NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.

Forum Discussion

pkellum's avatar
pkellum
Aspirant
Jan 09, 2026

Why is my Netgear router trying to hack my NAS?

I had this happen with another Netgear router and returned it and got another, but same thing.  The router is constantly trying to log into my Synology NAS using usernames like "user" and "admin".  I...
rs200
pkellum's avatar
pkellum
Aspirant
Jan 10, 2026

The usernames it is using to try and get into my NAS with are ones like "vagrant", "root", "mysql", and "andy" (for some weird reason...).  The online chat person says it is my NAS blocking the router, which it should, and that I should unblock all those usernames so the router can use them.  And then they disconnected the chat.

  • StephenB's avatar
    StephenB
    Guru - Experienced User
    Jan 10, 2026
    pkellum wrote:


    "The IP address [192.168.1.1] experienced 10 failed attempts when attempting to log in to SSH running on Synology418play within 5 minutes and was blocked..."

    The usernames it is using to try and get into my NAS with are ones like "vagrant", "root", "mysql", and "andy" 

     

    What model router are you using, and what firmware is it running?

     

    Are you seeing any attempts to log into other devices on your network?

     

    Is Armor enabled on the router?

    • pkellum's avatar
      pkellum
      Aspirant
      Jan 10, 2026

      Nighthawk Tri-Band WiFi 7 model RS280S.  Firmware: 1.0.5.22.  I have SSH disabled on most of my other devices except a couple game servers and I see the same attempts on those.  Everything is defaults and it looks like Armor was enabled when I set up the router.  

      • schumaku's avatar
        schumaku
        Guru - Experienced User
        Jan 11, 2026
        pkellum wrote:

        I have SSH disabled on most of my other devices except a couple game servers and I see the same attempts on those. 

         

        The first step in establishing an SSH (or SCP) session would be opening up a TCP connection. Which can't - unless some kind of SSH service listener is enabled on your NAS, waiting for a connection, including the possible vulnerability checking.

         

        Test with something like this to check if there is some listener on port 22 active on your NAS: 

         

        netstat -an | grep 22

         

  • schumaku's avatar
    schumaku
    Guru - Experienced User
    Jan 10, 2026

    The wonderful effects when some devices on the LAN are allowed to configure NAT port forwarding by UPnP. Beyond of what StephenB​ asked before, allow some more questions:

     

    Or do you have intentionally configured a port forwarding for ssh (Port 22/tcp) on the router?

     

    Does your router show the public IP address on the WAN port (Internet side), or is there another device like an Internet provider router doing NAT in front of the unspecified Netgear router - this is the typical dual NAT issue....

     

     

    • pkellum's avatar
      pkellum
      Aspirant
      Jan 10, 2026

      The router has no port forwarding set up at all so far, it's still at the defaults except for passwords.  The router shows NAT forwarding as secured.  I still don't understand how that would cause the router to try attempting to access my devices through SSH.  This didn't happen with my ASUS router.

      • StephenB's avatar
        StephenB
        Guru - Experienced User
        Jan 11, 2026
        pkellum wrote:

        The router has no port forwarding set up at all so far,

        is UPNP enabled?

         

         

        pkellum wrote:

        it looks like Armor was enabled when I set up the router

        I believe it does penetration testing, which would explain the symptoms.  So try disabling it.