This is not unique to Cloudflare, Level3 or any of the other networks I've seen mentioned in this thread. The entire internet scans all the common ports and this should be expected to continue indefinitely. If this is causing alerts from your logging, there are a few options:

- Implement a firewall on your instances.

- Implement port knocking for sshd.

- Move sshd to a non-standard port to avoid the nmap/bot noise.

- Only log successful logins.

- Any combination of the above.

There are pros and cons to each item, so you would have to decide which combination is the most appropriate and least friction for your organization. If leaving the port exposed, consider enforcing key-based authentication and disabling password authentication. For high-risk accounts, such as monitoring accounts that use passwordless unrestricted sudo, you can even restrict what networks the keys are valid from.

My favorite is to implement a tarpit while moving the ssh port.

Does that mean that you automatically block IPs that try to log in on port 22 (since they are obviously malicious/port scanners)? If yes, is there any specialized daemon for that, or are you using firewall rules? Or are you running an SSH honeypot on port 22?

The post is referring to this: https://github.com/skeeto/endlessh

I'm guessing that the person you replied to is referring to the same.
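For readers wondering what a tarpit on the old port actually does, here is a minimal one in the spirit of endlessh, written as an added example for this thread (it is not endlessh's code). It relies on RFC 4253 allowing a server to send arbitrary lines before its `SSH-` version string, so a scanner's client sits waiting for a banner that never arrives. The listen port and delay are assumptions.

```python
"""Minimal SSH tarpit in the style of endlessh (asyncio, stdlib only)."""
import asyncio
import random
import string

LISTEN_PORT = 2222     # assumption: the port real sshd vacated (22 in the thread)
DELAY_SECONDS = 10.0   # pause between banner lines; the client waits, we barely work
ALPHABET = string.ascii_letters + string.digits  # no '-' so a line can never be "SSH-..."


def banner_line(rng=random) -> bytes:
    """One pre-banner line. RFC 4253 lets a server send lines before its version
    string as long as they do not start with 'SSH-', so clients keep reading."""
    length = rng.randint(3, 30)
    return ("".join(rng.choices(ALPHABET, k=length)) + "\r\n").encode("ascii")


async def trap_client(reader, writer, delay=DELAY_SECONDS, max_lines=None):
    """Feed the peer an endless pre-banner; return lines sent once it gives up."""
    peer = writer.get_extra_info("peername")
    sent = 0
    try:
        while max_lines is None or sent < max_lines:
            writer.write(banner_line())
            await writer.drain()      # raises once the scanner hangs up
            sent += 1
            await asyncio.sleep(delay)
    except (ConnectionError, OSError):
        pass                          # peer disconnected: the normal end state
    finally:
        writer.close()
    print(f"{peer} held for {sent} line(s)")   # log line for your SIEM/alerting
    return sent


def demo(lines_to_read=3, delay=0.01):
    """Self-contained check: run a tarpit on a random local port, connect a client
    (constructed here, not a real scanner) and return the raw lines it received."""
    async def run():
        async def handler(r, w):
            await trap_client(r, w, delay=delay, max_lines=lines_to_read)
        server = await asyncio.start_server(handler, "127.0.0.1", 0)
        port = server.sockets[0].getsockname()[1]
        reader, writer = await asyncio.open_connection("127.0.0.1", port)
        got = [await reader.readline() for _ in range(lines_to_read)]
        writer.close()
        await writer.wait_closed()
        server.close()
        await server.wait_closed()
        return got
    return asyncio.run(run())


if __name__ == "__main__":
    async def main():
        server = await asyncio.start_server(trap_client, "0.0.0.0", LISTEN_PORT)
        async with server:
            await server.serve_forever()
    asyncio.run(main())
```

Pair it with a firewall rule or a log watcher if you also want to block repeat offenders; the tarpit alone only wastes their time, which is the point.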