At the end of my hosts.allow
I have the following:
ALL : ALL \
: spawn (echo "%d" | /usr/bin/mail -s "tcpf\: %d attempt from %h." root) & \
: severity auth.info \
: twist /bin/echo "You are not welcome to use %d from %h."`
But this appears to simply put that text into my auth.log:
mail sshd[63546]: twist 12.34.56.789 to /bin/echo "You are not welcome to use sshd from 12.34.56.789."
On the client side, I only see "Connection closed by remote host" and I do not see the output of the echo. There is nothing in man -k twist