Does a fake SSH server have any purpose security-wise?
The reasons to have such fake SSH servers are multiple. They include such as:
- determining whether you’re under attack
- knowing the users and passwords guessed (which can display the intel the attacker has)
- to see attacker’s actions of interest
- to see attempts of exploitation of the server (might disclose 0days or backdoors)
- to study how the attacker tries to approach the system and so on.
- test client software, including audit / testing / attack tools during development (thanks to Mołot)
You should consider NOT putting up a fake SSH server on your system if you have anything of value in the server, since the fake server might be prone to vulnerabilities as well - one closed port is better than one open service.
It can be used as honeypot/research to collect most used password attempts and the like.
Otherwise, I agree with your assessment, it's an attractive nuisance.
If you are looking for actual protection mechanisms, I recommend "Fail2Ban".
A good use for an open and fake ssh server like this is to set it up on a corporate LAN as a honeypot. Give it an attractive (but not obviously fake) hostname set up syslog forwarding to your SIEM and see if anybody connects to it and what they try to do. Nobody legitimate should be poking around in it (unless you have a hunt team or a red team operation underway).