Lars Behrens wrote: > in my log files I found that for all the hosts which have been banned, I can > find an entry > > 'Did not receive identification string from xxx.xxx.xxx.xxx' > > a while ahead of the login attempts. Obviously there is some kind of scanning. > > All of the banned hosts - and only those - have that entry so it should be > quite save to use that entry as additional criterion to block hosts, but > setting > > 'USERDEF_FAILED_ENTRY_REGEX=(.*Did not receive identification string from.*)' > > does not do the trick. > > Any ideas for me?
Don't waste your time, there is already a regex to match those, is one of the built-in regexes. That regex is used just like the others, there is no way to specify that you want it to ban on one match and the others to follow regular parameters. I've seen that rule alone ban IPs, when the attacker makes several connections. -- René Berber ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/ _______________________________________________ Denyhosts-user mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/denyhosts-user
