Why doesn't openssh have this kind of feature built in by default? I've always been put off tools such as denyhosts or its alternatives because they seem, well, a bit hacky.
You have to have a process continuing to run in the background; if it somehow crashes then you lose the protection.
They work by tailing /var/log/auth.log. That requires you to have configured syslog to log to the right place, and you have to be careful to synchronise the reloading of the log file with any log rotation that takes place.
ISTR a bug a while back where a remote attacker could take control of the tool by using a specially crafted user name, to exploit a bug in the regular expression parsing library that the program used.
I'd feel much safer if the mechanism for detecting these kind of attacks was built into OpenSSH itself, leaving the policy up to third party plugins.