When running denyhosts on a system running as a central syslog server for multiple systems denyhosts will block access to its own server based on login failure to the other servers.
This actually seems like a good thing to me in most cases. More proof that a host is malicious. Obviously, I can see the cases where this is not desirable.
If this is not the desired action, I would suggest giving DenyHosts some method of determining what log messages are local and what log messages came in from remote hosts. Keep in mind that DenyHosts simply watches /var/log/auth.log (or whatever file is listed in the configs) and matches it against a number of regex patterns. I would suggest directing remote host logs to a separate file with syslog.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
This actually seems like a good thing to me in most cases. More proof that a host is malicious. Obviously, I can see the cases where this is not desirable.
If this is not the desired action, I would suggest giving DenyHosts some method of determining what log messages are local and what log messages came in from remote hosts. Keep in mind that DenyHosts simply watches /var/log/auth.log (or whatever file is listed in the configs) and matches it against a number of regex patterns. I would suggest directing remote host logs to a separate file with syslog.