For me, this works better, as I get tons of legit log entries, matching the "Connection closed" regex, at least in OpenSSH 6.6.1 variations. Believe it also covers the new OpenSSH log format, which includes "port":
^%(__prefix_line)sDid not receive identification string from <HOST>\s*$
^%(__prefix_line)sReceived disconnect from <HOST>: (port \d*: ){,1}11: (Bye Bye){,1} \[preauth\]\s*$
$ cat /etc/*relea* | grep -i desc
DISTRIB_DESCRIPTION="Ubuntu 14.04.5 LTS"
$ fail2ban-regex /var/log/auth.log filter.d/sshd.conf
Running tests
=============
Use failregex file : filter.d/sshd.conf
Use log file : /var/log/auth.log
Results
=======
Failregex: 39 total
|- #) [# of hits] regular expression
| 12) [16] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*Did not receive identification string from <HOST>\s*$
| 13) [23] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*Received disconnect from <HOST>: (port \d*: ){,1}11: (Bye Bye){,1} \[preauth\]\s*$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [62412] MONTH Day Hour:Minute:Second
`-
Lines: 62412 lines, 0 ignored, 39 matched, 62373 missed
Missed line(s):: too many to print. Use --print-all-missed to print all 62373 lines
$ grep "Did not receive identification string from" /var/log/auth.log | wc -l
16
$ grep "Received disconnect from" /var/log/auth.log | grep -v x.x.x.x | wc -l
23