4 Ways to Identify Who is Logged-In on Your Linux System

As a system administrator, you may want to know who is on the system at any give point in time. You may also want to know what they are doing. In this article let us review 4 different methods to identify who is on your Linux system.

1. Get the running processes of logged-in user using w

w command is used to show logged-in user names and what they are doing. The information will be read from /var/run/utmp file. The output of the w command contains the following columns:

  • Name of the user
  • User’s machine number or tty number
  • Remote machine address
  • User’s Login time
  • Idle time (not usable time)
  • Time used by all processes attached to the tty (JCPU time)
  • Time used by the current process (PCPU time)
  • Command currently getting executed by the users

 
Following options can be used for the w command:

  • -h Ignore the header information
  • -u Display the load average (uptime output)
  • -s Remove the JCPU, PCPU, and login time.
# w
 23:04:27 up 29 days,  7:51,  3 users,  load average: 0.04, 0.06, 0.02
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
sftpd-user   pts/0    dev-db-server        22:57    8.00s  0.05s  0.01s sshd: ramesh [priv]
www    pts/1    dev-db-server        23:01    2:53   0.01s  0.01s -bash
root     pts/2    dev-db-server        23:04    0.00s  0.00s  0.00s w

# w -h
sftpd-user   pts/0    dev-db-server        22:57   17:43   2.52s  0.01s sshd: ramesh [priv]
www    pts/1    dev-db-server        23:01   20:28   0.01s  0.01s -bash
root     pts/2    dev-db-server        23:04    0.00s  0.03s  0.00s w -h

# w -u
 23:22:06 up 29 days,  8:08,  3 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
sftpd-user   pts/0    dev-db-server        22:57   17:47   2.52s  2.49s top
www    pts/1    dev-db-server        23:01   20:32   0.01s  0.01s -bash
root     pts/2    dev-db-server        23:04    0.00s  0.03s  0.00s w -u

# w -s
 23:22:10 up 29 days,  8:08,  3 users,  load average: 0.00, 0.00, 0.00
USER         TTY      FROM               IDLE WHAT
sftpd-user   pts/0    dev-db-server        17:51  sshd: sftpd-user [priv]
www          pts/1    dev-db-server        20:36  -bash
root         pts/2    dev-db-server         1.00s w -s

2. Get the user name and process of logged in user using who and users command

who command is used to get the list of the usernames who are currently logged in. Output of the who command contains the following columns: user name, tty number, date and time, machine address.

# who
sftpd-user   pts/0        2009-03-28 22:57 (dev-db-server)
www          pts/1        2009-03-28 23:01 (dev-db-server)
root         pts/2        2009-03-28 23:04 (dev-db-server)

To get a list of all usernames that are currently logged in, use the following:

# who | cut -d' ' -f1 | sort | uniq
root
www
sftpd-user

Users Command

users command is used to print the user name who are all currently logged in the current host. It is one of the command don’t have any option other than help and version. If the user using, ‘n’ number of terminals, the user name will shown in ‘n’ number of time in the output.

# users
root www sftpd-user

3. Get the username you are currently logged in using whoami

whoami command is used to print the loggedin user name.

# whoami
root

whoami command gives the same output as id -un as shown below:

# id -un
root

who am i command will display the logged-in user name and current tty details. The output of this command contains the following columns: logged-in user name, tty name, current time with date and ip-address from where this users initiated the connection.

# who am i
root     pts/2        2009-03-28 23:04 (dev-db-server)

# who mom likes
root     pts/2        2009-03-28 23:04 (dev-db-server)

Warning: Don't try "who mom hates" command.

Also, if you do su to some other user, this command will give the information about the logged in user name details.

4. Get the user login history at any time

last command will give login history for a specific username. If we don’t give any argument for this command, it will list login history for all users. By default this information will read from /var/log/wtmp file. The output of this command contains the following columns:

  • User name
  • Tty device number
  • Login date and time
  • Logout time
  • Total working time
# last root
root   pts/0        dev-db-server   Fri Mar 27 22:57   still logged in
root   pts/0        dev-db-server   Fri Mar 27 22:09 - 22:54  (00:45)
root   pts/0        dev-db-server   Wed Mar 25 19:58 - 22:26  (02:28)
root   pts/1        dev-db-server   Mon Mar 16 20:10 - 21:44  (01:33)
root   pts/0        192.168.201.11  Fri Mar 13 08:35 - 16:46  (08:11)
root   pts/1        192.168.201.12  Thu Mar 12 09:03 - 09:19  (00:15)
root   pts/0        dev-db-server   Wed Mar 11 20:11 - 20:50  (00:39)

Security Hardening Linux using sysctl.conf

 

sysctl is an interface that allows you to make changes to a running Linux kernel. With /etc/sysctl.conf you can configure various Linux networking and system settings such as:

  1. Limit network-transmitted configuration for IPv4
  2. Limit network-transmitted configuration for IPv6
  3. Turn on execshield protection
  4. Prevent against the common ‘syn flood attack’
  5. Turn on source IP address verification
  6. Prevents a cracker from using a spoofing attack against the IP address of the server.
  7. Logs several types of suspicious packets, such as spoofed packets, source-routed packets, and redirects.

sysctl command

The sysctl command is used to modify kernel parameters at runtime. /etc/sysctl.conf is a text file containing sysctl values to be read in and set by sysct at boot time. To view current values, enter:

# sysctl -a
# sysctl -A
# sysctl net.ipv4.conf.all.rp_filter

Sample /etc/sysctl.conf

Edit /etc/sysctl.conf and update it as follows. The file is documented with comments.

# The following is suitable for dedicated web server, mail, ftp server etc. 
# ---------------------------------------
# BOOLEAN Values:
# a) 0 (zero) - disabled / no / false
# b) Non zero - enabled / yes / true
# --------------------------------------
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
 
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
 
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
 
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
 
# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1
 
# Controls the use of TCP syncookies
# net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 2
 
########## IPv4 networking start ##############
# Send redirects, if router, but this is just server
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
 
# Accept packets with SRR option? No
net.ipv4.conf.all.accept_source_route = 0
 
# Accept Redirects? No, this is not router
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
 
# Log packets with impossible addresses to kernel log? yes
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
 
# Ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast
net.ipv4.icmp_echo_ignore_broadcasts = 1
 
# Prevent against the common 'syn flood attack'
net.ipv4.tcp_syncookies = 1
 
# Enable source validation by reversed path, as specified in RFC1812
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
 
########## IPv6 networking start ##############
# Number of Router Solicitations to send until assuming no routers are present.
# This is host and not router
net.ipv6.conf.default.router_solicitations = 0
 
# Accept Router Preference in RA?
net.ipv6.conf.default.accept_ra_rtr_pref = 0
 
# Learn Prefix Information in Router Advertisement
net.ipv6.conf.default.accept_ra_pinfo = 0
 
# Setting controls whether the system will accept Hop Limit settings from a router advertisement
net.ipv6.conf.default.accept_ra_defrtr = 0
 
# Router advertisements can cause the system to assign a global unicast address to an interface
net.ipv6.conf.default.autoconf = 0
 
# How many neighbor solicitations to send out per address?
net.ipv6.conf.default.dad_transmits = 0
 
# How many global unicast IPv6 addresses can be assigned to each interface?
net.ipv6.conf.default.max_addresses = 1
 
########## IPv6 networking ends ##############
 
# Enable ExecShield protection
kernel.exec-shield = 1
kernel.randomize_va_space = 1
 
# TCP and memory optimization 
# increase TCP max buffer size set using setsockopt()
#net.ipv4.tcp_rmem = 4096 87380 8388608
#net.ipv4.tcp_wmem = 4096 87380 8388608
 
# Increase Linux auto tuning TCP buffer limits
#net.core.rmem_max = 8388608
#net.core.wmem_max = 8388608
#net.core.netdev_max_backlog = 5000
#net.ipv4.tcp_window_scaling = 1
 
# Increase system file descriptor limit    
fs.file-max = 65535
 
# Allow for more PIDs 
kernel.pid_max = 65536
 
# Increase system IP port limits
net.ipv4.ip_local_port_range = 2000 65000

To use this settings paste the above sysctl variables in /etc/sysctl.conf and ask sysctl command to read and apply the newly added conf settings:

# sysctl -p

Hopefully you should not get errors while applying the sysctl settings, if you get some errors, it’s possible some of the variable is differently named (depending on the Linux kernel version) or the Linux distribution on which sysctl are implemented.