Login fails for user

My Nextcloud logs tell me that I have multiple login fails for user “Mainuser”.
So much so that when I try to log in, the login is delayed or I am locked out completely for a brief period of time.
But nothing is wrong with my password, and I have only 4 devices connected. All of them work fine.

So is this an unlawful hammering attempt? If so, why only this specific username?

Since Nextcloud is behind a (SWAG) Nginx proxy, I cannot see where the attempts are coming from, since it only shows the docker address.

The log says:

[core] Warning: Login failed: 'Mainuser' (Remote IP: '')

PROPFIND /remote.php/webdav/
from at 2022-11-01T13:40:32+00:00

What could cause this? Is there a way to show the real ip address of the failed attempts?


PROPFIND is used by clients to retrieve changes - this happens especially (much more) often if there is no HPB in place - in this situation every client performs a PROPFIND every 30 sec (I think). So a client (e.g. browser session etc.) with an outdated password could result in repeated login failed messages and could trigger bruteforce protection as well.

As a first step I would analyze the logs of your reverse proxy to identify the faulty client. Once you isolate this client, you could verify your reverse proxy config and ensure the right headers are forwarded and trusted by NC, e.g. X-Real-IP and X-Forwarded-For, so you can differentiate the clients in the application.
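
One way to do the reverse-proxy log analysis suggested above, as an added example that is not part of the original posts: it groups 401 responses under `/remote.php/` by client IP and user agent. It assumes the proxy writes nginx's default "combined" access-log format; the function name, sample log lines, addresses and user-agent strings are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in nginx's default "combined" access-log format.
SAMPLE_LOG = """\
192.0.2.10 - Mainuser [01/Nov/2022:13:40:02 +0000] "PROPFIND /remote.php/webdav/ HTTP/1.1" 401 512 "-" "ExampleSyncClient/1.0"
192.0.2.20 - Mainuser [01/Nov/2022:13:40:05 +0000] "PROPFIND /remote.php/webdav/ HTTP/1.1" 207 901 "-" "ExampleMobileApp/2.0"
192.0.2.10 - Mainuser [01/Nov/2022:13:40:32 +0000] "PROPFIND /remote.php/webdav/ HTTP/1.1" 401 512 "-" "ExampleSyncClient/1.0"
198.51.100.7 - Mainuser [01/Nov/2022:13:40:40 +0000] "PROPFIND /remote.php/webdav/ HTTP/1.1" 401 512 "-" "ExampleMobileApp/2.0"
198.51.100.7 - Mainuser [01/Nov/2022:13:40:41 +0000] "PROPFIND /remote.php/webdav/ HTTP/1.1" 207 901 "-" "ExampleMobileApp/2.0"
192.0.2.10 - Mainuser [01/Nov/2022:13:41:02 +0000] "PROPFIND /remote.php/webdav/ HTTP/1.1" 401 512 "-" "ExampleSyncClient/1.0"
192.0.2.20 - - [01/Nov/2022:13:41:10 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 4096 "-" "ExampleBrowser/9.9"
"""

# ip, ident, user, [time], "METHOD path proto", status, bytes, "referer", "agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)

def failed_webdav_clients(log_text, prefix="/remote.php/"):
    """Return [(ip, agent, failures, successes)] sorted by failures, descending.

    A client with many 401s and no 2xx responses is the typical signature of a
    device or session still using an outdated password; a client with both may
    be a shared address or a device retrying with a second stored credential.
    """
    failures, successes = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(prefix):
            continue  # unparsable line or not a WebDAV/remote endpoint
        key = (m["ip"], m["agent"])
        if m["status"] == "401":
            failures[key] += 1
        elif m["status"].startswith("2"):  # PROPFIND success is 207
            successes[key] += 1
    return [(ip, agent, n, successes[(ip, agent)])
            for (ip, agent), n in failures.most_common()]

if __name__ == "__main__":
    for ip, agent, bad, ok in failed_webdav_clients(SAMPLE_LOG):
        print(f"{ip:15} 401s={bad:<3} 2xx={ok:<3} {agent}")
```

To run it against a real log, pass the contents of the proxy's access log file to `failed_webdav_clients()` instead of `SAMPLE_LOG`.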