Common commands useful when debugging in rescue mode
Checking login sessions on a server can be done by reading the authentication log:
sudo less /var/log/auth.log
View the most recent logins
If you just want to check the most recent logins, it’s even simpler. Back in the command line, run:
last
The output will look something like this:
root pts/0 12.34.567.89 Fri Jan 8 15:30 still logged in
root pts/0 12.34.567.89 Fri Jan 8 15:13 - 15:29 (00:16)
reboot system boot 5.4.0-1009-kvm Fri Jan 8 15:07 still running
The last tool pulls its data from /var/log/wtmp, which is written to each time a user logs in. It shows the username, tty, IP address, date and time, and session start/stop times.
If that’s too verbose, you can apply filters to the command with the following syntax:
last [OPTIONS] [USER] [<TTY>...]
Let’s look at an example. If we wanted to view all of the logins from the root user, we could run:
last root
OUTPUT:
root pts/0 12.345.678.90 Fri Jan 8 15:30 still logged in
root pts/0 12.345.678.90 Fri Jan 8 15:13 - 15:29 (00:16)
See when users last logged in
If you notice an unauthorized change to the system, it’s often useful to see when each user last logged in. This way, you can narrow down who made the adjustment. We can do this via the lastlog command, which pulls data from /var/log/lastlog and lists the entries in /etc/passwd order:
lastlog
Username Port From Latest
root pts/0 12.345.678.90 Fri Jan 8 15:30:06 +0000 2021
daemon **Never logged in**
bin **Never logged in**
sys **Never logged in**
sync **Never logged in**
bitlaunch pts/1 83.253.230.46 Fri Jan 8 16:09:53 +0000 2021
hack0r pts/1 83.253.230.46 Fri Jan 8 16:10:20 +0000 2021
You’ll notice quite a few users with a **Never logged in** entry in the Latest column. This is normal, since they are system accounts that are not meant for interactive login.
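The two checks above (sessions per user and source in last, and accounts in lastlog that have actually logged in) are easy to automate when triaging a box. The following POSIX shell script is an added example, not part of the original article: it runs over constructed sample output embedded inline (the addresses and times are made up to match the examples above), and on a real system you would instead pipe in the live output, for example last -i | audit_last and lastlog | audit_lastlog "root bitlaunch". The allowlist of expected interactive users passed to audit_lastlog is an assumption you must adapt per host.

```shell
#!/bin/sh
# Added example (not from the original article): summarise `last` and `lastlog`
# output the way a responder would when checking a machine in rescue mode.

# Constructed sample of `last` output (made-up values modelled on the article).
SAMPLE_LAST='root     pts/0        12.34.567.89     Fri Jan  8 15:30   still logged in
root     pts/0        12.34.567.89     Fri Jan  8 15:13 - 15:29  (00:16)
bitlaunch pts/1       83.253.230.46    Fri Jan  8 16:09 - 16:10  (00:01)
hack0r   pts/1        83.253.230.46    Fri Jan  8 16:10 - 16:45  (00:35)
reboot   system boot  5.4.0-1009-kvm   Fri Jan  8 15:07   still running

wtmp begins Fri Jan  8 15:07:01 2021'

# Constructed sample of `lastlog` output (same made-up values).
SAMPLE_LASTLOG='Username         Port     From             Latest
root             pts/0    12.345.678.90    Fri Jan  8 15:30:06 +0000 2021
daemon                                     **Never logged in**
bin                                        **Never logged in**
bitlaunch        pts/1    83.253.230.46    Fri Jan  8 16:09:53 +0000 2021
hack0r           pts/1    83.253.230.46    Fri Jan  8 16:10:20 +0000 2021'

# audit_last: reads `last` output on stdin and prints, per user and source
# address, how many sessions were seen and how many are still open.
# Reboot records, the trailing "wtmp begins" line and blank lines are skipped.
audit_last() {
  awk '
    NF == 0 || $1 == "reboot" || $1 == "wtmp" { next }
    {
      key = $1 " " $3               # username and originating host/IP
      count[key]++
      if ($0 ~ /still logged in/) active[key]++
    }
    END {
      for (k in count)
        printf "%s sessions=%d active=%d\n", k, count[k], active[k] + 0
    }
  ' | sort
}

# audit_lastlog: reads `lastlog` output on stdin; the argument is a
# space-separated allowlist of accounts expected to log in interactively
# (an assumption you set per host). Accounts that have logged in but are not
# on the list are reported with their source address and timestamp.
audit_lastlog() {
  awk -v allow=" $1 " '
    NR == 1 { next }                       # column header
    $2 == "**Never" { next }               # "**Never logged in**" entries
    index(allow, " " $1 " ") == 0 {
      printf "UNEXPECTED %s from %s at %s %s %s %s %s %s\n",
             $1, $3, $4, $5, $6, $7, $8, $9
    }
  '
}

# Run both checks over the constructed samples when executed directly.
demo() {
  printf '%s\n' "$SAMPLE_LAST" | audit_last
  printf '%s\n' "$SAMPLE_LASTLOG" | audit_lastlog "root bitlaunch"
}
```

With the constructed samples, audit_last reports two root sessions from 12.34.567.89 (one still open) and one session each for bitlaunch and hack0r from 83.253.230.46, while audit_lastlog with the allowlist "root bitlaunch" flags only hack0r. On a live system, note that both wtmp and lastlog are plain files writable by root, so an intruder with root can trim them; treat a clean result as one signal among others (the auth.log from the first section, and shell histories, are worth comparing against).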
Mounting the drive(s) in the Rescue System
First, determine the partition identifiers of your system by running the command lsblk.
root@rescue ~ # lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
loop0 7:0 0 4G 1 loop
sda 8:0 0 447.1G 0 disk
├─sda1 8:1 0 4G 0 part
├─sda2 8:2 0 512M 0 part
└─sda3 8:3 0 442.6G 0 part
sdb 8:16 0 447.1G 0 disk
└─sdb1 8:17 0 446G 0 part
Now you can mount the correct partition on an empty directory, for example /mnt. On a system installed with software RAID the root filesystem lives on an md device such as /dev/md2 in the command below; on a plain install it is one of the partitions listed by lsblk.
mount /dev/md2 /mnt
Resetting the root password
To reset the root password of an installed Linux or BSD system, you need to mount the system partition as explained in the previous section of this article, “Mounting the drive(s) in the Rescue System”. Then use chroot to switch into the root environment of the mounted system.
chroot-prepare /mnt
chroot /mnt
You can now change the password of the user “root”.
passwd
Finally, exit the root environment.
exit
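The mount, chroot-prepare, chroot, passwd, exit sequence above is short, but a typo in the mountpoint or device can hide live files under a mount or leave bind mounts behind. The script below is an added example and not the rescue system's own tooling: it wraps the same steps with sanity checks and cleanup. It uses the page's chroot-prepare helper when that command exists; otherwise it falls back to bind-mounting /dev, /proc and /sys itself, which is this script's assumption about what the chroot needs, not a description of what chroot-prepare does. DRY_RUN=1 (the default here) only prints the planned commands; DRY_RUN=0 executes them and must be run as root in the rescue system.

```shell
#!/bin/sh
# Added example (not from the original article): mount the installed system,
# enter it with chroot, reset root's password, and unmount again, with checks.
# DRY_RUN=1 prints the commands instead of running them (assumed default).
DRY_RUN="${DRY_RUN:-1}"

# run: print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The mountpoint must exist and be empty, so nothing live gets hidden under it.
check_mountpoint() {
  [ -d "$1" ] || { echo "no such directory: $1" >&2; return 1; }
  [ -z "$(ls -A "$1")" ] || { echo "refusing to mount over non-empty $1" >&2; return 1; }
}

# The device must be a block device (e.g. /dev/md2, or a partition from lsblk).
check_device() {
  [ -b "$1" ] || { echo "not a block device: $1" >&2; return 1; }
}

# Fallback for systems without chroot-prepare: bind-mount the pseudo
# filesystems a chroot needs (this script's assumption, not chroot-prepare's).
prepare_chroot() {
  for d in dev proc sys; do run mount --bind "/$d" "$1/$d"; done
}

# Undo the bind mounts in reverse order, then unmount the system partition.
cleanup_chroot() {
  for d in sys proc dev; do run umount "$1/$d"; done
  run umount "$1"
}

# rescue_root_reset DEVICE MOUNTPOINT
# Returns non-zero without touching anything if a check fails.
rescue_root_reset() {
  dev="$1"; mnt="$2"
  check_mountpoint "$mnt" || return 1
  [ "$DRY_RUN" = 1 ] || check_device "$dev" || return 1
  run mount "$dev" "$mnt"
  if command -v chroot-prepare >/dev/null 2>&1; then
    run chroot-prepare "$mnt"      # the rescue system's helper from the article
  else
    prepare_chroot "$mnt"
  fi
  # passwd runs inside the installed system, so it rewrites that system's shadow file.
  run chroot "$mnt" passwd root
  cleanup_chroot "$mnt"
}

# Typical call in the rescue system (dry run by default):
#   rescue_root_reset /dev/md2 /mnt
```

Running it with DRY_RUN=1 first and reading the printed plan is a cheap way to catch a wrong device before anything is mounted; the non-empty-directory check is what stops an accidental mount over a populated /mnt.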