The failed login attempts for root and restricted users are not counted correctly (at least on my Gentoo systems with python 2.5 and denyhosts-2.6-r1). Setting, e.g.
DENY_THRESHOLD_ROOT = 1
will not block hosts after 2 failed logins. Instead, the value for DENY_THRESHOLD_INVALID is used. I narrowed this problem down to the way invalid users are handled. On my system, I have lots of those lines
sshd[<pid>]: error: PAM: Authentication failure for root from <ip address>
with matches FAILED_ENTRY_REGEX3. Because this regexp does not have a 'invalid' field, DenyHosts::is_valid() will return 'invalid'. Subsequently, LoginAttempt::add() will test this 'invalid' flag. If the latter is True, only the 'invalid host list' is updated and neither 'restricted hosts' nor 'root hosts'.
The attached patch solves the problem by modifying DenyHosts::is_valid() to only set the 'invalid' flag if such a field exists in the matched regexp. Otherwise (e.g. FAILED_ENTRY_REGEX3) it does not set the flag. After this modification, DENY_THRESHOLD_ROOT and DENY_THRESHOLD_RESTRICTED work as expected.