[fail2ban] Как добавить новое сочетание для срабатывания fail2ban?

Стоит fail2ban, и отлично защищает по ssh. Но нашелся странный бот, на попытки которого fail2ban не реагирует:

Apr 12 07:36:27 server sshd[3842]: SSH: Server;Ltype: Version;Remote: 199.16.155.2-58107;Protocol: 2.0;Client: libssh-0.2
Apr 12 07:36:27 server sshd[3842]: SSH: Server;Ltype: Kex;Remote: 199.16.155.2-58107;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]
Apr 12 07:36:28 server sshd[3842]: SSH: Server;Ltype: Authname;Remote: 199.16.155.2-58107;Name: root [preauth]
Apr 12 07:36:28 server sshd[3842]: Received disconnect from 199.16.155.2: 11: Bye Bye [preauth]
Apr 12 07:36:32 server sshd[3846]: SSH: Server;Ltype: Version;Remote: 199.16.155.2-59926;Protocol: 2.0;Client: libssh-0.2
Apr 12 07:36:32 server sshd[3846]: SSH: Server;Ltype: Kex;Remote: 199.16.155.2-59926;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]
Apr 12 07:36:33 server sshd[3846]: SSH: Server;Ltype: Authname;Remote: 199.16.155.2-59926;Name: root [preauth]
Apr 12 07:36:33 server sshd[3846]: Received disconnect from 199.16.155.2: 11: Bye Bye [preauth]

Не разобрался с языком как добавитт строку в /etc/fail2ban/filter.d/sshd.conf
Там есть:

failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser \S+ from <HOST> not allowed because not listed in AllowUsers$
            ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sreverse mapping checking getaddrinfo for .* \[<HOST>\] .* POSSIBLE BREAK-IN ATTEMPT\!\s*
            ^%(__prefix_line)sUser \S+ from <HOST> not allowed because none of user's groups are listed in AllowGroups$

Что добавить чтоб ловить таких ботов?