Fail2Ban is great - I've used it for more than just blocking brute force attacks on ssh (although a real security expert might say this is the wrong tool to use).
Yep, I also use it to detect repeat errors on our own application logs and block offending IPs.
Fail2ban has reasonably easy-to-tweak detection and blocking rules, plus lots of available ready-made ones that do the job. If you're comfortable with regular expressions (which most people on HN probably are), then it's really straightforward to write your own rules.
The only problem I encountered with it is when you start it up and you have a huge amount of data in your log files. It can cause 100% CPU usage for a long time until it digests the whole thing...
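To illustrate the custom-rule workflow the two comments above describe, here is an added example (not from the thread, not fail2ban's own code): a minimal re-implementation of the fail2ban detection loop, with an assumed filter for an application log, assumed jail settings, and constructed sample log lines.

```python
"""Added example: fail2ban-style detection over a custom application log.
The failregex/ignoreregex, the jail settings and the log lines are all
assumed/constructed for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed jail settings, same names as in fail2ban's jail.local.
MAXRETRY = 3                       # failures needed before a ban
FINDTIME = timedelta(seconds=600)  # window in which those failures must occur

# fail2ban substitutes <HOST> with an IP/hostname regex; IPv4 only here.
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"
FAILREGEX = re.compile(
    r"^(?P<ts>\S+ \S+) WARNING auth failure for user \S+ from " + HOST_RE + r"$"
)
IGNOREREGEX = re.compile(r"from 10\.0\.0\.1$")  # assumed internal monitor

def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def scan(lines):
    """Return the hosts that would be banned, in the order they trip MAXRETRY."""
    hits = defaultdict(deque)   # host -> timestamps of recent failures
    banned = []
    for line in lines:
        if IGNOREREGEX.search(line):
            continue
        m = FAILREGEX.match(line)
        if not m:
            continue
        host, ts = m["host"], parse_ts(m["ts"])
        window = hits[host]
        window.append(ts)
        # Drop failures older than findtime, as fail2ban does.
        while window and ts - window[0] > FINDTIME:
            window.popleft()
        if len(window) >= MAXRETRY and host not in banned:
            banned.append(host)
    return banned

# Constructed sample log: one fast brute-forcer, one slow one, one ignored host.
SAMPLE_LOG = """\
2024-05-01 10:00:00 WARNING auth failure for user admin from 203.0.113.7
2024-05-01 10:00:05 WARNING auth failure for user root from 203.0.113.7
2024-05-01 10:00:09 INFO login ok for user alice from 198.51.100.2
2024-05-01 10:00:12 WARNING auth failure for user test from 203.0.113.7
2024-05-01 10:30:00 WARNING auth failure for user bob from 198.51.100.2
2024-05-01 10:31:00 WARNING auth failure for user bob from 198.51.100.2
2024-05-01 11:00:00 WARNING auth failure for user bob from 198.51.100.2
2024-05-01 11:00:01 WARNING auth failure for user x from 10.0.0.1
""".splitlines()

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))  # ['203.0.113.7']
```

The slow host never has three failures inside the 600-second window, so only the fast one is banned; in a real jail the equivalent knobs are `failregex`, `ignoreregex`, `maxretry` and `findtime`.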
* PermitRootLogin=without-password/prohibit-password now bans all interactive authentication methods, allowing only public-key, hostbased and GSSAPI authentication (previously it permitted keyboard-interactive and password-less authentication if those were enabled).
It mentions that previously, with without-password, it would still allow keyboard-interactive logins. Should be fairly easy to fake for a botnet!
If for some bizarre reason you allow remote root logins over ssh, be sure that that password is as strong as possible. Machine-generated random strings are good, at least 12 characters to be sure.
If you turn off root logins but still allow user logins the remote attacking system will have no way to detect that fact and will still attempt to brute force you.
I think monitoring your outgoing traffic would give you a clue. Also if what I read on Ars is correct, this botnet preys on weak root passwords, so disabling remote root or using keys would be great ways to protect yourself against this botnet.