/etc/hosts.deny:

ALL: ALL: spawn ( echo attempt from %h %a to %d at `date` | tee -a /var/log/access.log | mail -s "illegal access %h to %d" jurriaan@middle.of.nowhere ) : twist /bin/cat /usr/local/etc/access_message

/usr/local/etc/access_message:

220 middle.of.nowhere FTP server (Version 0.0.01Alpha with very special bugs) ready.... Just Kidding! This attempt has been logged. Feel free to depart at your earliest convenience.

However, I may have been reading too many BOFH stories :-)

Ugh. Double Ugh. Triple Ugh. Class, what did Mr. Jurriaan do wrong?

1) spawn-ing off shell processes; this leads to a possible denial of service if I flood his port 21 with connections (using octopus for example).
2) sending email for each connection attempt. 10-20 minutes of packet flooding to port 21 would kill his server.
3) using twist to spawn off a shell command to print a banner, when tcp_wrappers has a built-in facility to print banners.

My weekly column will actually be covering this issue on Nov 15th. As far as replacing banners goes, most attackers will just go for a non-subtle approach and try their exploit against every machine, not caring if it works or not; chances are they'll get at least a few. There are much more intelligent things to do with banners/tcp_wrappers.

Good luck, Jurriaan
-Kurt
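
The per-connection mail criticised in the reply can be replaced by a scheduled summary of the log. The following is an added example, not part of the original thread: it parses lines in the `attempt from %h %a to %d at ...` format written by the hosts.deny rule above and builds one size-bounded digest. The function names, the `top` limit and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Matches lines written by the spawn rule: "attempt from %h %a to %d at `date`"
LINE_RE = re.compile(r"^attempt from (\S+) (\S+) to (\S+) at (.+)$")

# Constructed sample lines in that format (documentation addresses, not real data).
SAMPLE_LOG = """\
attempt from scanner.example.net 192.0.2.10 to in.ftpd at Mon Nov  8 14:02:11 CET 1999
attempt from scanner.example.net 192.0.2.10 to in.ftpd at Mon Nov  8 14:02:11 CET 1999
attempt from scanner.example.net 192.0.2.10 to in.ftpd at Mon Nov  8 14:02:12 CET 1999
attempt from 198.51.100.7 198.51.100.7 to in.telnetd at Mon Nov  8 14:05:40 CET 1999
this line is garbage and must not break the digest
attempt from other.example.org 203.0.113.5 to in.ftpd at Mon Nov  8 14:09:03 CET 1999
"""

def summarize(lines):
    """Count attempts per (address, daemon). Key on %a: %h comes from reverse DNS."""
    counts, names, last_seen, skipped = Counter(), {}, {}, 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1          # tolerate truncated or foreign lines
            continue
        host, addr, daemon, when = m.groups()
        key = (addr, daemon)
        counts[key] += 1
        names[key] = host         # most recent name reported for this address
        last_seen[key] = when     # raw `date` string, kept as written
    return counts, names, last_seen, skipped

def digest(lines, top=20):
    """Build one report listing at most `top` sources, however many lines arrived."""
    counts, names, last_seen, skipped = summarize(lines)
    out = [f"{sum(counts.values())} attempts from {len(counts)} sources "
           f"({skipped} unparsed lines)"]
    for key, n in counts.most_common(top):
        addr, daemon = key
        out.append(f"{n:6d}  {addr} ({names[key]}) -> {daemon}, last {last_seen[key]}")
    if len(counts) > top:
        out.append(f"... {len(counts) - top} more sources omitted")
    return "\n".join(out)

if __name__ == "__main__":
    print(digest(SAMPLE_LOG.splitlines()))
```

Run from cron, this sends one message per interval regardless of how many connections were logged, and the `top` limit keeps the report size fixed during a flood.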