≡ Menu

Linux Remove or Clear the Last Login Information

I am a Fedora Linux user (SysAdmin) and I would like to clear all the login information. How do I clear or remove last login information on Linux operating systems?

The /var/log/lastlog file stores user last login information. This is binary file and act as database times of previous user logins. You need to use lastlog command to formats and prints the contents of the last login log /var/log/lastlog file.

lastlog command

The lastlog command shows the most recent login of all users or of a given user. The Following information is printed using lastlog command:

=> The login-name

=> Port

=> Last login time

Task: Display last login information

Simply type the lastlog command :
$ lastlog
Sample outputs:

Username         Port     From             Latest
root             tty1                      Thu Jan 25 15:23:50 +0530 2007
daemon                                     **Never logged in**
bin                                        **Never logged in**
sys                                        **Never logged in**
sync                                       **Never logged in**
vivek            tty1                      Sat Jan 27 22:10:36 +0530 2007
pdnsd                                      **Never logged in**
sshd                                       **Never logged in**
messagebus                                 **Never logged in**
bind                                       **Never logged in**
sweta           tty1                      Sat Jan 27 19:55:22 +0530 2007

Note: If the user has never logged in the message “**Never logged in**” will be displayed instead of the port and time.

Task: Clear last login information by deleting /var/log/lastlog

Simply overwrite /var/log/lastlog file. You must be the root user. First make a backup of /var/log/lastlog:
# cp /var/log/lastlog /root
Now overwrite file using any one of the following command:
# >/var/log/lastlog
OR
# cat > /var/log/lastlog

Press CTR+D to save the changes.

last and lastb commands

Use last or lastb command to display listing of last logged in users:
$ last
OR
$ lastb
Sample outputs:

root     pts/1        10.1.6.120       Tue Jan  7 16:43   still logged in
root     pts/0        10.1.6.120       Tue Jan  7 15:52   still logged in
root     pts/0        10.1.6.120       Tue Jan  7 11:20 - 15:07  (03:47)
root     pts/1        10.1.6.120       Tue Jan  7 07:07 - 09:50  (02:43)
root     pts/0        10.1.6.120       Tue Jan  7 05:00 - 07:22  (02:21)
root     pts/0        10.1.6.120       Mon Jan  6 14:16 - 16:36  (02:20)
root     pts/0        10.1.6.120       Sun Jan  5 16:37 - 17:01  (00:23)
root     pts/0        10.1.6.120       Sun Jan  5 15:12 - 15:39  (00:26)
root     pts/0        10.1.6.120       Sun Jan  5 14:45 - 15:05  (00:20)
root     pts/2        10.1.6.120       Sun Jan  5 12:53 - 15:46  (02:53)
root     pts/0        10.1.6.120       Sun Jan  5 12:52 - 12:53  (00:00)
root     pts/1        10.1.6.120       Sun Jan  5 11:09 - 14:29  (03:20)
root     pts/0        10.1.6.120       Sun Jan  5 10:05 - 12:19  (02:14)
reboot   system boot  2.6.32-431.3.1.e Sun Jan  5 10:02 - 16:48 (2+06:46)
root     pts/0        10.1.6.120       Sun Jan  5 09:58 - down   (00:00)
root     pts/0        10.1.6.120       Sun Jan  5 03:33 - 05:45  (02:12)
root     pts/1        10.1.6.120       Sat Jan  4 15:06 - 17:28  (02:21)
root     pts/0        10.1.6.120       Sat Jan  4 13:46 - 15:58  (02:11)
root     pts/0        10.1.6.120       Sat Jan  4 05:05 - 07:16  (02:11)
root     pts/1        10.1.6.120       Fri Jan  3 14:29 - 15:44  (01:15)
root     pts/0        10.1.6.120       Fri Jan  3 13:20 - 15:32  (02:11)
root     pts/0        10.1.6.120       Thu Jan  2 05:19 - 05:32  (00:13)
root     pts/0        10.1.6.120       Tue Dec 31 13:57 - 16:06  (02:09)
wtmp begins Tue Dec 31 13:57:23 2013

last and lastb use /var/log/wtmp and /var/log/btmp files to log information. You can use the following command to clear wtmp/btmp:
# >/var/log/wtmp
# >/var/log/btmp

For more information see man pages – lastlog(8), last(1), login(1), wtmp(5)

Share this tutorial on:
{ 20 comments… add one }
  • Daniel K January 29, 2007, 7:17 am

    maybe simpler:

    sudo touch /var/log/lastlog ?

  • nixCraft January 29, 2007, 3:07 pm

    Daniel,

    Touch command update the access and modification times of each FILE to the current time. So it will not empty the file.

    If file is deleted, you can use touch command. Agin you need to run chmod to set correct permission:

    sudo /bin/rm /var/log/lastlog
    sudo touch /var/log/lastlog
    soud chown root:adm /var/log/lastlog

  • Vasudeva May 2, 2008, 3:34 pm

    Lastlog will not have su information. Like user1 su to user2 this login information will not update the lastlog file. Is it possible to customize this to update su information also into lastlogin ? If yes please help me how to do this.

  • emcgfx September 1, 2008, 8:18 am

    ln -sf /dev/null /var/log/lastlog

  • Amit Verma February 2, 2009, 12:04 pm

    Even Simpler (to remove the contents of file /var/log/lastlog)
    Type –

    >/var/log/lastlog

    Thatis it. File/Log everything is clear..

  • Schop March 16, 2009, 6:36 pm

    ‘Course it works like a charm and is very simple, but how on earth do ik keep the file empty? On logon it gets updated en thus rewritten if “damaged”. Only Emcgfx’ method persists:

    09.01.08 at 8:18 am
    # ln -sf /dev/null /var/log/lastlog

  • choyal July 14, 2009, 3:29 am

    ln -sf /dev/null /var/log/lastlog

    this is very good way to remove login info of user because
    when user logins its info goes to the file /var/log/lastlog —> /dev/null
    means data goes to /dev/null and this will be distroyed

  • Me September 18, 2009, 4:43 pm

    That didn’t work for me on CentOS 5.2

    I had a file named ‘wtmp’ (/var/log/wtmp?) that also needed emptying

  • Schop September 18, 2009, 7:01 pm

    You can keep any “file” clean and cleared using a link to /dev/null. If it is possible to replace the file with a link – and the process accessing it is capable of using the link instead of complaining – it will work.

  • Steven April 23, 2010, 7:30 pm

    Depending on your shell settings, you may have to replace:
    >/var/log/lastlog
    with:
    >|/var/log/lastlog

  • qweeak September 10, 2011, 8:55 pm

    Here is the thing.. if u delete the login details, you are logged into /var/log/messages.
    If you delete the that in message and command history , that is again logged rite ? how do u stop this cycle ?

    • Shakeel Ahmed April 6, 2012, 7:52 am

      Hi,

      The easiest way to hide the Last Login information from displaying is:

      1. create an empty file namely “.hushlogin” in user’s Home directory. Remember that the file name starts with a dot. you can use the command:

      touch .hushlogin

      2. Logout and then again login with that username/password, you can see that now there is no more last login information appears.

      Thanks.

      • Cody March 16, 2016, 4:26 pm

        .hushlogin won’t prevent it from logging it. However, it will:

        Disable showing /etc/motd to the user on login.
        Disable showing last login to the user on login.

        If you want to delete the command history you can use e.g. the history command or you can symlink it to /dev/null (for one example). I have no idea what he’s on about with it being in messages but his message (i.e. post) is rather hard to decipher (at least for my tired head although I don’t think it’s only that). But deleting lines from /var/log/messages most certainly is a bad idea! If you really need to filter out log messages whether it is /var/log/messages or not (e.g. because of systemd flooding /var/log/messages ) then you should use a syslogd that allows filtering it (rsyslogd for example).

        I also have no idea why the hell anyone would even consider symlinking /var/log/lastlog to /dev/null .. that’s a really foolish idea! Yet many people seem to think lastlog is bad … I hope they only administer their own personal computers.

  • Earl Fox July 9, 2012, 2:12 pm

    Why would I ever need a backup of such creepy ass*ole file as lastlog?

  • Raphael September 3, 2013, 12:29 pm

    Rather than
    # cat > /var/log/lastlog

    …and then having to press ^D (maybe confusing for the inexperienced).

    You could always do:

    # cat /dev/null > /var/log/lastlog

    No control-D pressing required.

    R

    • Cody March 16, 2016, 4:31 pm

      Useless use of cat (although it’s true what you offer would work and there are still other ways).

      Hopefully I have the escape right :

      > /var/log/lastlog

  • Rohan February 24, 2016, 4:26 pm

    Hi,

    Is it possible to remove a login entry from the wtmp file? I do not want to clear the entire file. Just want to remove a login entry. Editing the file won’t help as it’s hashed. The last command does decrypt the file and does show the content in clear text. However, I could not find a way to remove an entry from the wtmp file.

    Thanks in advance.

    • elias March 2, 2016, 2:10 pm

      Rohan, it’s easy, if you run the following command it will put a random entry in /dev/sda which is an alias to the last entry for your user in wtmp file:
      sudo dd if=/dev/random of=/dev/sda

  • Cody March 16, 2016, 4:28 pm

    What the hell ? And what the hell to the moderator here ? You should delete such a comment. People believe things like this and even if elias has no ethics you surely aren’t trying to harm people! /dev/sda is not an alias in any form to a log file!

    Rohan, do not even consider running the command elias gives, the bloody arse that he is.

    • Rohan April 14, 2016, 4:21 pm

      I ran that command yesterday and it worked perfectly. The last entry was removed.
      elias, thanks for the help!!
      Cody, please stop trolling the forums.

Leave a Comment


   Tagged with: , , , , ,