[opensuse-factory] Re: [opensuse] What is with the script kiddies tonight??
Carlos E. R. wrote:
ROTFL!
But where are they getting that string from?
I tried adding your code, modified, to /etc/hosts.allow:
#sshd : my.remote.ip : ALLOW
#sshd : LOCAL : ALLOW
sshd : ALL : twist /bin/echo -e "\n\n\tAccess Denied from %h\tSo kindly FOADAH\n";sleep 10
<snip>
So... the log entry is entirely local. They don't get any text message, but your log is filled with refuse :-p
You'd better modify that line of yours ;-)
Carlos,

Glad I didn't go with my first thought:

sshd : ALL : twist /bin/echo "FOADAH"; cat /usr/bin/mplayer

There are two rather significant issues with the hosts.allow handling. First, there is a hell-of-a-lot-of difference between the workings and syntax of the files between 10.3 and 11.0 (similar to zypper changes) and second, before we can direct the string back to the attacker, we have to overcome the default redirection of everything to /dev/null. Supposedly twist was a way of handling it for ftp, etc., but not for ssh. I don't know why sshd is different in that regard, but it is.

--
David C. Rankin, J.D.,P.E. | openSoftware und SystemEntwicklung
Rankin Law Firm, PLLC | Countdown for openSuSE 11.1
www.rankinlawfirm.com | http://counter.opensuse.org/11.1/small