Common commands useful when debugging in rescue mode

Checking login sessions for various server can be done using

sudo less /var/log/auth.log

View the most recent logins

If you just want to check the most recent logins, it’s even simpler. Back in the command-line, type last and press Enter.

The output will look something like this:

root     pts/0        12.34.567.89    Fri Jan  8 15:30   still logged in
root     pts/0        12.34.567.89    Fri Jan  8 15:13 - 15:29  (00:16)
reboot   system boot  5.4.0-1009-kvm   Fri Jan  8 15:07   still running

The last tool pulls its data from /var/log/wtmp, which is written to each time a user logs in. It’ll show username, tty, IP address, date and time, and session start/stop times.

If that’s too verbose, you can apply filters to the command with the following syntax:

last [OPTIONS] [USER] [<TTY>...]

Let’s look at an example. If we wanted to view all of the logins from the root user, we could run:

last root
root     pts/0        12.345.678.90    Fri Jan  8 15:30   still logged in
root     pts/0        12.345.678.90    Fri Jan  8 15:13 - 15:29  (00:16)

See when users last logged in

If you notice an unauthorized change to the system, it’s often useful to see when each user last logged in. This way, you can determine who made the adjustment. We can do this via the lastlog command, which pulls data from /etc/log/lastlog and sorts them by /etc/password entries:

Username         Port     From             Latest
root             pts/0    12.345.678.90    Fri Jan  8 15:30:06 +0000 2021
daemon                                     **Never logged in**
bin                                        **Never logged in**
sys                                        **Never logged in**
sync                                       **Never logged in**
bitlaunch        pts/1    Fri Jan  8 16:09:53 +0000 2021
hack0r           pts/1    Fri Jan  8 16:10:20 +0000 2021

You’ll notice quite a few users with a **Never logged in** entry in the Latest column. This is normal on account of them being system users.

Mounting the drive(s) in the Rescue System

First, you should determine the partition identifiers of your system by running the command lsblk.

root@rescue ~ # lsblk
loop0     7:0    0     4G  1 loop
sda       8:0    0 447.1G  0 disk
├─sda1    8:1    0     4G  0 part
├─sda2    8:2    0   512M  0 part
└─sda3    8:3    0 442.6G  0 part
sdb       8:16   0 447.1G  0 disk
└─sdb1    8:17   0   446G  0 part

Now you can mount the correct partition within an empty folder, for example, using /mnt.

mount /dev/md2 /mnt

Resetting the root password

To reset the root password of an installed Linux or BSD system, you need to mount the system partition as explained in the previous section of this article: “Mounting the Drive(s) in the Rescue System”. Then use chroot to switch into the root environment of the mounted system.

chroot-prepare /mnt
chroot /mnt

You can now change the password of the user “root”.


Finally, exit the root environment.

Ubuntu Rescue Guide

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.