I have more than 500 of these in auth.log (ssh port changed to 23):
I have more:
sshd[20620]: Bad protocol version identification 'guest' from 124.244.54.245 port 39405
sshd[16472]: Did not receive identification string from 87.76.240.167
How to block this in rules!!?
These are no failures in the sense of authentication (because no login takes place).
But if you want that anyway, just copy filter.d/sshd.conf into filter.d/sshd.local and add the following to the failregex:
^%(__prefix_line)sBad protocol version identification '.*' from <HOST> port \d+\s*$
^%(__prefix_line)sDid not receive identification string from <HOST>\s*$
Hi @sebres,
Could we think about adding the Bad protocol version rule to the SSHd filter please?
I'm also facing these messages...
Bad protocol version identification '.........' from A.B.C.D port 1234
Thank you very much 👍
I've submitted PR #2404 for this :)
Simple script to generate such a log:
watch -n 0.01 curl -m 1 127.0.0.1:22
Potential dos/ddos for sshd :warning: I think it's urgent
Fix (#2404) has been merged into 0.10/0.11 for mode ddos or aggressive.
Potential dos/ddos for sshd warning I think it's urgent
Well, DDOS is potentially possible for any service (sshd is not an exception here), and it is also effectively solvable using other tools, for example special rules like limiting the connection rate (total requests per IP/subnet per minute, SYN attempts on sshd or all ports), prohibiting port-scanning, etc.
The primary goal of Fail2ban is authentication issues, therefore this is enclosed in the mentioned modes only, so this is now enough configuration to enable it (if the filter/fail2ban is upgraded to 0.10.5):
[sshd]
mode = aggressive
enabled = true
For fail2ban <= 0.10.5 (but >= 0.10), the continuation line of a multi-line failregex value must be indented so the config parser keeps it as part of the same option:
[sshd]
mode = aggressive
failregex = %(known/failregex)s
            ^Bad protocol version identification '.*' from <HOST>
enabled = true
For 0.9 and below see my comment above.
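To see how the two failregex lines given above, and the per-IP counting that fail2ban's maxretry performs on top of them, behave against the log lines from this issue, here is an added Python example (not fail2ban's own code, and not part of this thread). It assumes simplified stand-ins for fail2ban's %(__prefix_line)s and <HOST> substitutions (the real ones in filter.d/common.conf also accept IPv6 addresses and hostnames), and the sample log lines are constructed, combining the two lines reported above with syslog-prefixed variants:

```python
import re
from collections import defaultdict

# Assumption: simplified replacements for what fail2ban substitutes.
# The real <HOST> also matches IPv6 and hostnames; the real __prefix_line
# covers more syslog/journal prefix layouts than this one.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PREFIX_LINE = r"(?:\S+ +\d+ \d\d:\d\d:\d\d )?(?:\S+ )?sshd\[\d+\]: "

# The two failregex lines proposed in the thread, verbatim.
FAILREGEX = [
    r"^%(__prefix_line)sBad protocol version identification '.*' from <HOST> port \d+\s*$",
    r"^%(__prefix_line)sDid not receive identification string from <HOST>\s*$",
]

# Constructed sample log: the two lines from the report plus prefixed variants
# and one benign line that must not match.
SAMPLE_LOG = [
    "sshd[20620]: Bad protocol version identification 'guest' from 124.244.54.245 port 39405",
    "sshd[16472]: Did not receive identification string from 87.76.240.167",
    "Jun  3 10:15:01 host1 sshd[20621]: Bad protocol version identification 'GET / HTTP/1.1' from 124.244.54.245 port 39406",
    "Jun  3 10:15:02 host1 sshd[20622]: Bad protocol version identification '' from 124.244.54.245 port 39407",
    "Jun  3 10:15:03 host1 sshd[20623]: Accepted publickey for alice from 10.0.0.5 port 50000 ssh2",
]


def compile_failregex(patterns):
    """Expand the fail2ban placeholders and compile each pattern."""
    compiled = []
    for pattern in patterns:
        pattern = pattern.replace("%(__prefix_line)s", PREFIX_LINE)
        pattern = pattern.replace("<HOST>", HOST)
        compiled.append(re.compile(pattern))
    return compiled


def extract_hosts(lines, regexes):
    """Return the <HOST> captured for every line that matches any failregex."""
    hits = []
    for line in lines:
        for rx in regexes:
            match = rx.search(line)
            if match:
                hits.append(match.group("host"))
                break  # first matching regex wins, as in fail2ban
    return hits


def hosts_to_ban(hits, maxretry):
    """Mimic the maxretry decision: ban hosts seen at least maxretry times."""
    counts = defaultdict(int)
    for host in hits:
        counts[host] += 1
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    regexes = compile_failregex(FAILREGEX)
    hits = extract_hosts(SAMPLE_LOG, regexes)
    print("matched hosts:", hits)
    print("would ban (maxretry=3):", hosts_to_ban(hits, 3))
```

The benign "Accepted publickey" line is never captured, and with maxretry=3 only the address that produced three bad protocol banners is selected; findtime is left out here, so counts are over the whole sample rather than a sliding window.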