Bug 141708 - SECURE_LOG macro has incorrect value in /etc/denyhosts.conf
Summary: SECURE_LOG macro has incorrect value in /etc/denyhosts.conf
Status: RESOLVED NEEDINFO
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Linux bug wranglers
Reported: 2006-07-25 07:55 UTC by Clark
Modified: 2006-07-26 06:49 UTC

Description Clark 2006-07-25 07:55:20 UTC
In denyhosts version 2.5, the file /etc/denyhosts.conf has the line:
SECURE_LOG = /var/log/messages
It should read
SECURE_LOG = /var/log/pwdfail/current

This is easy for an experienced user to fix, but for a newbie, they probably couldn't fix this, and the package would be useless for them.
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2006-07-25 08:36:30 UTC
Don't know what logger you are using, but there's no such thing as /var/log/pwdfail/current here w/ syslog-ng (hardened or not).
Comment 2 Clark 2006-07-26 06:49:10 UTC
I have checked 3 Gentoo boxes; they all have a file /var/log/pwdfail/current.

Here are the contents from one server:

Jul 25 09:46:58 [sshd(pam_unix)] authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.98  user=root
Jul 25 09:47:01 [sshd] error: PAM: Authentication failure for root from 192.168.200.98
Jul 25 17:08:31 [sshd] Invalid user a from ::ffff:70.169.74.73
Jul 25 17:08:31 [sshd] Invalid user b from ::ffff:70.169.74.73
Jul 25 17:08:32 [sshd] Invalid user c from ::ffff:70.169.74.73
Jul 25 17:08:33 [sshd] Invalid user d from ::ffff:70.169.74.73

70.169.74.73 is somebody from Atlanta who was trying to hack into my machine. denyhosts parsed this file and added them to /etc/hosts.deny.

:) I love denyhosts  :)
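
Added example (not DenyHosts' own code and not part of the original report): the following Python parses log lines in the bracketed format quoted in Comment 2, counts failed SSH logins per source host, and produces hosts.deny-style entries. The sample lines, the regular expression, the threshold and the function names are assumptions made for this illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the bracketed-tag format quoted in Comment 2
# (documentation-range addresses, not the ones from the report).
SAMPLE_LOG = """\
Jul 25 09:46:58 [sshd(pam_unix)] authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root
Jul 25 09:47:01 [sshd] error: PAM: Authentication failure for root from 192.0.2.10
Jul 25 17:08:31 [sshd] Invalid user a from ::ffff:203.0.113.7
Jul 25 17:08:31 [sshd] Invalid user b from ::ffff:203.0.113.7
Jul 25 17:08:32 [sshd] Invalid user c from ::ffff:203.0.113.7
Jul 25 17:08:33 [sshd] Invalid user d from ::ffff:203.0.113.7
"""

# Per-attempt failure lines logged by [sshd]. The [sshd(pam_unix)] line is
# skipped on the assumption that it duplicates the "error: PAM" line for
# the same attempt and would double the count.
FAILURE = re.compile(
    r"\[sshd\] (?:Invalid user \S+|error: PAM: Authentication failure for \S+)"
    r" from (\S+)$"
)

def normalize(host):
    """Collapse IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host  # a hostname: keep as logged
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return str(ip)

def count_failures(log_text):
    """Return a Counter of failed SSH logins per normalized source host."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FAILURE.search(line.rstrip())
        if m:
            hits[normalize(m.group(1))] += 1
    return hits

def deny_lines(log_text, threshold):
    """hosts.deny entries for hosts with at least `threshold` failures."""
    counts = count_failures(log_text)
    return [f"sshd: {h}" for h in sorted(counts) if counts[h] >= threshold]

if __name__ == "__main__":
    print("\n".join(deny_lines(SAMPLE_LOG, threshold=3)))
```

A parser keyed to this line format finds nothing in a file that does not contain such lines, which is why the SECURE_LOG path has to point at the file the local logger actually writes sshd failures to.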