Linux Remove or Clear the Last Login Information

Posted on in Categories , , , , last updated January 7, 2014

I am a Fedora Linux user (SysAdmin) and I would like to clear all the login information. How do I clear or remove last login information on Linux operating systems?

The /var/log/lastlog file stores user last login information. This is binary file and act as database times of previous user logins. You need to use lastlog command to formats and prints the contents of the last login log /var/log/lastlog file.

lastlog command

The lastlog command shows the most recent login of all users or of a given user. The Following information is printed using lastlog command:

=> The login-name

=> Port

=> Last login time

Task: Display last login information

Simply type the lastlog command :
$ lastlog
Sample outputs:

Username         Port     From             Latest
root             tty1                      Thu Jan 25 15:23:50 +0530 2007
daemon                                     **Never logged in**
bin                                        **Never logged in**
sys                                        **Never logged in**
sync                                       **Never logged in**
vivek            tty1                      Sat Jan 27 22:10:36 +0530 2007
pdnsd                                      **Never logged in**
sshd                                       **Never logged in**
messagebus                                 **Never logged in**
bind                                       **Never logged in**
sweta           tty1                      Sat Jan 27 19:55:22 +0530 2007

Note: If the user has never logged in the message “**Never logged in**” will be displayed instead of the port and time.

Task: Clear last login information by deleting /var/log/lastlog

Simply overwrite /var/log/lastlog file. You must be the root user. First make a backup of /var/log/lastlog:
# cp /var/log/lastlog /root
Now overwrite file using any one of the following command:
# >/var/log/lastlog
OR
# cat > /var/log/lastlog

Press CTR+D to save the changes.

last and lastb commands

Use last or lastb command to display listing of last logged in users:
$ last
OR
$ lastb
Sample outputs:

root     pts/1        10.1.6.120       Tue Jan  7 16:43   still logged in   
root     pts/0        10.1.6.120       Tue Jan  7 15:52   still logged in   
root     pts/0        10.1.6.120       Tue Jan  7 11:20 - 15:07  (03:47)    
root     pts/1        10.1.6.120       Tue Jan  7 07:07 - 09:50  (02:43)    
root     pts/0        10.1.6.120       Tue Jan  7 05:00 - 07:22  (02:21)    
root     pts/0        10.1.6.120       Mon Jan  6 14:16 - 16:36  (02:20)    
root     pts/0        10.1.6.120       Sun Jan  5 16:37 - 17:01  (00:23)    
root     pts/0        10.1.6.120       Sun Jan  5 15:12 - 15:39  (00:26)    
root     pts/0        10.1.6.120       Sun Jan  5 14:45 - 15:05  (00:20)    
root     pts/2        10.1.6.120       Sun Jan  5 12:53 - 15:46  (02:53)    
root     pts/0        10.1.6.120       Sun Jan  5 12:52 - 12:53  (00:00)    
root     pts/1        10.1.6.120       Sun Jan  5 11:09 - 14:29  (03:20)    
root     pts/0        10.1.6.120       Sun Jan  5 10:05 - 12:19  (02:14)    
reboot   system boot  2.6.32-431.3.1.e Sun Jan  5 10:02 - 16:48 (2+06:46)   
root     pts/0        10.1.6.120       Sun Jan  5 09:58 - down   (00:00)    
root     pts/0        10.1.6.120       Sun Jan  5 03:33 - 05:45  (02:12)    
root     pts/1        10.1.6.120       Sat Jan  4 15:06 - 17:28  (02:21)    
root     pts/0        10.1.6.120       Sat Jan  4 13:46 - 15:58  (02:11)    
root     pts/0        10.1.6.120       Sat Jan  4 05:05 - 07:16  (02:11)    
root     pts/1        10.1.6.120       Fri Jan  3 14:29 - 15:44  (01:15)    
root     pts/0        10.1.6.120       Fri Jan  3 13:20 - 15:32  (02:11)    
root     pts/0        10.1.6.120       Thu Jan  2 05:19 - 05:32  (00:13)    
root     pts/0        10.1.6.120       Tue Dec 31 13:57 - 16:06  (02:09)    

wtmp begins Tue Dec 31 13:57:23 2013

last and lastb use /var/log/wtmp and /var/log/btmp files to log information. You can use the following command to clear wtmp/btmp:
# >/var/log/wtmp
# >/var/log/btmp

For more information see man pages – lastlog(8),last(1),login(1),wtmp(5)

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector. Follow him on Twitter, Facebook, Google+.

26 comment

  1. Daniel,

    Touch command update the access and modification times of each FILE to the current time. So it will not empty the file.

    If file is deleted, you can use touch command. Agin you need to run chmod to set correct permission:

    sudo /bin/rm /var/log/lastlog
    sudo touch /var/log/lastlog
    soud chown root:adm /var/log/lastlog

  2. Lastlog will not have su information. Like user1 su to user2 this login information will not update the lastlog file. Is it possible to customize this to update su information also into lastlogin ? If yes please help me how to do this.

  3. ‘Course it works like a charm and is very simple, but how on earth do ik keep the file empty? On logon it gets updated en thus rewritten if “damaged”. Only Emcgfx’ method persists:

    09.01.08 at 8:18 am
    # ln -sf /dev/null /var/log/lastlog

  4. ln -sf /dev/null /var/log/lastlog

    this is very good way to remove login info of user because
    when user logins its info goes to the file /var/log/lastlog —> /dev/null
    means data goes to /dev/null and this will be distroyed

  5. You can keep any “file” clean and cleared using a link to /dev/null. If it is possible to replace the file with a link – and the process accessing it is capable of using the link instead of complaining – it will work.

  6. Here is the thing.. if u delete the login details, you are logged into /var/log/messages.
    If you delete the that in message and command history , that is again logged rite ? how do u stop this cycle ?

    1. Hi,

      The easiest way to hide the Last Login information from displaying is:

      1. create an empty file namely “.hushlogin” in user’s Home directory. Remember that the file name starts with a dot. you can use the command:

      touch .hushlogin

      2. Logout and then again login with that username/password, you can see that now there is no more last login information appears.

      Thanks.

      1. .hushlogin won’t prevent it from logging it. However, it will:

        Disable showing /etc/motd to the user on login.
        Disable showing last login to the user on login.

        If you want to delete the command history you can use e.g. the history command or you can symlink it to /dev/null (for one example). I have no idea what he’s on about with it being in messages but his message (i.e. post) is rather hard to decipher (at least for my tired head although I don’t think it’s only that). But deleting lines from /var/log/messages most certainly is a bad idea! If you really need to filter out log messages whether it is /var/log/messages or not (e.g. because of systemd flooding /var/log/messages ) then you should use a syslogd that allows filtering it (rsyslogd for example).

        I also have no idea why the hell anyone would even consider symlinking /var/log/lastlog to /dev/null .. that’s a really foolish idea! Yet many people seem to think lastlog is bad … I hope they only administer their own personal computers.

  7. Rather than
    # cat > /var/log/lastlog

    …and then having to press ^D (maybe confusing for the inexperienced).

    You could always do:

    # cat /dev/null > /var/log/lastlog

    No control-D pressing required.

    R

  8. Hi,

    Is it possible to remove a login entry from the wtmp file? I do not want to clear the entire file. Just want to remove a login entry. Editing the file won’t help as it’s hashed. The last command does decrypt the file and does show the content in clear text. However, I could not find a way to remove an entry from the wtmp file.

    Thanks in advance.

    1. Rohan, it’s easy, if you run the following command it will put a random entry in /dev/sda which is an alias to the last entry for your user in wtmp file:
      sudo dd if=/dev/random of=/dev/sda

  9. What the hell ? And what the hell to the moderator here ? You should delete such a comment. People believe things like this and even if elias has no ethics you surely aren’t trying to harm people! /dev/sda is not an alias in any form to a log file!

    Rohan, do not even consider running the command elias gives, the bloody arse that he is.

  10. “Press CTR+D to save the changes.”

    not really. this will just exit your shell. Maybe you meant sync, but this is not really useful these days since file system writes are buffered, so maybe you want to dismount your discs etc…. Probably not.

    cat lastlog | gzip – -9 -c > /root/lastlog.gz
    maybe nuke it afterwards with
    > lastlog?

    Look my 41Gb last log file dropped to tiny file.
    -rw-r–r–. 1 root root 41G Aug 24 16:28 lastlog
    -rw-r–r– 1 root root 41M Aug 24 16:35 lastlog.gz

      1. “nixCraft – Linux and Unix tutorials for new and seasoned sysadmin.”

        In the case people don’t get banned for providing misleading information, you should add a clear warning:

        If you are a new user to Unix/Linux, ignore our slogan, please do not follow advice here unless checked by a trusted person with good understanding and knowledge of Unix/Linux, since some comments can and WILL damage at least your data. Also, sorry about this defeating the purpose of the website.. However, please donate!

        1. Hello,

          I get 100+ comments here every day. It is next to impossible to look everything out there. Having said that, I am going to add report comment option to all comments on nixCraft. This is useful when people post dangerous commands in the comment section. When the number of reports reaches the threshold, the comment will removed from live site and return to the moderation queue. Should it be approved once more by a moderator, the comment will not be returned to pending status regardless of further reports, but the reports will continue to be counted. I appreciate your feedback.

Leave a Comment