am I under attack ?

Quote from alvaronbg

should I do a clean installation?

That is ALWAYS best to do, it's hard to trust a system ever again if it have been in this situation, kind of like a cheating GF

So yes, that's what I'd do.

In general, when you expose ssh to the internet it is very common someone will find it and try to connect. It is an automated process where people search for vulnerable devices in the internet. If you use PublicKey authentication, you should actually be quite safe. You could also setup a fail2ban service that bans an ip after certain number of failed login attempts. It is also a good idea to not use default ports and not expose the port permanently but only when you need it. (Thats actually what I do, since I rarely need it anyway)

But still this is just hardening against common noob attacks. To some level, you are still vulnerable to serious attacks. At least such attacks occur very rarely, if at all, unless you are a worthwhile target. To protect yourself against this while still exposing ports, you would have to go to a lot more effort. Eg. companies have much more complex security / firewall concepts. But this is hardly worth it at home. At home, the most efficient and effective solution for secure permanent access is to allow it only via VPN.

Regarding your logs it is not the failed login attempts what looks strange for me, but the warning about IPs that have been added to your known hosts. I'm not a professional but could be that someone successfully did some nasty on your server. So I agree best solution may be to reinstall everything.

Maybe reverse lookup those IP addresses?

If I access my OMV from away, using a VPN / TOR on my devices obviously, I get all kids of IPs that I log in from and they show on my logs.

Maybe clear the log and look if there's a pattern of re-occurance (that's what I do with error codes on engine ECUs).

And maybe your OMV even shows up on Shodan, it might reveal vulnerabilities...