Nov 30 06:27:58 ns33XXXXX sshd: Did not receive identification string from 18.104.22.168 ... Nov 30 06:31:07 ns33XXXXX sshd: Connection closed by 22.214.171.124 [preauth] ... Nov 30 06:35:09 ns33XXXXX sshd: Connection closed by 126.96.36.199 [preauth]
So, what does this means?
Some miscreant (surprise!) is hammering at ssh to try to find a username/password combination that gets them into the system. Probably from some botnet doing the same to who knows how many other unsuspecting victims.
This one below means ssh server waited and did not receive what it needed in a timely fashion. This is typically due to connectivity issues. In an ssh connection, the server first provides its identification string, then waits for the client to then provide its identification string. If there is a loss in connection, or the client just bails, this is what you will see in the logs.
If someone uses telnet or netcat to fetch your ssh banner, or other various scans, the logs on the server side will show this as well.
So, I went to fail2ban and increased the values!
This is my /var/log/fail2ban.log.
2015-11-30 13:11:24,144 fail2ban.filter : INFO Set maxRetry = 3 2015-11-30 13:11:24,146 fail2ban.filter : INFO Set findtime = 6000 2015-11-30 13:11:24,146 fail2ban.actions: INFO Set banTime = 6000