I am seeing some scanning for SSH servers on port 8080 in web server logs for web servers that listen on this port. So far, I don't see any scans like this for web servers listening on port 80. In web server logs, the scan is reflected as an Invalid Method (error 501), as the web server only sees the banner provided by the SSH client, and of course cannot respond.
For example:
222.186.21.180 - - [03/Aug/2015:08:31:55 +0000] SSH-2.0-libssh2_1.4.3 501 303 - -
The IP address in this example is, for now, the most prolific source of these scans:
inetnum: 222.184.0.0 - 222.191.255.255
netname: CHINANET-JS
descr: CHINANET jiangsu province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN
With very frequent scans for SSH servers, users often move them to an alternative port. I am not aware of a common configuration moving them to port 8080, but it is certainly possible that this has become a somewhat common escape port.
Please let us know if you have any details to fill in. Any other sources for these scans? Any reason why someone would use port 8080 for an SSH server? If you use an alternative port, a more random one would certainly be better, in particular if the port is not in default port lists (like the one used by nmap).
As usual, hiding your SSH server on an off-port is good. But you certainly should still use keys, not passwords, to authenticate and follow other best practices in configuring and maintaining your SSH server.
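To check your own web server logs for other sources of these scans, the following added example (not part of the original diary) picks out access-log entries whose request field is an SSH identification string and counts them per source IP and per client banner. It assumes a common/combined log layout like the line shown above, with the request either quoted or unquoted; apart from the first entry, the sample lines are constructed and use documentation addresses.

```python
import re
from collections import Counter

# Access-log entry whose request field starts with an SSH identification
# string (RFC 4253: "SSH-protoversion-softwareversion"). The request field
# may be quoted (default combined format) or unquoted (as in the diary).
SSH_PROBE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"?(?P<banner>SSH-\d+\.\d+-[^\s"]+)[^"]*?"? '
    r'(?P<status>\d{3}) '
)

def find_ssh_probes(lines):
    """Yield (ip, timestamp, banner, status) for each SSH banner logged as a request."""
    for line in lines:
        m = SSH_PROBE.match(line)
        if m:
            yield m["ip"], m["ts"], m["banner"], int(m["status"])

def summarize(lines):
    """Count probes per source IP and per SSH client banner."""
    by_ip, by_client = Counter(), Counter()
    for ip, _ts, banner, _status in find_ssh_probes(lines):
        by_ip[ip] += 1
        by_client[banner] += 1
    return by_ip, by_client

SAMPLE_LOG = [
    # Entry quoted in the diary above.
    '222.186.21.180 - - [03/Aug/2015:08:31:55 +0000] SSH-2.0-libssh2_1.4.3 501 303 - -',
    # Constructed entries: quoted request field, documentation addresses.
    '198.51.100.7 - - [03/Aug/2015:09:02:41 +0000] "SSH-2.0-OpenSSH_6.6" 501 303 "-" "-"',
    '198.51.100.7 - - [03/Aug/2015:09:02:59 +0000] "SSH-2.0-OpenSSH_6.6" 501 303 "-" "-"',
    # Constructed normal traffic that must not be counted, including a URL
    # that merely contains the text "SSH-2.0".
    '192.0.2.10 - - [03/Aug/2015:09:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [03/Aug/2015:09:04:12 +0000] "GET /SSH-2.0-notes.txt HTTP/1.1" 404 210 "-" "-"',
]

if __name__ == "__main__":
    by_ip, by_client = summarize(SAMPLE_LOG)
    for ip, count in by_ip.most_common():
        print(f"{count:6d}  {ip}")
    for banner, count in by_client.most_common():
        print(f"{count:6d}  {banner}")
```

Replace `SAMPLE_LOG` with an open log file handle to run it over real data.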
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.