So you were DDoS’ed, in a way. Look in the logs what they were looking for. If this was WordPress, like all others, or Drupal or Joomla or something, then there is no reason to worry, these were automated bot scans. They simply stopped scanning your IP.
BTW, my errors started in December too.
However, if they were trying Nextcloud specific URLs or even usernames then it might mean someone zeroed in on you and they now know there is a Nextcloud server running at that IP and now they may quietly start trying Nextcloud specific hacks. So, double check your logs and your traffic. Most likely though, the bot just moved on to another target.
This is just the unavoidable side effect of trying to run a server that is opened to the world.
Over 20-25 years ago I was setting up an FTP server and for a brief period of 5-10 minutes where I mistakenly opened anonymous public uploads, someone started uploading warez and porn. 20 years ago when few people even had internet access. Imagine what kind of swamp the web is these days.
I realized I also see exclusively Microsoft IPs causing this. It’s a slightly different set of IPs than in the post above, but mostly from the same subnets and all I have checked with whois are from microsoft…
First of all: I’am a Nextcloud user searching for a solution for the ‘Exception HMAC does not match.’ error message. After scanning the discussion in this threat I looked to the HMAC error messages.
The IP addresses in these notifications are all from countries that are abroad to me. Most of these IP addresses appear to belong to the ISP Microsoft.
Because my Nextcloud users do not come from these IP addresses, I have decided to block these IP addresses in the firewall. For UFW, the command is:
ufw deny from ip-address