diff --git a/crypto/openssh/sshd.c b/crypto/openssh/sshd.c
--- a/crypto/openssh/sshd.c
+++ b/crypto/openssh/sshd.c
@@ -1297,13 +1297,22 @@
 				    SO_LINGER, &l, sizeof(l));
 				(void )close(*newsock);
 				/*
-				 * Mimic message from libwrap's refuse()
-				 * exactly.  sshguard, and supposedly lots
-				 * of custom made scripts rely on it.
+				 * Mimic message from libwrap's refuse() as
+				 * precise as we can afford.  The authentic
+				 * message prints the IP address and the
+				 * resolved hostname in parenthesis.  We can't
+				 * go into name resolution in the main server
+				 * loop.  Neither logging resolved name makes
+				 * any sense for an incident investigation.
+				 * But we preserve the refuse() format as close
+				 * as possible to not break auditing software
+				 * like sshguard and supposedly lots of custom
+				 * made log parsing scripts.  Thus we print the
+				 * IP address twice.
 				 */
 				syslog(LOG_WARNING,
 				    "refused connect from %s (%s)",
-				    eval_client(&req),
+				    eval_hostaddr(req.client),
 				    eval_hostaddr(req.client));
 				debug("Connection refused by tcp wrapper");
 				continue;