SSH scanning

The entire internet scans all the common ports and this should be expected to continue indefinitely. - HN

see also:

  • Brute.Fail / HN - Watch brute-force attacks fail in real time

  • Implement a firewall on your instances.
  • Implement port knocking for sshd, similar to a secret handshake.
  • Move sshd to a non-standard port to avoid the nmap/bot noise.
  • Only log successful logins.
  • Any combination of the above.
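
To make the "only log successful logins" and firewall items concrete, here is an added example (not part of the original note) that separates accepted logins from scanner noise in sshd log text and counts failures per source address. It assumes the default OpenSSH syslog message format; the sample lines are constructed and the function names `triage` and `noisy_sources` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the usual OpenSSH syslog format (not real traffic).
SAMPLE_LOG = """\
Jun  3 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jun  3 10:00:03 host sshd[1001]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jun  3 10:00:09 host sshd[1007]: Invalid user test from 203.0.113.9 port 33444
Jun  3 10:00:20 host sshd[1008]: Failed password for invalid user x from 192.0.2.1 port 1 ssh2 from 203.0.113.5 port 51238 ssh2
Jun  3 10:01:12 host sshd[1010]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2: ED25519 SHA256:constructed
Jun  3 10:02:30 host sshd[1015]: Failed password for alice from 198.51.100.7 port 40030 ssh2
Jun  3 10:04:00 host cron[2000]: (root) CMD (run-parts /etc/cron.hourly)
"""

# The user name in a failure line is chosen by the remote client, so the source
# address is taken from the END of the line (greedy .* before the last "from").
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+ ssh2")
FAILED = re.compile(
    r"sshd\[\d+\]: (?:Failed \S+ for|Invalid user) .* from (\S+) port \d+(?: ssh2)?$"
)


def triage(log_text):
    """Return (accepted logins, Counter of failed attempts per source address)."""
    accepted, failures = [], Counter()
    for line in log_text.splitlines():
        ok = ACCEPTED.search(line)
        bad = None if ok else FAILED.search(line)
        if ok:
            method, user, source = ok.groups()
            accepted.append({"user": user, "source": source, "method": method})
        elif bad:
            failures[bad.group(1)] += 1
    return accepted, failures


def noisy_sources(failures, threshold=3):
    """Sources with at least `threshold` failures: candidates for a firewall rule."""
    return sorted(src for src, count in failures.items() if count >= threshold)


if __name__ == "__main__":
    logins, failed = triage(SAMPLE_LOG)
    print("accepted:", logins)
    print("noisy:", noisy_sources(failed))
```

The fourth sample line has a user name containing spaces and an address; the failure is still counted against the address sshd recorded at the end of the line.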
Written on October 4, 2021, Last update on June 3, 2023
ssh security internet