Exploring the Lesser-Known Command: lastb

2 minute read

In the realm of Unix-like operating systems, particularly Linux, there exists a wealth of commands that cater to various administrative needs, ranging from managing processes to tracking user activity. Among these commands, two often overlooked yet powerful tools are last and lastb. While both serve the purpose of displaying login records, they differ significantly in their scope and application.

Understanding last:

last is a command-line utility that displays a list of last logged in users. It extracts information from the /var/log/wtmp file, which stores all the login and logout records of users. The typical output of the last command includes the username, terminal, IP address, login time, and logout time (if available). It is an invaluable tool for system administrators to track user activities, audit logins, and diagnose security breaches.

Usage example:

$ last

Introducing lastb:

On the other hand, lastb is a command that is less familiar to many users compared to last. The ‘b’ in lastb stands for “bad”, indicating its primary use case: tracking failed login attempts. While last reads from /var/log/wtmp, lastb reads from /var/log/btmp, which specifically logs failed login attempts.

Usage example:

$ lastb

Differentiating Features:

  1. Data Focus:
    • last focuses on successful logins and provides a comprehensive record of user activity.
    • lastb, however, zeroes in on failed login attempts, making it particularly useful for security analysis and intrusion detection.
  2. Security Implications:
    • Monitoring lastb can help administrators identify potential security threats by pinpointing repeated failed login attempts, which may signify brute-force attacks or unauthorized access attempts.
    • last, while still crucial for auditing user behavior, may not highlight failed login attempts with the same immediacy as lastb.
  3. File Sources:
    • last retrieves data from the /var/log/wtmp file.
    • lastb retrieves data from the /var/log/btmp file.

Best Practices:

  • Regularly check both last and lastb logs to maintain a holistic view of user activity on your system.
  • Implement automated monitoring systems that parse these logs for anomalies and trigger alerts for suspicious activities.
  • Consider integrating these commands into your security protocols to fortify your system against unauthorized access attempts.


While last may enjoy more recognition among system administrators for its role in tracking user logins, lastb is equally essential, if not more so, for its ability to highlight failed login attempts and potential security threats. By leveraging both commands in tandem, administrators can gain comprehensive insights into user activities and fortify their systems against security breaches. In the realm of cybersecurity, knowledge and utilization of tools like lastb can make all the difference between a secure system and a compromised one.