NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
Solved
Why is my Netgear router trying to hack my NAS?
I had this happen with another Netgear router and returned it and got another, but same thing. The router is constantly trying to log into my Synology NAS using usernames like "user" and "admin". I...
Intrusion detection is active for any service active on the Syno (or QNAP, or Asustor, ...) offering or requiring authentication. In this post is -must- be active, despite the OP claims SSH insists only enabled on devices requiring it - however, SSH access attempts are logged.
I was wondering if perhaps sftp or an rsync-over-ssh backup job is configured???
Remains the curiosity, how are there ssh packets reaching the NAS (behind of the NAT router on the LAN), and on which port
I think Armor's device scan is sending the packets and looking for vulnerabilities. So in fact they are coming from the router. But It's not a service I use, so I have no way to confirm.
Intrusion detection is active for any service active on the Syno (or QNAP, or Asustor, ...) offering or requiring authentication. In this post is -must- be active, despite the OP claims SSH insists only enabled on devices requiring it - however, SSH access attempts are logged.
"The IP address [192.168.1.1] experienced 10 failed attempts when attempting to log in to SSH running on Synology418play within 5 minutes and was blocked..."
...as per the initial post. 8-)
Nighthawk Tri-Band WiFi 7 model RS280S. Firmware: 1.0.5.22. I have SSH disabled on most of my other devices except a couple game servers and I see the same attempts on those.
Have spotted the point in the old thread StephenB referred. Love to fight variable targets...
Like the other post starter who can't understand, what is going on. Something to challenge Synology in case. Remains the curiosity, how are there ssh packets reaching the NAS (behind of the NAT router on the LAN), and on which port
I hope for Netgear the have not carried forward their old iptables NAT implementation bugs and errors to this decent router model.
Intrusion detection is active for any service active on the Syno (or QNAP, or Asustor, ...) offering or requiring authentication. In this post is -must- be active, despite the OP claims SSH insists only enabled on devices requiring it - however, SSH access attempts are logged.
I was wondering if perhaps sftp or an rsync-over-ssh backup job is configured???
Remains the curiosity, how are there ssh packets reaching the NAS (behind of the NAT router on the LAN), and on which port
I think Armor's device scan is sending the packets and looking for vulnerabilities. So in fact they are coming from the router. But It's not a service I use, so I have no way to confirm.
I think this might be the case after seeing many others posting about the same thing. It looks like Netgear's Armor service is spamming every SSH port it can find on the network, which is not how anyone should be coding this. I'm just going to disable this Armor hacking script and see what happens. It would be nice if Netgear would actually answer questions about this service, it's been an issue for years from the looks of it.