Attack of the Zombie ssh client

Passively sitting and watching my logs I notice the following repeated thousands of times:

Dec 4 08:12:59 apache sshd[15823]: SSH: Server;Ltype: Version;Remote: <someip>-34052;Protocol: 2.0;Client: libssh-0.1
Dec 4 08:12:59 apache sshd[15823]: SSH: Server;Ltype: Kex;Remote: <someip>-34052;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]
Dec 4 08:12:59 apache sshd[15823]: SSH: Server;Ltype: Authname;Remote: <someip>-34052;Name: root [preauth]
Dec 4 08:12:59 apache sshd[15823]: Received disconnect from <someip>: 11: Bye Bye [preauth]

Seeing a thousand of anything in my log file besides cron is disconcerting since I run fail2ban. After some research I found the following article: http://taint.org/2008/05/16/165301a.html

According to the article this is insidious because the attack doesn't log a failure: it's trying to break the host SSH key, so it aborts mid-transaction before authentication ever happens. Rather than subject myself to this I figured I could add a fail2ban rule and block further attempts. In my /etc/fail2ban/filter.d/sshd.conf file I added the following line to the failregex:

^%(__prefix_line)sReceived disconnect from <HOST>: 11: Bye Bye \[preauth\]\s*$

It's not perfect, but it does what I want. The downside is that if you log out legitimately more times than your fail2ban tolerance within the watch period, you will be banned. I'm OK with that limitation. One more attack down… ugh.
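As an added illustration (not part of the original post or of fail2ban itself), here is a small Python emulation of what fail2ban does with that failregex: the <HOST> expansion and the prefix pattern are assumptions standing in for fail2ban's own, the log lines are constructed, and the sliding-window count shows how maxretry and findtime decide who gets banned, including the caveat above about a host that merely disconnects a couple of times.

```python
import re
from collections import defaultdict
from datetime import datetime

# fail2ban expands <HOST> to a named capturing group; this is the pattern
# its 0.8.x releases used for IPv4/IPv6 addresses and hostnames (assumption).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# Minimal stand-in for %(__prefix_line)s: syslog timestamp, hostname, "sshd[pid]: "
PREFIX_RE = r"\S+ +\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
FAILREGEX = re.compile(
    "^" + PREFIX_RE + "Received disconnect from " + HOST_RE
    + r": 11: Bye Bye \[preauth\]\s*$"
)

def match_line(line):
    """Return (timestamp, host) when the line matches the failregex, else None.
    Syslog lines carry no year, so strptime yields 1900; only differences matter."""
    m = FAILREGEX.match(line)
    if m is None:
        return None
    when = datetime.strptime(" ".join(line.split()[:3]), "%b %d %H:%M:%S")
    return when, m.group("host")

def banned_hosts(lines, maxretry=5, findtime=600):
    """Emulate fail2ban's counting: a host is banned once it has maxretry
    matches inside a sliding findtime-second window."""
    recent = defaultdict(list)
    banned = set()
    for line in lines:
        hit = match_line(line)
        if hit is None:
            continue
        when, host = hit
        recent[host] = [t for t in recent[host] if (when - t).total_seconds() <= findtime]
        recent[host].append(when)
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned

# Constructed sample: six aborted handshakes from 192.0.2.10 within a minute,
# two from 198.51.100.7, plus a preauth line that must not match at all.
SAMPLE_LOG = [
    f"Dec 4 08:12:{s:02d} apache sshd[158{s:02d}]: Received disconnect from 192.0.2.10: 11: Bye Bye [preauth]"
    for s in range(0, 60, 10)
] + [
    "Dec 4 08:13:05 apache sshd[15901]: Received disconnect from 198.51.100.7: 11: Bye Bye [preauth]",
    "Dec 4 08:14:05 apache sshd[15902]: Received disconnect from 198.51.100.7: 11: Bye Bye [preauth]",
    "Dec 4 08:14:06 apache sshd[15903]: SSH: Server;Ltype: Authname;Remote: 203.0.113.9-34052;Name: root [preauth]",
]

if __name__ == "__main__":
    print(banned_hosts(SAMPLE_LOG))  # {'192.0.2.10'}
```

Lowering maxretry to 2 bans 198.51.100.7 as well, which is exactly the trade-off the filter line makes.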