SSH Logs – What Does ‘Normal Shutdown, Thank You for Playing [preauth]’ Mean in SSH Logs?


Recently, my SSH log summaries for my Ubuntu 12.04 servers in Logwatch have started showing entries for "11: Normal Shutdown, Thank you for playing [preauth]" along with the "11: Bye Bye [preauth]" and "11: disconnected by user" messages they had been showing previously.

I have not seen this message in my logs before the past few weeks, nor have I seen it on my older servers which are stuck on Ubuntu 10.04. I have googled this message and can't find any clear explanations there either.

The IPs attempting to log in and receiving this message are random hack attempts, and judging from the preauth I assume (hope) they are not successful, but I would like to know exactly what this message means and how it differs from others to be sure.

EDIT for additional information: My servers have password authentication and root authentication both disabled.

Best Answer

When the ssh client does a "normal" connection shutdown, it sends a packet with a message in it. When the ssh daemon gets such a packet when it's not expecting it -- in this case, before the user managed to authenticate -- it logs the message. (Older versions of OpenSSH did not do this.) So your surmise is exactly correct: it's a side effect of a brute-force ssh password-guessing attack. You should probably be running something like fail2ban or sshguard to block these in iptables; even if you think everything is correctly configured to disallow passwords, it's well to have a second layer of defense.
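To check from the logs that these disconnects really are pre-authentication and to see which sources repeat them, the following added example (not part of the original question or answer) parses sshd "Received disconnect" lines and tallies the `[preauth]` ones per source IP. The log lines are constructed samples using documentation IP ranges, and the `threshold` parameter and function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines (RFC 5737 documentation IPs), covering the older
# "from IP: code: msg" layout and the newer "from IP port N:code: msg" layout.
SAMPLE_LOG = """\
Mar  3 04:12:01 web1 sshd[2101]: Received disconnect from 203.0.113.7: 11: Normal Shutdown, Thank you for playing [preauth]
Mar  3 04:12:03 web1 sshd[2104]: Received disconnect from 203.0.113.7: 11: Normal Shutdown, Thank you for playing [preauth]
Mar  3 04:12:09 web1 sshd[2110]: Received disconnect from 203.0.113.7: 11: Bye Bye [preauth]
Mar  3 04:15:40 web1 sshd[2150]: Received disconnect from 198.51.100.22 port 50514:11: Normal Shutdown, Thank you for playing [preauth]
Mar  3 08:30:12 web1 sshd[2999]: Accepted publickey for deploy from 192.0.2.10 port 40022 ssh2
Mar  3 08:45:51 web1 sshd[2999]: Received disconnect from 192.0.2.10: 11: disconnected by user
"""

# code = SSH disconnect reason code (11 is SSH_DISCONNECT_BY_APPLICATION in
# RFC 4253); msg = free text chosen by the client; the [preauth] suffix is
# present only when the disconnect arrived before authentication completed.
DISCONNECT_RE = re.compile(
    r"sshd\[\d+\]: Received disconnect from (?P<ip>\S+?)"
    r"(?: port \d+: ?|: )(?P<code>\d+): (?P<msg>.*?)(?P<preauth> \[preauth\])?$"
)

def parse_disconnects(log_text):
    """Yield (ip, reason_code, message, is_preauth) for each disconnect line."""
    for line in log_text.splitlines():
        m = DISCONNECT_RE.search(line)
        if m:
            yield m["ip"], int(m["code"]), m["msg"], m["preauth"] is not None

def preauth_offenders(log_text, threshold=2):
    """Return {ip: count} for sources with >= threshold pre-auth disconnects."""
    counts = Counter(ip for ip, _, _, pre in parse_disconnects(log_text) if pre)
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for ip, code, msg, pre in parse_disconnects(SAMPLE_LOG):
        print(f"{ip:15} code={code} preauth={pre} msg={msg!r}")
    print("repeat pre-auth sources:", preauth_offenders(SAMPLE_LOG))
```

The message text is chosen by the client, so the `[preauth]` suffix and the per-source count are the fields to rely on, not the wording.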
