I have to admit, I only skimmed over the features of DenyHosts, but scanning a log file (and exposing yourself to remote log injections) does not seem to be the right way of thwarting malicious login attempts.

I love the stack principle behind PAM, so I fully rely on libpam-shield. It integrates with all the services on my servers (except MySQL, which has no support for PAM), like PostgreSQL, Courier, Dovecot, Postfix, OpenVPN, Monit, Apache, Samba, Squid and of course SSH.

If Shorewall is used to configure Netfilter, there is a simple way to integrate IP-based packet drops with it:

Use <em>shorewall drop</em> to lock out identified attackers. Or stick with the default solution of creating null routes (which I consider ugly, but not as ugly as scanning log files).

To me, DenyHosts looks a bit like a script-kiddie solution to a problem which should be dealt with at the appropriate level: PAM.
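
An added example, not part of the comment above and not code from pam_shield or Shorewall: one way to wire the Shorewall integration the comment describes, as a trigger wrapper that validates the address before it reaches the firewall CLI. Assumptions: the PAM module's trigger hook calls the script as `add <ip>` or `del <ip>`, the Shorewall binary is at `/sbin/shorewall`, and only IPv4 is handled; `shorewall allow` is the Shorewall command that reverses `shorewall drop`.

```shell
#!/bin/sh
# Hypothetical trigger wrapper: block/unblock events -> Shorewall dynamic blacklist.
# Assumed calling convention (not confirmed by the page): "$0 add|del <ipv4>".

SHOREWALL="${SHOREWALL:-/sbin/shorewall}"   # assumed path, overridable

# Strict dotted-quad check. Runs in a subshell "( )" so the IFS change
# cannot leak into the caller. Rejects empty fields, leading zeros
# (ambiguous octal forms) and octets above 255.
is_ipv4() (
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    IFS=.
    set -- $1            # safe unquoted: only digits and dots remain
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|????*|0?*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
)

# Map the event to a Shorewall command; refuse anything that is not
# a plain IPv4 address or a known action.
shield_trigger() {
    action=$1
    ip=$2
    if ! is_ipv4 "$ip"; then
        echo "shield-trigger: refusing invalid address" >&2
        return 2
    fi
    case "$action" in
        add) "$SHOREWALL" drop "$ip" ;;
        del) "$SHOREWALL" allow "$ip" ;;
        *)   echo "usage: shield-trigger add|del <ipv4>" >&2
             return 2 ;;
    esac
}

# Run only when invoked with arguments, e.g. by the PAM module.
if [ "$#" -gt 0 ]; then shield_trigger "$@"; fi
```

Because the address comes from the PAM conversation rather than from parsed log text, the validation here is a second line of defence, not the primary one.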