On a sensible Debian or Ubuntu install, getting denyhosts is as simple as running:

denyhosts should work as soon as it is installed. However, a few options can be tweaked to make it work nicely. The configuration file is at /etc/denyhosts.conf.

Firstly, set a proper administration email by changing ADMIN_EMAIL. The option RESET_ON_SUCCESS might also be important to you, by setting it to yes the failure count for an IP address will be reset if there is a successful login. If you want the blocks to expire (which is more important if you use synchronisation) then you should tweak PURGE_DENY to a sensible value, for example 1 week.

Synchronisation is one nice feature of denyhosts that means that information on IPs that attempt SSH bruteforcing can be shared between servers. Information about synchronisation can be read in the FAQ but enabling it is as simple as uncommenting the SYNC_SERVER line.  By default, your server will share information on bruteforcers and receive it from other administrators who run denyhosts.

You can check how denyhosts is working by watching the logfile at /var/log/denyhosts.  You can see newly added blocks logged as a line like the below:

new denied hosts: ['202.107.228.xxx']

Of course, you don’t need this as you’ve already disabled SSH password logins and your firewall disables access to port 22 from anywhere except a specially crafted list of IPs.  But for 5 minutes work, it provides some peace of mind.