I run ossec on my server and periodically I receive a warning like this:
Received From: myserver->/var/log/auth.log
Rule: 5701 fired (level 8) -> "Possible attack on the ssh server (or version gathering)."
Portion of the log(s):
Nov 19 14:26:33 myserver sshd[2105]: Bad protocol version identification 'GET /robots.txt HTTP/1.1' from 66.249.73.226
The IP address always corresponds to a google crawler. But why in the world would googlebot be trying to index my SSH server? We run SSH on the standard, well-known port (22), so it seems like google would know better than to look for a web server there. And we definitely haven't published any links that would lead it to believe otherwise.
Have you searched google for
<Your IP>:22? I'm sure you haven't published it anywhere as you say, but any old idiot can put up a link to anywhere that googlebot can notice. Have you had this IP block for a while?It seems much less likely, though not impossible, that Google is starting to do something about the 'dark web' that they've talked about before (searching commonly non-firewalled ports for stealth webservers).
There's a no-useful-answer question on Google's forum from a couple years ago where somebody was seeing it on their mail server: