discover you're being sniffed
This is exactly what SSH protects against. As long as you carefully verify the host key, it doesn't matter if someone is reading your traffic: it's all encrypted.
disconnecting before any sensitive information is disclosed
Again, standard SSH will be fine. Host key checking is one of the first things done when establishing a SSH connection; if you cancel it, the connection is closed immediately without transmitting any authentication data.
For example, if you refuse to connect in case the fingerprint isn't the one you expected, do MITM still work?
The attacker will not receive any "private" SSH data, if that's what you mean. See above – checking of host key is one of the first things done. Nothing else is sent until the server is verified.
maybe there's a way of garbling the data so it doesn't make sense or something?
It's called "encryption", and it happens to be a core part of SSH. :) The attacker will not be able to read anything unless you accept their hostkey instead of the real one. Similarly, encryption along with integrity check (using HMAC) makes it impossible to insert packets.
I'll admit that I'm not a cryptographer or anything. But IMHO, if you carefully check the host key fingerprint, then SSHv2 is as secure as it gets.
If it weren't secure, it would have been fixed/replaced/upgraded. This has happened once: SSH v1 was replaced by SSH v2.
This means that you must disable SSH v1 in both the server and client.
SSH version 1 is very insecure, and even though most clients are configured to use SSHv2 first, they would still fall back to v1 if a server doesn't offer v2. This introduces an opportunity for a MITM attack... although I don't remember the details, it has something to do with the attacker generating a v1 key with a very similar fingerprint.
For OpenSSH, put
Protocol 2
in your config file.There's a very small possibility that one of the algorithms used by SSH is broken. But if someone manages to break RSA or DH, the world will have bigger problems to worry about than your server's security... (Besides, there are alternative algorithms.)
By the way, OpenSSH v5.8 has switched from DH and DSA to ECDH and ECDSA as its primary algorithms (for key exchange and host keys respectively).