Quickly discover who is logged in and what he is doing, using small, reliable commands. 16.11.2025 | reading time: 2 min On a busy server, knowing who is logged in can save time and prevent surprises; run a few small commands and see live results. Run a fast check Do this now to see active sessions; open a terminal and run the following demo to get immediate feedback. ```bash $ w 10:12:34 up 3 days, 4:50, 2 users, load average: 0.00, 0.01, 0.05 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT alice pts/0 192.168.1.10 09:12 1:23 0.05s 0.02s -bash bob pts/1 192.168.1.11 09:20 0.01s 0.10s 0.01s sshd: bob [priv] ``` Next, run `who` for a concise list and `users` for a quick username-only view. Check login history Inspect recent logins with `last`; it reads the system wtmp file and shows past sessions, which helps track reconnects and unexpected access. ```bash $ last -n 5 alice pts/0 192.168.1.10 Sun Nov 16 09:12 still logged in bob pts/1 192.168.1.11 Sun Nov 16 09:20 - 09:50 (00:30) reboot system boot 5.4.0-100-generic Sun Nov 16 08:00 - 10:12 (02:12) ``` Read top to bottom to follow the timeline. Useful options to remember Use `who -uH` to include idle times and process IDs; use `w -h` to hide the header when scripting; combine `last` with `-f` to point at alternate wtmp files for forensic work. Beyond simple checks If a service supports sessions, inspect related processes or network sockets to verify real activity; for example, correlate `ss -tnp` with `ps` to find which SSH child belongs to a logged-in user. When to act If an unexpected user appears, investigate immediately; check login source, session PID and shell history, then lock or disable the account if necessary to contain a breach. Keep learning Mastering these tools is practical and fast; next, practice automating reports and alerts so he always knows who is on critical systems. Join Bits & Bytes Academy First class LINUX exam preparation. utilities processes security troubleshooting
