Kyle Willmon - 2011-05-24

This actually seems like a good thing to me in most cases. More proof that a host is malicious. Obviously, I can see the cases where this is not desirable.

If this is not the desired action, I would suggest giving DenyHosts some method of determining what log messages are local and what log messages came in from remote hosts. Keep in mind that DenyHosts simply watches /var/log/auth.log (or whatever file is listed in the configs) and matches it against a number of regex patterns. I would suggest directing remote host logs to a separate file with syslog.