The regex in sshd-ddos.conf is:

    ^%(__prefix_line)sDid not receive identification string from <HOST>\s*$

But the lines I see in auth.log are:

    Did not receive identification string from A.B.C.D port 12345

So the regex needs to be updated to something like:

    ...from <HOST>.*$

m.
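The mismatch reported above can be reproduced offline. This is an added example, not part of the original report or of fail2ban itself. It assumes simplified stand-ins for fail2ban's `%(__prefix_line)s` and `<HOST>` substitutions, uses constructed log lines with documentation-range addresses, and adds a "tighter" variant that is a suggestion of this example, not something the report proposes.

```python
import re

# Simplified stand-ins (assumptions) for fail2ban's own substitutions.
PREFIX = r"\S+\s+\d+ [\d:]+ \S+ sshd\[\d+\]: "   # replaces %(__prefix_line)s
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"      # replaces <HOST>, IPv4 only

TEMPLATES = {
    # Regex quoted in the report as shipped in sshd-ddos.conf.
    "shipped": r"^%(__prefix_line)sDid not receive identification string from <HOST>\s*$",
    # Change proposed in the report: accept anything after the host.
    "proposed": r"^%(__prefix_line)sDid not receive identification string from <HOST>.*$",
    # Added alternative (not from the report): accept only an optional port suffix.
    "tighter": r"^%(__prefix_line)sDid not receive identification string from <HOST>(?: port \d+)?\s*$",
}

# Constructed auth.log lines: without port, with port, with unexpected
# trailing text, and an unrelated sshd message.
LOG = [
    "Jan 10 03:14:07 srv sshd[2211]: Did not receive identification string from 192.0.2.10",
    "Jan 10 03:15:42 srv sshd[2230]: Did not receive identification string from 198.51.100.7 port 12345",
    "Jan 10 03:16:01 srv sshd[2241]: Did not receive identification string from 203.0.113.5 port 4000 extra",
    "Jan 10 03:17:30 srv sshd[2250]: Accepted publickey for alice from 203.0.113.9 port 50022 ssh2",
]


def compile_failregex(template):
    """Expand the two placeholders and compile the resulting pattern."""
    expanded = template.replace("%(__prefix_line)s", PREFIX).replace("<HOST>", HOST)
    return re.compile(expanded)


def matched_hosts(name, lines=LOG):
    """Return the hosts the named regex would extract from the given lines."""
    rx = compile_failregex(TEMPLATES[name])
    return [m.group("host") for m in map(rx.match, lines) if m]


if __name__ == "__main__":
    for name in TEMPLATES:
        print(f"{name:9s} -> {matched_hosts(name)}")
```

The shipped pattern misses every line that carries the `port` suffix, so those hosts are never counted toward a ban; the `.*$` form catches them but also accepts arbitrary trailing text.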