Output:

Login  Name     TTY  Idle  Login Time   Office
dev1   WP Dev   pts/0  0   Sep 27 10:30 (192.168.1.10)
root   root     pts/1  1:20 Sep 27 09:00 (192.168.1.5)

Explanation: Lists all active users.

Use Case: User-friendly audit.

Benefit: Includes GECOS info.

Finger one user

finger dev1

Output:

Login: dev1                           Name: WP Developer
Directory: /home/dev1                 Shell: /bin/bash
On since Sat Sep 27 10:30 (UTC) on pts/0 from 192.168.1.10
No mail.  No Plan.

Explanation: Shows user detail.

Use Case: Audit developer account.

Benefit: Detailed info.

Short finger output

finger -s

Output:

Login  Name    TTY   Idle  Login Time
dev1   WP Dev  pts/0 0     Sep 27 10:30

Explanation: Strips extra info.

Use Case: Clean audit.

Benefit: Readable.

Long format with plan field

finger -l dev1

Output:

Login: dev1   Name: WP Developer
Directory: /home/dev1   Shell: /bin/bash
Project:
No Plan.

Explanation: Shows “Plan/Project” info (rarely used).

Use Case: Developer info documentation.

Benefit: Adds context.

Show last reboot events

last reboot | head -3

Output:

reboot system boot 5.15.0-78 Sat Sep 27 09:00 still running
reboot system boot 5.15.0-78 Fri Sep 26 08:30 - 09:00 (00:30)

Explanation: Shows server boot history.

Use Case: Check uptime.

Benefit: Detect crashes/reboots.

Show failed logins (if btmp available)

sudo lastb | head

Output:

root   ssh:notty 192.168.1.50  Fri Sep 26 10:10 - 10:10 (00:00)

Explanation: Shows failed login attempts.

Use Case: Security monitoring.

Benefit: Detect brute-force attempts.

Filter logins from IP

last | grep 192.168.1.10

Output:

dev1  pts/0  192.168.1.10  Sat Sep 27 10:30 still logged in

Explanation: Filter by host/IP.

Use Case: Track one client.

Benefit: Trace suspicious IP.

Show current uptime (with w)

w | head -1

Output:

 10:40:05 up 2:00, 2 users, load average: 0.00, 0.02, 0.00

Explanation: System uptime + load.

Use Case: Check stability.

Benefit: Quick status check.

Find idle users

w | awk '$5 ~ /[0-9]+:[0-9]+/'

Output:

root pts/1 192.168.1.5 1:20 htop

Explanation: Detect idle sessions.

Use Case: Identify unused sessions.

Benefit: Kill stale logins.

Combine finger + grep for one user

finger | grep dev1

Output:

dev1   WP Dev  pts/0  0  Sep 27 10:30 (192.168.1.10)

Explanation: Quick filter.

Use Case: Spot-check.

Benefit: Fast audit.

Show number of distinct users logged in today

last | grep "Sep 27" | awk '{print $1}' | sort | uniq

Output:

dev1
root

Explanation: Extract usernames from today’s logins.

Use Case: Daily access audit.

Benefit: Track activity per day.

Check if www-data ever logged in (should not)

last www-data

Output:

# (no output expected)

Explanation: Service users shouldn’t log in.

Use Case: Detect compromise.

Benefit: WordPress hardening.

WordPress-Specific Use Cases

Scenario	Command	Benefit
Monitor contractors	last dev1	Track dev login history
Detect brute-force SSH	lastb	Identify failed attempts
Confirm www-data never logged in	last www-data	Security validation
Check active sessions	w	Real-time monitoring
Document team members	finger	Show dev info in audits

Best Practices

1. Install finger only if needed — keep minimal surface.
2. Use lastb regularly to check failed logins.
3. Alert on unexpected service user logins (e.g., www-data).
4. Use w to detect idle sessions and terminate them.
5. Regularly rotate and archive /var/log/wtmp & /var/log/btmp.

Quick Lab

# See current users
w

# Show last 5 logins
last -n 5

# Show failed logins
sudo lastb | head

# Finger details of dev1
finger dev1

Expected Highlights:

dev1 pts/0 192.168.1.10 still logged in
root pts/1 192.168.1.5 idle
Login: dev1 Name: WP Developer

Cheat Sheet

Command	Purpose
last	Show login/logout history
last -n 5	Show last 5 logins
lastb	Show failed login attempts
w	Show current logged-in users
w -s	Short format
finger	Show user details
finger dev1	Info on specific user

Mini Quiz

1. What log file does last read?
2. Which command shows failed login attempts?
3. How can you list active sessions and what processes they run?
4. Why should www-data never appear in last?
5. What’s the difference between finger and w?