DenyHosts is intended to prevent brute-force attacks on SSH servers by monitoring invalid login attempts in the authentication log and blocking the originating IP addresses.
It records the originating IP address of each invalid attempt and compares the number of invalid attempts to a user-specified threshold.
In July 2007, The Register reported that from May until July that year, "compromised computers" at Oracle UK were listed among the ten worst offenders for launching brute-force SSH attacks on the Internet, according to public DenyHosts listings.
[1] Daniel B. Cid wrote a paper showing that DenyHosts, as well as the similar programs Fail2ban and BlockHosts, were vulnerable to remote log injection, an attack technique similar to SQL injection, in which a specially crafted user name is used to trigger a block against a site chosen by the attacker.
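The threshold counting and the log injection weakness described above can be seen side by side in the following added example, which is not DenyHosts code. Both regular expressions, the `offenders` helper and the log lines are constructed for illustration; the unanchored pattern is a hypothetical stand-in for a parser that trusts text inside the user name field.

```python
import ipaddress
import re
from collections import Counter

# Hypothetical unanchored pattern: trusts the first "from <addr>" it finds.
NAIVE = re.compile(r"Invalid user \S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")

# Anchored pattern: only the address sshd appends at the end of the message
# is used; everything before it is treated as client-supplied user name.
ANCHORED = re.compile(
    r"sshd\[\d+\]: Invalid user (?P<user>.*) from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?: port \d+)?$"
)

# Constructed log lines using documentation address ranges, not real data.
# In the last three, the user name itself contains " from 203.0.113.7".
SAMPLE_LOG = [
    "Jul 10 10:00:01 host sshd[101]: Invalid user admin from 198.51.100.23",
    "Jul 10 10:00:03 host sshd[102]: Invalid user test from 198.51.100.23",
    "Jul 10 10:00:05 host sshd[103]: Invalid user x from 203.0.113.7 from 198.51.100.23",
    "Jul 10 10:00:07 host sshd[104]: Invalid user y from 203.0.113.7 from 198.51.100.23",
    "Jul 10 10:00:09 host sshd[105]: Invalid user z from 203.0.113.7 from 198.51.100.23 port 50514",
]


def offenders(lines, pattern, threshold):
    """Return the source addresses with at least `threshold` invalid logins."""
    counts = Counter()
    for line in lines:
        match = pattern.search(line.rstrip("\n"))
        if not match:
            continue
        try:
            # Normalise and reject strings that only look like an address.
            addr = str(ipaddress.ip_address(match.group("ip")))
        except ValueError:
            continue
        counts[addr] += 1
    return {addr for addr, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("unanchored parser blocks:", offenders(SAMPLE_LOG, NAIVE, 3))
    print("anchored parser blocks:  ", offenders(SAMPLE_LOG, ANCHORED, 3))
```

With a threshold of 3, the unanchored parser blocks the address named inside the user name, while the anchored parser attributes all five attempts to the connecting host.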
[6] An independent and separate fork was started at the almost-identically named DenyHost SourceForge project site with the release of a different version 2.7 in May 2014.