NukeCops - man hosts.deny

So you want to ban IP addresses in your /etc/hosts.deny file after you've seen our IP Ban list. You'd like to use wildcards or certain patterns instead of the entire IP, and don't know how? I've taken the liberty to run a "man hosts.deny" on my server. Here are the results...

The access control language implements the following patterns:

A string that begins with a `.' character. A host name is matched if the last components of its name match the specified pattern. For example, the pattern `.tue.nl' matches the host name `wzv.win.tue.nl'.
A string that ends with a `.' character. A host address is matched if its first numeric fields match the given string. For example, the pattern `131.155.' matches the address of (almost) every host on the Eindhoven Univer- sity network (131.155.x.x).
A string that begins with an `@' character is treated as an NIS (formerly YP) netgroup name. A host name is matched if it is a host member of the specified netgroup. Netgroup matches are not supported for daemon process names or for client user names.
An expression of the form `n.n.n.n/m.m.m.m' is interpreted as a `net/mask' pair. An IPv4 host address is matched if `net' is equal to the bitwise AND of the address and the `mask'. For example, the net/mask pattern `131.155.72.0/255.255.254.0' matches every address in the range `131.155.72.0' through `131.155.73.255'.
An expression of the form `[n:n:n:n:n:n:n:n]/m' is interpreted as a `[net]/prefixlen' pair. An IPv6 host address is matched if `prefixlen' bits of `net' is equal to the `prefixlen' bits of the address. For example, the [net]/prefixlen pattern `[3ffe:505:2:1::]/64' matches every address in the range `3ffe:505:2:1::' through `3ffe:505:2:1:ffff:ffff:ffff:ffff'.
A string that begins with a `/' character is treated as a file name. A host name or address is matched if it matches any host name or address pattern listed in the named file. The file format is zero or more lines with zero or more host name or address patterns separated by whitespace. A file name pattern can be used anywhere a host name or address pattern can be used.
Wildcards `*' and `?' can be used to match hostnames or IP addresses. This method of matching cannot be used in conjunction with `net/mask' matching, hostname matching beginning with `.' or IP address matching ending with `.'.

Now for some wildcards:

ALL The universal wildcard, always matches.
LOCAL Matches any host whose name does not contain a dot character.
UNKNOWN Matches any user whose name is unknown, and matches any host whose name or address are unknown. This pattern should be used with care: host names may be unavailable due to temporary name server problems. A network address will be unavailable when the software cannot figure out what type of network it is talking to.
KNOWN Matches any user whose name is known, and matches any host whose name and address are known. This pattern should be used with care: host names may be unavailable due to temporary name server problems. A network address will be unavailable when the software cannot figure out what type of network it is talking to.
PARANOID Matches any host whose name does not match its address. When tcpd is built with -DPARANOID (default mode), it drops requests from such clients even before looking at the access control tables. Build without -DPARANOID when you want more control over such requests.